Hi Marc. Your rule seems to be correct; I can't figure out why it is not working. Maybe the pre-decoder is not able to extract the url field automatically, so it will never match anything.
Also, ensure that you put your custom rule in a group in your local_rules file. Can you paste here some of the logs that created those alerts? That way we will know more accurately what is going on and solve your problem.
Regards,
Fran G.

On Thursday, March 15, 2018 at 10:34:00 AM UTC+1, [email protected] wrote:
>
> Hi,
>
> I need to add to my local rules exceptions for these 2 recurring problems:
>
> Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
> "POST /socket.io/?EIO=3&transport=p....
>
> Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)."
> "POST /index.php?date=yesterday&module=Live&action=getLastVisitsStart&segment=&idSite=1&period=day
>
> For the first one, I have added:
>
> <rule id="100014" level="0">
>   <if_sid>31533</if_sid>
>   <url>^/socket.io/</url>
>   <description>Ignoring Humhub Polls module activation events, phpMyAdmin and HackMd (socket.io).</description>
> </rule>
>
> But it doesn't work...
> And for the second one, as it starts with /index.php I don't know what to put.
>
> Any idea?
> Thanks a lot for your help,
> Marc.
>

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
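As an added example, not part of either message above and not taken from the OSSEC ruleset, here is how both exceptions could be written as children of rule 31533 inside a group in local_rules.xml, which is the point Fran raises about grouping. The rule ids 100014 and 100015 and the group name "local,web," are assumptions. The `<url>` patterns use OSSEC's own regex syntax (OS_Regex), where `\S+` means one or more non-space characters and `?` and `.` are ordinary literal characters, so the `?` after index.php needs no escaping; the second pattern matches on the module and action parameters rather than on the whole query string, which changes with the date and segment values.

```xml
<!-- local_rules.xml (added example; ids, group name and descriptions are assumptions) -->
<group name="local,web,">

  <!-- First exception: socket.io long-polling POSTs (Humhub, HackMd, phpMyAdmin) -->
  <rule id="100014" level="0">
    <if_sid>31533</if_sid>
    <url>^/socket.io/</url>
    <description>Ignoring socket.io polling traffic that trips the POST-flood rule.</description>
  </rule>

  <!-- Second exception: the dashboard polling request from the second alert.
       '?' is literal in OS_Regex; \S+ skips the varying date/segment parameters.
       Ampersands are deliberately avoided so no XML escaping is needed. -->
  <rule id="100015" level="0">
    <if_sid>31533</if_sid>
    <url>^/index.php?\S+module=Live\S+action=getLastVisitsStart</url>
    <description>Ignoring Live-module getLastVisitsStart polling that trips the POST-flood rule.</description>
  </rule>

</group>
```

To confirm the decoder is actually filling the url field, which is Fran's suspicion, paste one of the offending access-log lines into /var/ossec/bin/ossec-logtest: phase 2 of its output lists the decoded fields (including url, if extracted) and phase 3 shows which rule fires, so a rule that never matches will be visible as either a missing url field or 31533 still firing. Keep both patterns as narrow as the known traffic, since a level-0 child silences the alert entirely and an over-broad `<url>` would also hide a real POST flood aimed at those paths.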
