Thanks a lot for your help! I have written `<url>^/socket.io</url>` instead of `<url>^/socket.io/</url>` (I have removed the `/`) and it works!!

On Friday, March 23, 2018 at 1:46:26 PM UTC+1, [email protected] wrote:
>
> Hi Marc.
>
> Your rule seems to be correct, I can't figure out why it is not working.
> Maybe the pre-decoder is not able to extract the url field
> automatically, so it will never have any match.
>
> Also, make sure to put your custom rule in a group in your local_rules file.
>
> Can you paste here some of the logs that created those alerts? That way we
> will know more accurately what is going on and solve your problem.
>
> Regards,
>
> Fran G.
>
> On Thursday, March 15, 2018 at 10:34:00 AM UTC+1, [email protected] wrote:
>>
>> Hi,
>>
>> I need to add to my local rules exceptions for these 2 recurring
>> problems:
>>
>> Rule: 31533 (level 10) -> 'High amount of POST requests in a small period
>> of time (likely bot).'
>> ""POST /socket.io/?EIO=3&transport=p....
>>
>> Rule: 31533 fired (level 10) -> "High amount of POST requests in a small
>> period of time (likely bot)."
>> "POST /index.php?date=yesterday&module=Live&action=getLastVisitsStart&segment=&idSite=1&period=day
>>
>> For the first one, I have added:
>>
>> <rule id="100014" level="0">
>>   <if_sid>31533</if_sid>
>>   <url>^/socket.io/</url>
>>   <description>Ignoring Humhub Polls module activation events, phpMyAdmin and HackMd (socket.io).</description>
>> </rule>
>>
>> But it doesn't work...
>> And for the second one, as it starts with /index.php I don't know what to
>> put.
>>
>> An idea?
>> Thanks a lot for your help,
>> Marc.
>>
>
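
The two exceptions discussed in this thread, written out as a `local_rules.xml` fragment. This is an added example, not a configuration posted by either participant. The group name, the rule id `100015` and its `<url>` pattern are assumptions; the second rule relies on the decoded `url` field including the query string and on an unanchored `<url>` pattern matching anywhere in that field.

```xml
<!-- local_rules.xml: custom rules must sit inside a <group>, as advised in the thread.
     The group name below is an assumption; keep the one already in your file. -->
<group name="local,">

  <!-- Exception 1: the form reported as working in the thread
       (no trailing slash after /socket.io).
       Scope: silences rule 31533 only when the URL begins with /socket.io;
       POST bursts to any other path still raise the level 10 alert. -->
  <rule id="100014" level="0">
    <if_sid>31533</if_sid>
    <url>^/socket.io</url>
    <description>Ignoring Humhub Polls module activation events, phpMyAdmin and HackMd (socket.io).</description>
  </rule>

  <!-- Exception 2 (hypothetical rule, id and pattern are assumptions):
       the request starts with /index.php, which is too broad to anchor on,
       so match a distinctive part of the query string instead.
       No ^ anchor: the pattern may match anywhere in the url field.
       The pattern avoids the & character so no XML escaping is needed. -->
  <rule id="100015" level="0">
    <if_sid>31533</if_sid>
    <url>action=getLastVisitsStart</url>
    <description>Ignoring repeated Live getLastVisitsStart polling requests.</description>
  </rule>

</group>
```

Keep each `<url>` pattern as narrow as the application allows, since every request it matches is exempt from the rule 31533 alert.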
