On Tue, Sep 25, 2018 at 10:12 AM Fredrik Hilmersson <[email protected]> wrote:
>
> The reason why I'm wondering about the above is that my access log keeps
> getting spammed by these scripts and rule 31151 doesn't seem to register the
> multiple 404's from the same source IP.
>
> My question is: shouldn't rule 31151 be triggered, e.g., by the example below?
>
> Rule 31151 is set to:
>
> Frequency = 12

"frequency" is weird. It requires frequency + 2 to trigger.

> Timeframe = 90
>
> This is from access.log (12-entry example; there are more from the same source
> IP, all from 30-100 different requests):
>
> IP - - [24/Sep/2018:14:10:30 +0200] "GET /webdav/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:32 +0200] "GET /java.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:32 +0200] "GET /_query.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:33 +0200] "GET /test.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:34 +0200] "GET /db_cts.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:34 +0200] "GET /db_pma.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:35 +0200] "GET /logon.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:35 +0200] "GET /help-e.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:36 +0200] "GET /license.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:36 +0200] "GET /log.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:36 +0200] "GET /hell.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
> IP - - [24/Sep/2018:14:10:37 +0200] "GET /pmd_online.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
>
> On Friday, 7 September 2018 at 14:22:17 UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello,
>>
>> I noticed recently that my cloud servers have been getting increased requests for a
>> long range of php files from the same source IP. In case I'm not the only one, I
>> started to collect the page requests into a list. However, I have seen that some of
>> the requests get caught, for instance by PSAD and matching signatures. I
>> think the web_appsec_rules.xml might need an update though to decrease the
>> amount of incoming requests.
>>
>> More information:
>> https://github.com/featzor/ossec-rules
>>
>> Kind regards,
>> Fredrik

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
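The frequency/timeframe behaviour discussed in the thread, as an added example that is not part of the mailing-list post or of OSSEC's own code: a small Python counting model of a composite rule keyed on srcip, replayed over log lines constructed from the excerpt above. The address 198.51.100.7, the function names, and the "frequency + 2" threshold (taken from the reply, not from ossec-analysisd source) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache combined format, modelled on the excerpt in the
# thread; 198.51.100.7 (a documentation address) stands in for the real "IP".
PATHS = ["/webdav/", "/java.php", "/_query.php", "/test.php", "/db_cts.php",
         "/db_pma.php", "/logon.php", "/help-e.php", "/license.php", "/log.php",
         "/hell.php", "/pmd_online.php"]
SECONDS = [30, 32, 32, 33, 34, 34, 35, 35, 36, 36, 36, 37]
SAMPLE_LOG = [
    f'198.51.100.7 - - [24/Sep/2018:14:10:{s:02d} +0200] "GET {p} HTTP/1.1" '
    f'404 162 "-" "Mozilla/5.0"'
    for s, p in zip(SECONDS, PATHS)
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')


def parse_line(line):
    # Returns (srcip, timestamp, status) for a combined-format line, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])


def composite_hits(lines, frequency=12, timeframe=90, extra=2):
    # Counting model of a composite rule keyed on srcip (not ossec-analysisd
    # itself). `extra` encodes the reply's observation that <frequency>N needs
    # N + 2 matching events inside <timeframe> before the rule fires.
    # Returns the (srcip, timestamp) pairs at which the rule would fire.
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)
    fired = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 404:  # only 404s feed the counter
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        while q and ts - q[0] > window:         # expire events outside the window
            q.popleft()
        q.append(ts)
        if len(q) >= frequency + extra:
            fired.append((ip, ts))
            q.clear()                           # counter restarts after an alert
    return fired
```

With the twelve 404s from the excerpt and frequency=12, `composite_hits(SAMPLE_LOG)` returns an empty list; two more 404s from the same address within the timeframe are needed before it fires.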
