We are getting a false alert:

Received From: domain->/var/log/nginx/access.log
Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)."
Src IP: 95.145.175.32
Portion of the log(s):

95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 2925 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 7015 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 6651 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"

This causes normal visitors' IPs to get blocked. How can we add an exception for this rule?

Thanking you in advance,
Andrew