[ossec-list] Re: DDOS protection
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: DDOS protection
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sun, 24 Jun 2007 20:46:14 -0300
Hi DM,
It is very well possible. We already have rules like that for some
protocols, like ftp, ssh, etc., but it can be easily expanded to others.
Example of rules like that (for ftpd):
  <rule id="11452" level="10" frequency="10" timeframe="60">
    <if_matched_sid>11401</if_matched_sid>
    <same_source_ip />
    <description>Multiple FTP connection attempts from </description>
    <description>same source IP.</description>
    <group>recon,</group>
  </rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/15/07, deltamails@xxxxxxxxx <deltamails@xxxxxxxxx> wrote:
>
> Can Ossec do DDOS protection?
> How can we set a rule where, if there are too many requests/connections, say
> "200", from the same IP of any kind, be it http, smtp, ftp, ssh, etc., it blocks the
> IP for 'x' time?
>
> Thanks
> Regards,
> DM
>
>
>
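The "block the IP for 'x' time" half of the question, as an added example that is not part of the original message: an active response keyed on the frequency rule 11452 quoted above, plus a local rule of the same shape for another protocol. It assumes the stock firewall-drop.sh active-response script; the 600-second timeout, the local rule id 100200 and BASE_RULE_ID are constructed placeholders.

```xml
<!-- ossec.conf on the manager (fragment) -->
<ossec_config>
  <!-- Command definition; normally already present in a default install. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>            <!-- needs a decoded source IP -->
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run the block when the frequency rule fires, undo it after the timeout. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>        <!-- on the agent that saw the events -->
    <rules_id>11452,100200</rules_id> <!-- rule from the post + local rule below -->
    <timeout>600</timeout>            <!-- the 'x' time, in seconds (constructed value) -->
  </active-response>
</ossec_config>

<!-- rules/local_rules.xml: same pattern for another protocol.
     BASE_RULE_ID is a placeholder for the id of the per-connection
     rule of that protocol, the role 11401 plays in the FTP rule. -->
<group name="local,">
  <rule id="100200" level="10" frequency="10" timeframe="60">
    <if_matched_sid>BASE_RULE_ID</if_matched_sid>
    <same_source_ip />
    <description>Multiple connection attempts from same source IP.</description>
    <group>recon,</group>
  </rule>
</group>
```

Add trusted addresses (monitoring hosts, proxies, your own admin IPs) to a `<white_list>` entry in the `<global>` section so the automatic block cannot be triggered against them.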
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.