Created
September 11, 2016 15:44
-
-
Save p0pr0ck5/73d13fc60e5f26ae4aa6ae8238f4c5d3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "access" : [ | |
| { | |
| "actions" : { | |
| "disrupt" : "IGNORE", | |
| "nondisrupt" : [ | |
| { | |
| "action" : "initcol", | |
| "data" : { | |
| "col" : "IP", | |
| "value" : "%{REMOTE_ADDR}" | |
| } | |
| }, | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "TX", | |
| "key" : "REAL_IP", | |
| "value" : "%{REMOTE_ADDR}" | |
| } | |
| }, | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "TX", | |
| "key" : "DOS_BURST_TIME_SLICE", | |
| "value" : 60 | |
| } | |
| }, | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "TX", | |
| "key" : "DOS_COUNTER_THRESHOLD", | |
| "value" : 3 | |
| } | |
| }, | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "TX", | |
| "key" : "DOS_BLOCK_TIMEOUT", | |
| "value" : 600 | |
| } | |
| } | |
| ] | |
| }, | |
| "id" : "900015", | |
| "opts" : { | |
| "nolog" : 1 | |
| }, | |
| "vars" : [ | |
| { | |
| "unconditional" : 1 | |
| } | |
| ] | |
| }, | |
| { | |
| "actions" : { | |
| "disrupt" : "CHAIN", | |
| "nondisrupt" : [ | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "IP", | |
| "inc" : 1, | |
| "key" : "DOS_BLOCK_COUNTER", | |
| "value" : 1 | |
| } | |
| } | |
| ] | |
| }, | |
| "id" : "981044", | |
| "operator" : "EQUALS", | |
| "opts" : { | |
| "parsepattern" : 1 | |
| }, | |
| "pattern" : "1", | |
| "vars" : [ | |
| { | |
| "parse" : { | |
| "specific" : "DOS_BLOCK" | |
| }, | |
| "storage" : 1, | |
| "type" : "IP" | |
| } | |
| ] | |
| }, | |
| { | |
| "actions" : { | |
| "disrupt" : "DROP", | |
| "nondisrupt" : [ | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "IP", | |
| "key" : "DOS_BLOCK_FLAG", | |
| "value" : 1 | |
| } | |
| }, | |
| { | |
| "action" : "expirevar", | |
| "data" : { | |
| "col" : "IP", | |
| "key" : "DOS_BLOCK_FLAG", | |
| "time" : 5 | |
| } | |
| }, | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "TX", | |
| "key" : "DOS_BLOCK_COUNTER", | |
| "value" : "%{IP.DOS_BLOCK_COUNTER}" | |
| } | |
| }, | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "IP", | |
| "key" : "DOS_BLOCK_COUNTER", | |
| "value" : 0 | |
| } | |
| } | |
| ] | |
| }, | |
| "id" : "981044", | |
| "msg" : "Denial of Service (DoS) Attack Identified from %{TX.REAL_IP} (%{TX.DOS_BLOCK_COUNTER} hits since last alert)", | |
| "operator" : "EQUALS", | |
| "opts" : { | |
| "parsepattern" : 1 | |
| }, | |
| "pattern" : "0", | |
| "vars" : [ | |
| { | |
| "length" : 1, | |
| "parse" : { | |
| "specific" : "DOS_BLOCK_FLAG" | |
| }, | |
| "storage" : 1, | |
| "type" : "IP" | |
| } | |
| ] | |
| }, | |
| { | |
| "actions" : { | |
| "disrupt" : "DROP", | |
| "nondisrupt" : [ | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "IP", | |
| "inc" : 1, | |
| "key" : "DOS_BLOCK_COUNTER", | |
| "value" : 1 | |
| } | |
| } | |
| ] | |
| }, | |
| "id" : "981045", | |
| "operator" : "EQUALS", | |
| "opts" : { | |
| "nolog" : 1, | |
| "parsepattern" : 1 | |
| }, | |
| "pattern" : "1", | |
| "vars" : [ | |
| { | |
| "parse" : { | |
| "specific" : "DOS_BLOCK" | |
| }, | |
| "storage" : 1, | |
| "type" : "IP" | |
| } | |
| ] | |
| }, | |
| { | |
| "actions" : { | |
| "disrupt" : "DENY" | |
| }, | |
| "id" : "END_DOS_PROTECTION_CHECKS", | |
| "op_negated" : 1, | |
| "vars" : [ | |
| { | |
| "unconditional" : 1 | |
| } | |
| ] | |
| } | |
| ], | |
| "body_filter" : [ | |
| { | |
| "actions" : { | |
| "disrupt" : "IGNORE" | |
| }, | |
| "id" : "981046", | |
| "operator" : "EQUALS", | |
| "opts" : { | |
| "nolog" : 1, | |
| "parsepattern" : 1 | |
| }, | |
| "pattern" : "1", | |
| "skip_after" : "END_DOS_PROTECTION_CHECKS", | |
| "vars" : [ | |
| { | |
| "parse" : { | |
| "specific" : "DOS_BLOCK" | |
| }, | |
| "storage" : 1, | |
| "type" : "IP" | |
| } | |
| ] | |
| }, | |
| { | |
| "actions" : { | |
| "disrupt" : "IGNORE", | |
| "nondisrupt" : [ | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "IP", | |
| "inc" : 1, | |
| "key" : "DOS_COUNTER", | |
| "value" : 1 | |
| } | |
| } | |
| ] | |
| }, | |
| "id" : "981047", | |
| "op_negated" : 1, | |
| "operator" : "REGEX", | |
| "opts" : { | |
| "nolog" : 1 | |
| }, | |
| "pattern" : "\\.(jpe?g|png|gif|js|css|ico)$", | |
| "vars" : [ | |
| { | |
| "type" : "REQUEST_BASENAME" | |
| } | |
| ] | |
| }, | |
| { | |
| "actions" : { | |
| "disrupt" : "IGNORE", | |
| "nondisrupt" : [ | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "IP", | |
| "inc" : 1, | |
| "key" : "DOS_BURST_COUNTER", | |
| "value" : 1 | |
| } | |
| }, | |
| { | |
| "action" : "expirevar", | |
| "data" : { | |
| "col" : "IP", | |
| "key" : "DOS_BURST_COUNTER", | |
| "time" : "%{TX.DOS_BURST_TIME_SLICE}" | |
| } | |
| }, | |
| { | |
| "action" : "deletevar", | |
| "data" : { | |
| "col" : "IP", | |
| "key" : "DOS_COUNTER" | |
| } | |
| } | |
| ] | |
| }, | |
| "id" : "981048", | |
| "operator" : "GREATER", | |
| "opts" : { | |
| "nolog" : 1, | |
| "parsepattern" : 1 | |
| }, | |
| "pattern" : "%{TX.DOS_COUNTER_THRESHOLD}", | |
| "vars" : [ | |
| { | |
| "parse" : { | |
| "specific" : "DOS_COUNTER" | |
| }, | |
| "storage" : 1, | |
| "type" : "IP" | |
| } | |
| ] | |
| }, | |
| { | |
| "actions" : { | |
| "disrupt" : "IGNORE", | |
| "nondisrupt" : [ | |
| { | |
| "action" : "setvar", | |
| "data" : { | |
| "col" : "IP", | |
| "key" : "DOS_BLOCK", | |
| "value" : 1 | |
| } | |
| }, | |
| { | |
| "action" : "expirevar", | |
| "data" : { | |
| "col" : "IP", | |
| "key" : "DOS_BLOCK", | |
| "time" : "%{TX.DOS_BLOCK_TIMEOUT}" | |
| } | |
| } | |
| ] | |
| }, | |
| "id" : "981049", | |
| "msg" : "Potential Denial of Service (DoS) Attack from %{TX.REAL_IP} - # of Request Bursts: %{IP.DOS_BURST_COUNTER}", | |
| "operator" : "GREATER_EQ", | |
| "opts" : { | |
| "parsepattern" : 1 | |
| }, | |
| "pattern" : "2", | |
| "vars" : [ | |
| { | |
| "parse" : { | |
| "specific" : "DOS_BURST_COUNTER" | |
| }, | |
| "storage" : 1, | |
| "type" : "IP" | |
| } | |
| ] | |
| } | |
| ], | |
| "header_filter" : [] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment