{ | |
"access" : [ | |
{ | |
"actions" : { | |
"disrupt" : "IGNORE", | |
"nondisrupt" : [ | |
{ | |
"action" : "initcol", | |
"data" : { | |
"col" : "IP", | |
"value" : "%{REMOTE_ADDR}" | |
} | |
}, | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "TX", | |
"key" : "REAL_IP", | |
"value" : "%{REMOTE_ADDR}" | |
} | |
}, | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "TX", | |
"key" : "DOS_BURST_TIME_SLICE", | |
"value" : 60 | |
} | |
}, | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "TX", | |
"key" : "DOS_COUNTER_THRESHOLD", | |
"value" : 3 | |
} | |
}, | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "TX", | |
"key" : "DOS_BLOCK_TIMEOUT", | |
"value" : 600 | |
} | |
} | |
] | |
}, | |
"id" : "900015", | |
"opts" : { | |
"nolog" : 1 | |
}, | |
"vars" : [ | |
{ | |
"unconditional" : 1 | |
} | |
] | |
}, | |
{ | |
"actions" : { | |
"disrupt" : "CHAIN", | |
"nondisrupt" : [ | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "IP", | |
"inc" : 1, | |
"key" : "DOS_BLOCK_COUNTER", | |
"value" : 1 | |
} | |
} | |
] | |
}, | |
"id" : "981044", | |
"operator" : "EQUALS", | |
"opts" : { | |
"parsepattern" : 1 | |
}, | |
"pattern" : "1", | |
"vars" : [ | |
{ | |
"parse" : { | |
"specific" : "DOS_BLOCK" | |
}, | |
"storage" : 1, | |
"type" : "IP" | |
} | |
] | |
}, | |
{ | |
"actions" : { | |
"disrupt" : "DROP", | |
"nondisrupt" : [ | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "IP", | |
"key" : "DOS_BLOCK_FLAG", | |
"value" : 1 | |
} | |
}, | |
{ | |
"action" : "expirevar", | |
"data" : { | |
"col" : "IP", | |
"key" : "DOS_BLOCK_FLAG", | |
"time" : 5 | |
} | |
}, | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "TX", | |
"key" : "DOS_BLOCK_COUNTER", | |
"value" : "%{IP.DOS_BLOCK_COUNTER}" | |
} | |
}, | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "IP", | |
"key" : "DOS_BLOCK_COUNTER", | |
"value" : 0 | |
} | |
} | |
] | |
}, | |
"id" : "981044", | |
"msg" : "Denial of Service (DoS) Attack Identified from %{TX.REAL_IP} (%{TX.DOS_BLOCK_COUNTER} hits since last alert)", | |
"operator" : "EQUALS", | |
"opts" : { | |
"parsepattern" : 1 | |
}, | |
"pattern" : "0", | |
"vars" : [ | |
{ | |
"length" : 1, | |
"parse" : { | |
"specific" : "DOS_BLOCK_FLAG" | |
}, | |
"storage" : 1, | |
"type" : "IP" | |
} | |
] | |
}, | |
{ | |
"actions" : { | |
"disrupt" : "DROP", | |
"nondisrupt" : [ | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "IP", | |
"inc" : 1, | |
"key" : "DOS_BLOCK_COUNTER", | |
"value" : 1 | |
} | |
} | |
] | |
}, | |
"id" : "981045", | |
"operator" : "EQUALS", | |
"opts" : { | |
"nolog" : 1, | |
"parsepattern" : 1 | |
}, | |
"pattern" : "1", | |
"vars" : [ | |
{ | |
"parse" : { | |
"specific" : "DOS_BLOCK" | |
}, | |
"storage" : 1, | |
"type" : "IP" | |
} | |
] | |
}, | |
{ | |
"actions" : { | |
"disrupt" : "DENY" | |
}, | |
"id" : "END_DOS_PROTECTION_CHECKS", | |
"op_negated" : 1, | |
"vars" : [ | |
{ | |
"unconditional" : 1 | |
} | |
] | |
} | |
], | |
"body_filter" : [ | |
{ | |
"actions" : { | |
"disrupt" : "IGNORE" | |
}, | |
"id" : "981046", | |
"operator" : "EQUALS", | |
"opts" : { | |
"nolog" : 1, | |
"parsepattern" : 1 | |
}, | |
"pattern" : "1", | |
"skip_after" : "END_DOS_PROTECTION_CHECKS", | |
"vars" : [ | |
{ | |
"parse" : { | |
"specific" : "DOS_BLOCK" | |
}, | |
"storage" : 1, | |
"type" : "IP" | |
} | |
] | |
}, | |
{ | |
"actions" : { | |
"disrupt" : "IGNORE", | |
"nondisrupt" : [ | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "IP", | |
"inc" : 1, | |
"key" : "DOS_COUNTER", | |
"value" : 1 | |
} | |
} | |
] | |
}, | |
"id" : "981047", | |
"op_negated" : 1, | |
"operator" : "REGEX", | |
"opts" : { | |
"nolog" : 1 | |
}, | |
"pattern" : "\\.(jpe?g|png|gif|js|css|ico)$", | |
"vars" : [ | |
{ | |
"type" : "REQUEST_BASENAME" | |
} | |
] | |
}, | |
{ | |
"actions" : { | |
"disrupt" : "IGNORE", | |
"nondisrupt" : [ | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "IP", | |
"inc" : 1, | |
"key" : "DOS_BURST_COUNTER", | |
"value" : 1 | |
} | |
}, | |
{ | |
"action" : "expirevar", | |
"data" : { | |
"col" : "IP", | |
"key" : "DOS_BURST_COUNTER", | |
"time" : "%{TX.DOS_BURST_TIME_SLICE}" | |
} | |
}, | |
{ | |
"action" : "deletevar", | |
"data" : { | |
"col" : "IP", | |
"key" : "DOS_COUNTER" | |
} | |
} | |
] | |
}, | |
"id" : "981048", | |
"operator" : "GREATER", | |
"opts" : { | |
"nolog" : 1, | |
"parsepattern" : 1 | |
}, | |
"pattern" : "%{TX.DOS_COUNTER_THRESHOLD}", | |
"vars" : [ | |
{ | |
"parse" : { | |
"specific" : "DOS_COUNTER" | |
}, | |
"storage" : 1, | |
"type" : "IP" | |
} | |
] | |
}, | |
{ | |
"actions" : { | |
"disrupt" : "IGNORE", | |
"nondisrupt" : [ | |
{ | |
"action" : "setvar", | |
"data" : { | |
"col" : "IP", | |
"key" : "DOS_BLOCK", | |
"value" : 1 | |
} | |
}, | |
{ | |
"action" : "expirevar", | |
"data" : { | |
"col" : "IP", | |
"key" : "DOS_BLOCK", | |
"time" : "%{TX.DOS_BLOCK_TIMEOUT}" | |
} | |
} | |
] | |
}, | |
"id" : "981049", | |
"msg" : "Potential Denial of Service (DoS) Attack from %{TX.REAL_IP} - # of Request Bursts: %{IP.DOS_BURST_COUNTER}", | |
"operator" : "GREATER_EQ", | |
"opts" : { | |
"parsepattern" : 1 | |
}, | |
"pattern" : "2", | |
"vars" : [ | |
{ | |
"parse" : { | |
"specific" : "DOS_BURST_COUNTER" | |
}, | |
"storage" : 1, | |
"type" : "IP" | |
} | |
] | |
} | |
], | |
"header_filter" : [] | |
} |