Hi DM,

It is very well possible. We already have rules like that for some
protocols, like ftp, ssh, etc. but it can be easily expanded to others.

Example of rules like that (for ftpd):

  <rule id="11452" level="10" frequency="10" timeframe="60">
    <if_matched_sid>11401</if_matched_sid>
    <same_source_ip />
    <description>Multiple FTP connection attempts from </description>
    <description>same source IP.</description>
    <group>recon,</group>
  </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/15/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Can Ossec do DDOS protection?
> How can we set a rule where if there are too many requests/connections, say
> "200", from the same IP of any kind, let it be http, smtp, ftp, ssh etc., it blocks the
> IP for 'x' time?
>
> Thanks
> Regards,
> DM
>
>
>
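
Added example, not part of the original thread or of OSSEC's shipped rule set: one way to turn the frequency rule quoted above into a timed block, and to extend the same pattern to another protocol. Rule id 100200, the BASE_RULE_SID placeholder, the 600-second timeout and the whitelisted address are assumptions chosen for illustration.

```xml
<!-- rules/local_rules.xml -->
<!-- Same pattern as rule 11452, for another service. -->
<!-- 100200 is a constructed id in the local range (100000 and up). -->
<!-- BASE_RULE_SID is a placeholder: put the id of the existing -->
<!-- per-connection rule for that service here. Its decoder must -->
<!-- extract srcip, or same_source_ip has nothing to correlate on. -->
<group name="local,recon,">
  <rule id="100200" level="10" frequency="10" timeframe="60">
    <if_matched_sid>BASE_RULE_SID</if_matched_sid>
    <same_source_ip />
    <description>Multiple connection attempts from same source IP.</description>
    <group>recon,</group>
  </rule>
</group>

<!-- etc/ossec.conf (server), inside <ossec_config> -->

<!-- Addresses that must never be blocked (constructed example value). -->
<global>
  <white_list>192.0.2.10</white_list>
</global>

<!-- Block script; timeout_allowed lets OSSEC undo the block later. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- When 11452 (the ftpd rule above) or 100200 fires, drop the -->
<!-- source IP on the agent that reported it, then remove the -->
<!-- block after 600 seconds (the 'x' time from the question). -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>11452,100200</rules_id>
  <timeout>600</timeout>
</active-response>
```

A threshold of 200 events, as asked in the question, is set by changing the frequency and timeframe attributes on the rule; the active response only acts once that rule fires.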
