You should look at your logs and see what is triggering the 400s and fix that issue if it is a server side issue.
On Tue, Jan 24, 2012 at 01:19, Damien Hull <dh...@section9.us> wrote:
> On Mon, Jan 23, 2012 at 4:19 PM, Jason 'XenoPhage' Frisvold
> <xenoph...@godshell.com> wrote:
>> On Jan 23, 2012, at 5:05 PM, Damien Hull wrote:
>>> I have ossec 2.6 running on Ubuntu 10.04 LTS. This is a web server
>>> running LAMP....
>>>
>>> There are several websites on this server. Every now and then OSSEC
>>> will block an IP address for accessing a website. This is not an
>>> attack of any kind. I've had it happen to me. I'll access a website on
>>> the server and bam, blocked.
>>>
>>> I have it configured to unblock the IP after 10 minutes. I figured
>>> after 10 minutes a hacker will get tired and move on. I don't want
>>> this to happen with users of my server.
>>>
>>> Is there a way to configure OSSEC so this doesn't happen? I've never
>>> taken the time to tweak OSSEC....
>>>
>>> NOTE
>>> The latest alert was for Moodle. I'm guessing a user clicked on
>>> something and OSSEC didn't like it...
>>
>> It blocks for a reason. If you can provide the alert it sent, that would go
>> a long way to identifying what it's seeing as bad. It's probably something
>> simple. I haven't had a chance to fully test Moodle as of yet, but I expect
>> there will be a number of items that need to be handled in order to make it
>> all run smoothly. Incidentally, is this Moodle 1 or 2?
>>
>> ---------------------------
>> Jason 'XenoPhage' Frisvold
>> xenoph...@godshell.com
>> ---------------------------
>> "Any sufficiently advanced magic is indistinguishable from technology."
>> - Niven's Inverse of Clarke's Third Law
>
> I just found the alert in my ticket system. Here's the new info...
>
> Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes
> from same source ip."
> 1. It looks like this rule caused OSSEC to block the IP Address
> 2. Here's the config from web_rules.xml. Notice the 31101. That's why
> I thought 31101 was the problem.
>
> <rule id="31151" level="10" frequency="10" timeframe="120">
>   <if_matched_sid>31101</if_matched_sid>
>   <same_source_ip />
>   <description>Mutiple web server 400 error codes </description>
>   <description>from same source ip.</description>
>   <group>web_scan,recon,</group>
> </rule>
>
> Questions:
> 1. Should I modify this?
> 2. If so what would be a good modification?

-- 
Registered Linux User # 379282
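To act on the advice at the top of the thread (find what is producing the 400s before loosening rule 31151), here is an added Python example, not from this thread or from OSSEC itself, that approximates the rule's frequency/timeframe counting over constructed Apache access-log lines and reports which request paths filled the window for each source IP. The sliding window is a simplification of OSSEC's own correlation, and the log lines, IPs and Moodle path are constructed.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Apache combined log format. Named groups: ip, time, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, path, status) or None when the line is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    path = parts[1] if len(parts) >= 2 else m.group("request")
    return m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT), path, m.group("status")

def find_triggers(log_text, frequency=10, timeframe=120):
    """Sliding-window analogue of rule 31151: `frequency` 4xx responses (what rule
    31101 matches) from one source IP inside `timeframe` seconds. Returns, per IP
    that would have tripped it, the first trigger time and the paths in that window."""
    windows = {}      # ip -> deque of (timestamp, path) for recent 4xx hits
    triggers = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec[3].startswith("4"):
            continue  # only 4xx lines feed the counter, as with rule 31101
        ip, ts, path, _ = rec
        w = windows.setdefault(ip, deque())
        w.append((ts, path))
        while (ts - w[0][0]).total_seconds() > timeframe:
            w.popleft()   # drop hits older than the timeframe
        if len(w) >= frequency and ip not in triggers:
            triggers[ip] = {"at": ts, "paths": Counter(p for _, p in w)}
    return triggers

def _line(ip, sec, path, status):
    # Constructed log line for the sample below (timestamp and client are made up).
    return f'{ip} - - [23/Jan/2012:17:05:{sec:02d} -0500] "GET {path} HTTP/1.1" {status} 312 "-" "Mozilla/5.0"'

# Constructed sample: one client repeatedly hitting a missing Moodle theme image,
# another with a few harmless favicon misses spread out over time.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", 0, "/moodle/index.php", 200)]
    + [_line("192.0.2.10", 2 * i, "/moodle/theme/standard/pix/missing.png", 404) for i in range(1, 12)]
    + [_line("198.51.100.7", 3 * i, "/favicon.ico", 404) for i in range(3)]
)
```

Running `find_triggers(SAMPLE_LOG)` over a real access log tells you which path to fix (or to exclude in a local rule) rather than guessing from the alert alone.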