I receive other alerts so at least I know it is partially configured correctly.
The Apache log file entries look something like this:

70.55.163.53 - - [05/Jun/2014:08:46:36 -0400] "GET /path/to/file/captcha.php HTTP/1.1" 200

thanks

On Thursday, June 5, 2014 11:55:09 AM UTC-4, dan (ddpbsd) wrote:
> On Thu, Jun 5, 2014 at 11:44 AM, Lou <[email protected]> wrote:
> > I'm new to OSSEC and have recently installed it on some web servers that are
> > being 'abused'. Every 15-20 seconds the user is accessing the captcha file
> > and I believe he is using an OCR tool to bypass it. I was under the impression
> > that OSSEC would detect this automatically with its included rules and send
> > me a notification (similar to DOS attack). This does not seem to be the
> > case. Do I need to create a specific rule for this? Or do I have something
> > mis-configured? I would appreciate any help.
>
> There's probably no rule for it. You can use the ossec-logtest program
> to help create rules for these events. Giving us log samples can also help.
> There is definitely a possibility for misconfiguration though. Without
> knowing how your systems are configured, it's hard to tell.
>
> > Thanks!
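The per-source frequency check discussed in this thread, written out as a stand-alone Python example that is added here and is not part of the original messages or an OSSEC rule. The threshold, the window, the response size and the sample addresses are assumptions; the log lines are constructed from the format quoted above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache access-log line; nothing after the status code is required because
# the sample quoted in the thread ends there.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def find_captcha_abuse(lines, url_suffix="/captcha.php", threshold=6,
                       window=timedelta(minutes=3)):
    """Return {ip: time the threshold was first reached} for sources that got
    a 2xx for url_suffix at least `threshold` times within `window`."""
    recent = defaultdict(deque)      # ip -> request times still in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # not an access-log entry
        path = m["url"].split("?", 1)[0]
        if not path.endswith(url_suffix) or not m["status"].startswith("2"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()           # expire requests older than the window
        if len(hits) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed sample: one source polling every 20 s, one casual visitor."""
    start = datetime.strptime("05/Jun/2014:08:46:36 -0400", TS_FMT)
    fmt = '{} - - [{}] "GET /path/to/file/captcha.php HTTP/1.1" 200 1543'
    def stamp(delta):
        return (start + delta).strftime(TS_FMT)
    lines = [fmt.format("203.0.113.7", stamp(timedelta(seconds=20 * i)))
             for i in range(10)]
    lines += [fmt.format("198.51.100.9", stamp(timedelta(minutes=10 * i)))
              for i in range(3)]
    return lines

if __name__ == "__main__":
    for ip, when in find_captcha_abuse(sample_log()).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

Running it over a real access log shows which threshold and window separate the polling source from ordinary visitors before those numbers go into a rule.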
