Good job. Also, you can block the IP using active response <https://blog.wazuh.com/blocking-attacks-active-response/>.
Regards.

On Monday, June 26, 2017 at 11:12:02 AM UTC+2, Fredrik Hilmersson wrote:
>
> Hello Jesus,
>
> So, I think I've got the rule to work.
>
> 1. Rule:
>
> <rule id="100205" level="0">
>   <if_sid>31101</if_sid>
>   <decoded_as>web-accesslog</decoded_as>
>   <match> Jorgee$</match>
>   <description>Jorgee vulnerability scanner</description>
> </rule>
>
> 2. Logtest output:
>
> SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee
>
> **Phase 1: Completed pre-decoding.
>        full event: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'
>        hostname: 'agent-id'
>        program_name: '(null)'
>        log: 'SRCIP - - [26/Jun/2017:08:38:43 +0200] "HEAD http://HOSTIP:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee'
>
> **Phase 2: Completed decoding.
>        decoder: 'web-accesslog'
>        srcip: 'SRCIP'
>        url: 'http://HOSTIP:80/phpmyadmin4/'
>        id: '404'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100205'
>        Level: '0'
>        Description: 'Jorgee vulnerability scanner'
>
> Kind regards,
> Fredrik
>
> On Monday, 26 June 2017 at 10:48:16 UTC+2, Jesus Linares wrote:
>>
>> What is the output of ossec-logtest?
>>
>> Once you have a rule for that event, you can create an active response.
>>
>> Regards.
>>
>> On Sunday, June 25, 2017 at 12:06:23 AM UTC+2, Fredrik Hilmersson wrote:
>>>
>>> I spoke too early, still getting spammed ...
>>>
>>> On Saturday, 24 June 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote:
>>>>
>>>> Thank you!
>>>>
>>>> On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>>>>>
>>>>> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson
>>>>> <f.hilm...@worldclearing.org> wrote:
>>>>> > Hello,
>>>>> >
>>>>> > so recently I got spammed by this vulnerability scanner.
>>>>> > The HEAD is always the same, in regards to the $user_agent, Jorgee
>>>>> >
>>>>> > ** Alert 1498324205.1278330: - web,accesslog,
>>>>> > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log
>>>>> > Rule: 31101 (level 5) -> 'Web server 400 error code.'
>>>>> > 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee
>>>>> >
>>>>> > So I'm wondering if anyone has a good idea or rule how to block/ban these attempts?
>>>>> >
>>>>> > Kind regards,
>>>>> > Fredrik
>>>>> >
>>>>>
>>>>> Possibly something like:
>>>>> <rule id="999999" level="0">
>>>>>   <decoded_as>nginx-errorlog</decoded_as>
>>>>>   <match> Jorgee$</match>
>>>>>   <description>Jorgee is loud</description>
>>>>> </rule>
>>>>>
>>>>> > --
>>>>> >
>>>>> > ---
>>>>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>>>>> > For more options, visit https://groups.google.com/d/optout.
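For completeness, this is what the two pieces Jesus points at look like when wired together: Fredrik's rule from the thread, plus an OSSEC/Wazuh active response that runs the stock firewall-drop script against the decoded srcip. It is an added example, not configuration anyone posted in the thread. Two things a practitioner should check before copying it. First, a rule at level="0" is ignored by OSSEC (no alert is written), so it can never drive an active response; the rule below is raised to level 6, which is an assumption, and any level above 0 and at or above your <log_alert_level> works. Second, ` Jorgee$` only matches when the line ends with that token, as it does in the logtest output above; if your nginx log_format closes the user-agent field with a quote, the line ends in `Jorgee"` and the anchor has to be adjusted. The 600-second timeout is also an assumption; rule id 100205 and the parent rule 31101 are the ones from the thread.

```xml
<!-- local_rules.xml: the rule from the thread, raised above level 0
     so that it is alerted and can trigger an active response.
     Level 6 is an assumption; id 100205 is the id used in the thread. -->
<group name="local,web,accesslog,">
  <rule id="100205" level="6">
    <if_sid>31101</if_sid>
    <decoded_as>web-accesslog</decoded_as>
    <match> Jorgee$</match>
    <description>Jorgee vulnerability scanner</description>
  </rule>
</group>

<!-- ossec.conf on the manager: command definition plus the active
     response bound to rule 100205. firewall-drop.sh ships with OSSEC,
     expects the decoded srcip field and blocks that address with
     iptables on Linux. location=local runs it on the agent that logged
     the request (the nginx host); the 600 s timeout is an assumption,
     after which the block is removed again. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100205</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After restarting the manager, feed the same access-log line through ossec-logtest again: Phase 3 should now report Level: '6' for rule 100205. On the agent, /var/ossec/logs/active-responses.log records each firewall-drop invocation with the blocked address, which is the quickest way to confirm the response actually fired. Because every matching source is dropped for the full timeout, test against logtest first rather than against a live host you still need to reach.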