Level 10 - High amount of POST requests in a small period of time (likely bot)


Andrew S

Nov 22, 2020, 9:32:18 AM
to ossec-list
We are getting a false alert:

Received From: domain->/var/log/nginx/access.log
Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)."
Src IP: 95.145.175.32
Portion of the log(s):

95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 2925 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 7015 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"
95.145.175.32 - - [22/Nov/2020:14:20:47 +0000] "POST /?wpgb-ajax=wpgb_front&action=render HTTP/1.1" 200 6651 "https://www.domain.com/guides/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36"

This causes normal visitors' IPs to get blocked. How can we add an exception for this rule?

Thanking you in advance,
Andrew

Yana Zaeva

Dec 24, 2020, 10:02:41 AM
to ossec-list
Hi Andrew,

Sorry for the late response. A rule's function is basically to let you know what is happening in your environment, but this rule will not block normal visitors' IPs just because it was triggered. Have you checked if the Active Response module is active? If you have something similar to the following lines, that is probably what is causing the IPs to get blocked:

Example 1:

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
</command>

This is a command to run the firewall-drop.sh script to block the srcip.

Example 2:

<active-response>
  <command>makelists</command>
  <location>server</location>
  <rules_id>31533</rules_id>
</active-response>

This active-response will run the makelists command to update the CDB lists. CDB lists are used to create a white/black list of users, file hashes, IPs or domain names.

You can check more information about CDB lists here: https://documentation.wazuh.com/4.0/user-manual/ruleset/cdb-list.html

Also, regarding the examples, there are loads of other configurations for Active Response that could match yours. You can check them in here: https://www.ossec.net/docs/syntax/head_ossec_config.active-response.html

Lastly, if you want to just remove the rule you can copy the entire file to which this rule belongs (the path should be /var/ossec/ruleset/rules/0270-web_appsec_rules.xml), to the /var/ossec/etc/rules/ directory, change this file's name (very important!) and delete this rule from this file. You can copy the file running this command:

cp /var/ossec/ruleset/rules/0270-web_appsec_rules.xml /var/ossec/etc/rules/new_name.xml

Then, with any editor (nano, vim...) feel free to delete the rule 31533. The last step would be to go to the ossec.conf file and add the line:

<rule_exclude>0270-web_appsec_rules.xml</rule_exclude>

to the <ruleset> module. After this, restart the manager and you will never see this rule triggering again. You can check this link for further information about excluding rules: https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/ruleset.html#rule-exclude

Hope I was helpful. Do not hesitate to contact us if you have any doubt.

Yana.
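An alternative to removing rule 31533 altogether is to keep it and add an exception for the one endpoint in Andrew's log lines. The snippet below is an added example written for this page, not code from the thread or from the Wazuh/OSSEC ruleset. It assumes the custom rule file is /var/ossec/etc/rules/local_rules.xml, that rule id 100100 is free (100000-119999 is the range Wazuh reserves for custom rules), and that the match string wpgb-ajax=wpgb_front taken from the posted log lines is specific enough for this site; the group name is a placeholder.

```xml
<!-- Added example (not from the thread or the shipped ruleset).
     Drop into /var/ossec/etc/rules/local_rules.xml and restart the manager.
     Child rule of 31533: when the request that completes the POST burst is the
     WP Grid Builder front-end AJAX endpoint from the posted log lines, the match
     falls through to this rule, whose level 0 means no alert is generated.
     Rule id 100100 and the group name are assumptions. -->
<group name="web,accesslog,local,">
  <rule id="100100" level="0">
    <if_sid>31533</if_sid>
    <!-- <url> is matched against the url field the web access-log decoder
         extracts from the request line (here /?wpgb-ajax=wpgb_front&action=render). -->
    <url>wpgb-ajax=wpgb_front</url>
    <description>WP Grid Builder front-end render: burst of POSTs from a normal visitor, not a bot.</description>
  </rule>
</group>
```

Two caveats. The child rule is evaluated against the single event that pushed 31533 over its frequency threshold, so a source that mixes this endpoint with other POST URLs can still trigger the alert; to keep the endpoint out of the count entirely you would have to override the rule that 31533 builds on with `if_matched_sid`, which is worth checking in the shipped rule file for your version before copying it. Second, because the level 0 child replaces the level 10 match, any active-response entry bound to 31533 or to `<level>10</level>` (like the firewall-drop examples above) no longer fires for these requests, which is the behaviour Andrew asked for.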