"level 10 - High amount of POST requests in a small period of time" with ngx_pagespeed
981 views
Skip to first unread message
Chris
Jun 29, 2014, 7:23:30 AM6/29/14
to ossec...@googlegroups.com
Hi list,
running OSSEC 2.8 on a debian wheezy server together with NginX 1.6 and
the ngx_pagespeed 1.8.31.2 module fires the following OSSEC rule:
--------------------------------------------------------------------------------------------------------
OSSEC HIDS Notification.
2014 Jun 28 14:45:56
Received From: example.com->/var/log/nginx/access.log
Rule: 31533 fired (level 10) -> "High amount of POST requests in a small
period of time (likely bot)."
Portion of the log(s):
1.2.3.4 - - [28/Jun/2014:14:45:55 +0200] "POST
/ngx_pagespeed_beacon?url=http%3A%2F%2Fwww.example.com" "Mozilla/5.0
(X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0"
--------------------------------------------------------------------------------------------------------
It seems that this is a normal behavior when the ngx_pagespeed module is
installed as the IPs causing this POST requests are normal users of this
system.
For now i have created a local_rule:
---------------------------------------------------------
<!--group name="web,appsec,attack">
<rule id="100030" level="0">
<if_sid>31530</if_sid>
<decoded_as>web-accesslog</decoded_as>
<url>ngx_pagespeed_beacon</url>
<description>Ignore all ngx_pagespeed_beacon requests</description>
</rule>
</group-->
---------------------------------------------------------
to ignore those notifications but i'm not sure if there is a better way
to avoid such notifications.
Any help/hints/tips are welcome.
Thanks in advance for a reply.
running OSSEC 2.8 on a debian wheezy server together with NginX 1.6 and
the ngx_pagespeed 1.8.31.2 module fires the following OSSEC rule:
--------------------------------------------------------------------------------------------------------
OSSEC HIDS Notification.
2014 Jun 28 14:45:56
Received From: example.com->/var/log/nginx/access.log
Rule: 31533 fired (level 10) -> "High amount of POST requests in a small
period of time (likely bot)."
Portion of the log(s):
1.2.3.4 - - [28/Jun/2014:14:45:55 +0200] "POST
/ngx_pagespeed_beacon?url=http%3A%2F%2Fwww.example.com" "Mozilla/5.0
(X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0"
--------------------------------------------------------------------------------------------------------
It seems that this is a normal behavior when the ngx_pagespeed module is
installed as the IPs causing this POST requests are normal users of this
system.
For now i have created a local_rule:
---------------------------------------------------------
<!--group name="web,appsec,attack">
<rule id="100030" level="0">
<if_sid>31530</if_sid>
<decoded_as>web-accesslog</decoded_as>
<url>ngx_pagespeed_beacon</url>
<description>Ignore all ngx_pagespeed_beacon requests</description>
</rule>
</group-->
---------------------------------------------------------
to ignore those notifications but i'm not sure if there is a better way
to avoid such notifications.
Any help/hints/tips are welcome.
Thanks in advance for a reply.
dan (ddp)
Jun 30, 2014, 12:42:33 PM6/30/14
to ossec...@googlegroups.com
> Thanks in advance for a reply.
>
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Chris
Jul 13, 2014, 7:32:59 AM7/13/14
to ossec...@googlegroups.com
Hi,
>> to ignore those notifications but i'm not sure if there is a better way
>> to avoid such notifications.
>>
>> Any help/hints/tips are welcome.
>>
>
> Seems reasonable.
thanks for your reply. Running this now for some weeks and have not seen
any issues with this local rule.
>> to ignore those notifications but i'm not sure if there is a better way
>> to avoid such notifications.
>>
>> Any help/hints/tips are welcome.
>>
>
> Seems reasonable.
any issues with this local rule.
Reply all
Reply to author
Forward
0 new messages