Difference between revisions of "HIDS 60205"

From Atomicorp Wiki
Jump to: navigation, search
m
m
Line 21: Line 21:
 
If you believe that this is a false positive, then either disable the DOS protections in ASL, increase the thresholds or whitelist the IP.  The section below provides a link to the process for doing this.
 
If you believe that this is a false positive, then either disable the DOS protections in ASL, increase the thresholds or whitelist the IP.  The section below provides a link to the process for doing this.
  
'''Tuning Recommendations'''
+
'''Solutions'''
  
 
Please see the [[Mod_evasive]] wiki page for detailed guidance.
 
Please see the [[Mod_evasive]] wiki page for detailed guidance.
 +
 +
[https://www.atomicorp.com/wiki/index.php/Mod_evasive#Solution_1:_Increase_the_thresholds_for_mod_evasive_to_be_less_sensitive Solution 1:  Increase the thresholds for mod_evasive to be less sensitive]
 +
 +
[https://www.atomicorp.com/wiki/index.php/Mod_evasive#Solution_2:_Whitelist_the_IPs Solution 2: Whitelist the IP]
 +
 +
[https://www.atomicorp.com/wiki/index.php/Mod_evasive#Solution_3:_Disable_mod_evasive_entirely Solution 3: Disable mod_evasive]
  
 
'''Similar Rules'''
 
'''Similar Rules'''
  
 
None.
 
None.

Revision as of 13:13, 6 December 2012

Rule ID

60205

Status

Active rule currently published.

Message Example'

hostname mod_evasive[12345]: Blacklisting address 1.2.3.4: possible DoS attack.

Description

This rule detects when the mod_evasive module is triggered. mod_evasive is a Denial Of Service detection module for apache, it detects when an IP address exceeds a connection threshold (Example: X connections in Y seconds, or X accesses for the same page from a single IP in Y seconds).

False Positives

This rule can be falsely triggered if the configured thresholds for the system have been exceeded.

If you believe that this is a false positive, then either disable the DOS protections in ASL, increase the thresholds or whitelist the IP. The section below provides a link to the process for doing this.

Solutions

Please see the Mod_evasive wiki page for detailed guidance.

Solution 1: Increase the thresholds for mod_evasive to be less sensitive

Solution 2: Whitelist the IP

Solution 3: Disable mod_evasive

Similar Rules

None.

Personal tools