Difference between revisions of "HIDS 60205"
m |
m |
||
| Line 13: | Line 13: | ||
'''Description''' | '''Description''' | ||
| − | This rule detects when the mod_evasive module | + | This rule detects when the thresholds you have configured for the mod_evasive module are triggered. mod_evasive is a Denial Of Service detection module for apache, it detects when an IP address exceeds a connection threshold (Example: X connections in Y seconds, or X accesses for the same page from a single IP in Y seconds). |
| + | |||
| + | These thresholds are configurable through ASL. | ||
'''False Positives''' | '''False Positives''' | ||
| Line 19: | Line 21: | ||
This rule can be falsely triggered if the configured thresholds for the system have been exceeded. | This rule can be falsely triggered if the configured thresholds for the system have been exceeded. | ||
| − | If you believe that | + | If you believe that the thresholds are too low for your system, please see the Solutions section below. |
'''Solutions''' | '''Solutions''' | ||
Revision as of 13:14, 6 December 2012
Rule ID
60205
Status
Active rule currently published.
Message Example'
hostname mod_evasive[12345]: Blacklisting address 1.2.3.4: possible DoS attack.
Description
This rule detects when the thresholds you have configured for the mod_evasive module are triggered. mod_evasive is a Denial Of Service detection module for apache, it detects when an IP address exceeds a connection threshold (Example: X connections in Y seconds, or X accesses for the same page from a single IP in Y seconds).
These thresholds are configurable through ASL.
False Positives
This rule can be falsely triggered if the configured thresholds for the system have been exceeded.
If you believe that the thresholds are too low for your system, please see the Solutions section below.
Solutions
Please see the Mod_evasive wiki page for detailed guidance.
Solution 1: Increase the thresholds for mod_evasive to be less sensitive
Solution 3: Disable mod_evasive
Similar Rules
None.
