Difference between revisions of "HIDS 60205"
(Created page with "'''Rule ID''' 60205 '''Status''' Active rule currently published. ''Message Example''' hostname mod_evasive[12345]: Blacklisting address 1.2.3.4: possible DoS attack. '''...") |
m (→Notes) |
||
(5 intermediate revisions by one user not shown) | |||
Line 1: | Line 1: | ||
− | + | {{Infobox | |
+ | |header1= Rule 60205 | ||
+ | |label2 = Status | ||
+ | |data2 = Active | ||
+ | |label3 = Alert Message | ||
+ | |data3 = Configured tresholds exceeded - Possible DoS attack | ||
+ | }} | ||
− | + | = Description = | |
− | '' | + | ''Log Example''' |
− | + | ''hostname mod_evasive[12345]: Blacklisting address 1.2.3.4: possible DoS attack.'' | |
− | + | This rule detects when the thresholds you have configured for the mod_evasive module are exceeded. This may be a DOS attack, or this may mean that you need to increase the thresholds for your system. For example, faster systems can handle more connections than slower systems. | |
− | + | mod_evasive is a Denial Of Service detection module for apache, it detects when an IP address exceeds a connection threshold (Example: X connections in Y seconds, or X accesses for the same page from a single IP in Y seconds). These thresholds are configurable through ASL. | |
− | + | = Troubleshooting = | |
− | + | == False Positives == | |
− | + | ||
− | + | ||
This rule can be falsely triggered if the configured thresholds for the system have been exceeded. | This rule can be falsely triggered if the configured thresholds for the system have been exceeded. | ||
− | If you believe that | + | If you believe that the thresholds are too low for your system, please see the Solutions section below. |
− | + | == Solutions == | |
Please see the [[Mod_evasive]] wiki page for detailed guidance. | Please see the [[Mod_evasive]] wiki page for detailed guidance. | ||
− | + | [https://www.atomicorp.com/wiki/index.php/Mod_evasive#Solution_1:_Increase_the_thresholds_for_mod_evasive_to_be_less_sensitive Solution 1: Increase the thresholds for mod_evasive to be less sensitive] | |
+ | |||
+ | [https://www.atomicorp.com/wiki/index.php/Mod_evasive#Solution_2:_Whitelist_the_IPs Solution 2: Whitelist the IP] | ||
+ | |||
+ | [https://www.atomicorp.com/wiki/index.php/Mod_evasive#Solution_3:_Disable_mod_evasive_entirely Solution 3: Disable mod_evasive] | ||
+ | |||
+ | = Additional Information = | ||
+ | |||
+ | == Similar Rules == | ||
None. | None. | ||
+ | |||
+ | == Knowledge Base Articles== | ||
+ | |||
+ | None. | ||
+ | |||
+ | == Outside References == | ||
+ | |||
+ | None. | ||
+ | |||
+ | == Notes == | ||
+ | |||
+ | This event does not produce an audit log entry, as it does not use mod_security. |
Latest revision as of 14:16, 11 November 2013
Rule 60205 | |
---|---|
Status | Active |
Alert Message | Configured tresholds exceeded - Possible DoS attack |
Contents |
[edit] Description
Log Example'
hostname mod_evasive[12345]: Blacklisting address 1.2.3.4: possible DoS attack.
This rule detects when the thresholds you have configured for the mod_evasive module are exceeded. This may be a DOS attack, or this may mean that you need to increase the thresholds for your system. For example, faster systems can handle more connections than slower systems.
mod_evasive is a Denial Of Service detection module for apache, it detects when an IP address exceeds a connection threshold (Example: X connections in Y seconds, or X accesses for the same page from a single IP in Y seconds). These thresholds are configurable through ASL.
[edit] Troubleshooting
[edit] False Positives
This rule can be falsely triggered if the configured thresholds for the system have been exceeded.
If you believe that the thresholds are too low for your system, please see the Solutions section below.
[edit] Solutions
Please see the Mod_evasive wiki page for detailed guidance.
Solution 1: Increase the thresholds for mod_evasive to be less sensitive
Solution 3: Disable mod_evasive
[edit] Additional Information
[edit] Similar Rules
None.
[edit] Knowledge Base Articles
None.
[edit] Outside References
None.
[edit] Notes
This event does not produce an audit log entry, as it does not use mod_security.