HIDS 30195

Rule: 30195
Status: Active
Alert Message: Multiple access forbidden file or directory events from the same IP.

Description

This rule is triggered when ASL has detected that your web server has forbidden access to a file or directory for a single IP address multiple times. This rule is triggered if this occurs 10 or more times within 60 seconds.

This event is not triggered, caused, configured or managed by ASL. ASL is simply reporting that your web server is blocking access to this file or directory.

Details

This rule is designed to detect when your web server has prevented access to a file or directory and this event has occurred multiple times from a single IP address within a short period of time (60 seconds). This can occur if the web server is configured to prevent access to this file or directory, or if the permissions on the directory or file do not allow access by the web server.

ASL does not control or cause this behavior; it merely reports when this occurs. If your web server is denying access to a file or directory, please contact your web server vendor for assistance with this issue.

By default, ASL does not block and will not shun on these events. If you wish to have ASL shun an IP address on these events, please see the Tuning Guidance section below.

Disabling this rule will not stop your web server from denying access to this file or directory. It will simply "silence" the alert in ASL; your web server will continue to deny access to the file or directory. We do not recommend you disable this rule.

Troubleshooting

False Positives

This rule is not caused by ASL. ASL merely reports when your web server blocks access to a file or directory.

Tuning Guidance

If you wish to shun on these alerts, just set Active Response in the ASL rule manager for rule 30105 to "yes".

Disabling this rule will not prevent your web server from denying access to the file or directory. It will simply "silence" the alert in ASL. Your web server will continue to alert and/or block this activity. We do not recommend you disable this rule.

If you do not wish to see this alert, just set it to a lower level than the default in the ASL GUI.

If you do not wish to be emailed on this alert, just set the rule to not email.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Example log messages

[error] [client 1.2.3.4] client denied by server configuration: /home/user/public_html/favicon.ico
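
The frequency correlation described above (10 or more denials from one IP within 60 seconds), run over constructed log lines. This is an added sketch for illustration, not ASL's own rule code; the function names, the sample IPs and the Apache 2.2-style timestamp prefix (which the sample message above omits) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10  # denials from one IP, per the rule description
WINDOW = 60     # seconds, per the rule description
TS_FMT = "%a %b %d %H:%M:%S %Y"  # assumed Apache 2.2 error-log timestamp

# The leading "[timestamp]" field is assumed; the rest follows the page's sample.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>.*)$"
)

def find_offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time of first alert}; lines must be chronological per IP."""
    recent = defaultdict(deque)  # ip -> denial timestamps still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "client denied" event
        try:
            ts = datetime.strptime(m["ts"], TS_FMT)
        except ValueError:
            continue  # unparseable timestamp: skip rather than guess
        q = recent[m["ip"]]
        q.append(ts)
        # Drop denials that fell out of the window ending at this event.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts

def sample_lines(ip, start, count, step):
    """Constructed log lines: `count` denials from `ip`, `step` seconds apart."""
    return [
        f"[{(start + timedelta(seconds=i * step)).strftime(TS_FMT)}] "
        f"[error] [client {ip}] client denied by server configuration: "
        "/home/user/public_html/favicon.ico"
        for i in range(count)
    ]

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    # 192.0.2.10 is denied every 2 s (alerts); 192.0.2.20 every 30 s (does not).
    log = sample_lines("192.0.2.10", t0, 12, 2) + sample_lines("192.0.2.20", t0, 12, 30)
    print(find_offenders(log))
```
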
