Difference between revisions of "HIDS 60205"

From Atomicorp Wiki
Revision as of 14:18, 6 December 2012

Rule 60205
Status Active
Alert Message Configured tresholds exceeded - Possible DoS attack

Description

Log Example

hostname mod_evasive[12345]: Blacklisting address 1.2.3.4: possible DoS attack.

This rule detects when the thresholds you have configured for the mod_evasive module are exceeded. mod_evasive is a Denial of Service detection module for Apache: it tracks requests per client IP address and, when an address exceeds a configured threshold (for example, X connections to the site within Y seconds, or X requests for the same page from a single IP within Y seconds), it blacklists that address and writes the log message shown above, which this rule matches.

These thresholds are configurable through ASL.
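The following is an added example, not code from the Atomicorp wiki or from mod_evasive itself. It models the two thresholds described above (requests for the same page, and total requests for the site, from one IP within an interval), emits the same log line that rule 60205 keys on, and runs that line through a matcher equivalent to the rule's decoder. The directive names in the comments (DOSPageCount, DOSPageInterval, DOSSiteCount, DOSSiteInterval, DOSBlockingPeriod, DOSWhitelist) are real mod_evasive settings; the numeric values, the hostname, the PID and the traffic sample are constructed for illustration and are not ASL's defaults. The counting logic is a simplified model of the module, not its source.

```python
import re

# Constructed example; the values below are illustrative, not ASL's defaults.
PAGE_COUNT, PAGE_INTERVAL = 2, 1     # DOSPageCount / DOSPageInterval (seconds)
SITE_COUNT, SITE_INTERVAL = 50, 1    # DOSSiteCount / DOSSiteInterval (seconds)
BLOCKING_PERIOD = 10                 # DOSBlockingPeriod (seconds)
WHITELIST = {"10.0.0.5"}             # DOSWhitelist entries (see Solution 2 below)

# The log line rule 60205 matches, as shown in the Log Example above.
BLACKLIST_RE = re.compile(
    r"mod_evasive\[\d+\]: Blacklisting address (?P<ip>\S+): possible DoS attack\.")


def hids_match(line):
    """Decoder step of the HIDS rule: return the blacklisted IP, or None if no match."""
    m = BLACKLIST_RE.search(line)
    return m.group("ip") if m else None


class EvasiveModel:
    """Simplified model of mod_evasive's per-IP hit counting (not the module's code).

    Each counter holds (time_of_last_hit, count). A hit arriving within `interval`
    seconds of the previous hit increments the counter; once the counter has reached
    `limit` the next such hit blacklists the client for BLOCKING_PERIOD seconds and
    writes one mod_evasive-style log line.
    """

    def __init__(self, pid=12345):
        self.pid = pid
        self.page_hits = {}    # (ip, uri) -> (last_hit_time, count)
        self.site_hits = {}    # ip -> (last_hit_time, count)
        self.blocked = {}      # ip -> time of the most recent blocked hit
        self.log = []          # constructed syslog lines

    def request(self, t, ip, uri):
        """Return HTTP status 200 or 403 for a request from `ip` to `uri` at time `t`."""
        if ip in WHITELIST:
            return 200
        if ip in self.blocked:
            if t - self.blocked[ip] < BLOCKING_PERIOD:
                self.blocked[ip] = t          # each blocked hit extends the block
                return 403
            del self.blocked[ip]
        over_page = self._hit(self.page_hits, (ip, uri), t, PAGE_COUNT, PAGE_INTERVAL)
        over_site = self._hit(self.site_hits, ip, t, SITE_COUNT, SITE_INTERVAL)
        if over_page or over_site:
            self.blocked[ip] = t
            self.log.append(
                f"hostname mod_evasive[{self.pid}]: Blacklisting address {ip}: possible DoS attack.")
            return 403
        return 200

    @staticmethod
    def _hit(table, key, t, limit, interval):
        """Record one hit; return True when the threshold for this key is exceeded."""
        last, count = table.get(key, (None, 0))
        if last is not None and t - last < interval and count >= limit:
            table[key] = (t, count + 1)
            return True
        if last is None or t - last >= interval:
            count = 0                          # gap longer than the interval: start over
        table[key] = (t, count + 1)
        return False


def demo():
    """Run a constructed traffic sample and feed the resulting log through the HIDS match."""
    m = EvasiveModel()
    burst = [m.request(0.1 * i, "1.2.3.4", "/index.php") for i in range(4)]        # 4 hits in 0.3 s
    spaced = [m.request(10.0 + 2.0 * i, "5.6.7.8", "/index.php") for i in range(4)]  # one hit per 2 s
    listed = [m.request(20.0 + 0.1 * i, "10.0.0.5", "/index.php") for i in range(4)]  # whitelisted
    alerts = [hids_match(line) for line in m.log]
    return burst, spaced, listed, alerts


if __name__ == "__main__":
    print(demo())
```

The burst client is refused from its third request onward and produces exactly one blacklist line, which the matcher reduces to the offending address; the client that stays under the interval is never counted up, and the whitelisted address is never inspected. Raising PAGE_COUNT or lowering PAGE_INTERVAL (Solution 1) or adding an address to WHITELIST (Solution 2) changes the outcome without touching the rule itself.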

Troubleshooting

False Positives

This rule fires whenever the configured thresholds are exceeded, so it can be triggered by legitimate traffic (for example, many clients behind a single NAT or proxy address) if the thresholds are set too low for your system.

If you believe that the thresholds are too low for your system, please see the Solutions section below.

Solutions

Please see the Mod_evasive wiki page for detailed guidance.

Solution 1: Increase the thresholds for mod_evasive to be less sensitive

Solution 2: Whitelist the IP

Solution 3: Disable mod_evasive

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes
