rules/linux/modsecurity/modsec_mulitple_blocks.yml

title: Multiple Modsecurity Blocks
id: a06eea10-d932-4aa6-8ba9-186df72c8d23
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
logsource:
    product: linux
    service: modsecurity
detection:
    selection:
        - 'mod_security: Access denied'
        - 'ModSecurity: Access denied'
        - 'mod_security-message: Access denied'
    timeframe: 120m 
    condition: selection | count() > 6
falsepositives:
    - Vulnerability scanners
    - Frequent attacks if system faces Internet
level: medium
ModSecurity rule: multiple blocks 2017-02-28 17:53:32 +01:00			`title: Multiple Modsecurity Blocks`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: a06eea10-d932-4aa6-8ba9-186df72c8d23`
			`description: Detects multiple blocks by the mod_security module (Web Application Firewall)`
ModSecurity rule: multiple blocks 2017-02-28 17:53:32 +01:00			`logsource:`
			`product: linux`
			`service: modsecurity`
			`detection:`
			`selection:`
			`- 'mod_security: Access denied'`
			`- 'ModSecurity: Access denied'`
			`- 'mod_security-message: Access denied'`
			`timeframe: 120m`
			`condition: selection \| count() > 6`
			`falsepositives:`
			`- Vulnerability scanners`
			`- Frequent attacks if system faces Internet`
			`level: medium`