Topic: Using OSSEC to detect / block the XMLRPC.PHP attack.
The basis of this post came from this person's blog. A big thanks to him/her/it for the info!
For my purposes however, I made a couple small changes.
First, for some reason, the Apache log was being tagged as a pureftp-transfer decode. Since I don't run PureFTP, I simply disabled this decoder and removed the pure xml config file from ossec.conf.
I added the config below to the local rules file, but also included the group name to make sure it was added to web,accesslog.
<group name="web,accesslog,">
  <rule id="100167" level="1">
    <if_sid>31108</if_sid>
    <url>xmlrpc.php</url>
    <match>POST</match>
    <description>WordPress xmlrpc attempt.</description>
  </rule>

  <rule id="100168" level="10" frequency="2" timeframe="600">
    <if_matched_sid>100167</if_matched_sid>
    <same_source_ip />
    <description>WordPress xmlrpc attack.</description>
    <group>attack,</group>
  </rule>
</group> <!-- Web access log -->
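To see what these two rules actually do against real traffic, here is a small Python model of them run over a few access-log lines. This is an added example, not OSSEC code and not from the original post: the log lines are constructed, the parent rule 31108 is reduced to its 2xx/3xx status check (OSSEC also requires the URL to be a "simple" request, which is omitted here), and the sliding-window counter is a simplification of OSSEC's frequency/timeframe logic. The rule IDs, levels, frequency and timeframe are the ones from the config above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache combined log format (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:14:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
]

# The fields the rules above depend on: source IP, timestamp, URL and HTTP status.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)


def decode(line):
    """Decode one access-log line into the fields the rules test; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "srcip": m.group("srcip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "url": m.group("url"),
        "status": m.group("status"),
        "log": line,
    }


def rule_31108(ev):
    """Parent rule, reduced to its status check: request got a 2xx/3xx response."""
    return ev["status"][0] in ("2", "3")


def rule_100167(ev):
    """Level 1: child of 31108, <url>xmlrpc.php</url> and <match>POST</match> against the whole line."""
    return rule_31108(ev) and "xmlrpc.php" in ev["url"] and "POST" in ev["log"]


class XmlrpcCorrelator:
    """Level 10 rule 100168: `frequency` hits of 100167 from one source IP within `timeframe` seconds."""

    def __init__(self, frequency=2, timeframe=600):
        self.frequency = frequency
        self.timeframe = timeframe
        self.hits = defaultdict(deque)  # srcip -> timestamps of recent 100167 matches

    def feed(self, line):
        """Return the list of (rule_id, level, srcip) alerts raised by this line."""
        ev = decode(line)
        if ev is None or not rule_100167(ev):
            return []
        alerts = [("100167", 1, ev["srcip"])]
        window = self.hits[ev["srcip"]]
        window.append(ev["ts"])
        # Slide the window: drop hits older than the timeframe relative to this event.
        while (ev["ts"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            alerts.append(("100168", 10, ev["srcip"]))
            window.clear()  # count afresh so one burst yields one attack alert
        return alerts


def run(lines):
    """Feed every line through one correlator and collect the alerts in order."""
    c = XmlrpcCorrelator()
    out = []
    for line in lines:
        out.extend(c.feed(line))
    return out


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Two things worth checking when you adopt the rules: the GET with a 405 never reaches 100167 because the parent rule only sees successful requests, and two POSTs from the same IP 25 minutes apart produce two level 1 alerts but no level 10 one, which is the timeframe doing its job. OSSEC's own frequency counter does not map one-to-one onto this model (the OSSEC rule documentation describes the trigger count as higher than the configured frequency), so confirm the level 10 alert fires on your own logs before wiring it to an active response.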