Hi there,
Someone is attacking my server from different IPs at the same time, and the http-probing scenario does not ban them.
They make requests to my server by its hostname (I do not even know how to make it unavailable to everyone, because it is an auto-generated page by the Webuzo cPanel).
Frequently, the URL request contains wp-login, wp-includes or wp-content, so I want to ban this IP as soon as the parser finds this in the logs.
My scenario does not work:
#contributed by daria-zadorozhna
type: trigger                      # fire on the first matching event, no capacity/leakspeed needed
name: daria-zadorozhna/http-wp-files
description: "detect wp-files"
debug: false
# only http access-log events whose request path contains '/wp-' (substring match)
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path contains '/wp-'"
groupby: evt.Meta.source_ip        # one bucket per client IP
blackhole: 5m                      # do not re-alert for the same IP within 5 minutes
labels:                            # children must be indented under labels
  service: http
  type: scan
  remediation: true
Could anyone help me write the right scenario?
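As an added illustration (not part of the post and not CrowdSec's own code), the following Python replays constructed access-log lines through the same logic the scenario above describes: the filter, grouping by source IP, trigger-on-first-hit, and the 5-minute blackhole. The IPs, paths and timestamps are made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the original post): two source IPs,
# one of which keeps probing WordPress paths on a server that does not run WordPress.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /blog/wp-content/uploads/x.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:14:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_event(line):
    """Turn one access-log line into the evt.Meta fields the scenario filter reads."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "log_type": "http_access-log",
        "source_ip": m["ip"],
        "http_path": m["path"].split("?", 1)[0],   # strip the query string, as the http parser does
        "http_status": m["status"],
        "timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
    }

def scenario_filter(meta):
    """Python equivalent of: evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path contains '/wp-'."""
    return meta["log_type"] == "http_access-log" and "/wp-" in meta["http_path"]

def run_trigger_scenario(log_text, blackhole=timedelta(minutes=5)):
    """Replay the log through a 'type: trigger' scenario grouped by source_ip; returns the alerts raised."""
    # A trigger bucket overflows on its first matching event, so every hit would alert;
    # the blackhole suppresses further alerts for the same IP for the configured window.
    blackholed_until = {}
    alerts = []
    for line in log_text.splitlines():
        meta = parse_event(line)
        if meta is None or not scenario_filter(meta):
            continue
        ip, ts = meta["source_ip"], meta["timestamp"]
        if ip in blackholed_until and ts < blackholed_until[ip]:
            continue   # same IP already alerted within the blackhole window
        alerts.append((ip, meta["http_path"], ts.isoformat()))
        blackholed_until[ip] = ts + blackhole
    return alerts
```

Because `contains` is a substring test, the request under /blog/wp-content/ matches as well; on a server that really hosted WordPress this filter would fire on legitimate visitors, and adding a check on `evt.Meta.http_status == '404'` is the usual way to keep it to failed probes.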