elastalert_rules - limithit/ModSecurity GitHub Wiki
# Run ElastAlert detached in the background with verbose logging; stdout and
# stderr are both appended to elastalert.log so the process survives logout.
nohup elastalert --verbose --config config.yaml >>elastalert.log 2>&1 &
# The rule file printed below is the "attack" frequency rule.
cat rules/attack.yaml
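---
name: attack
type: frequency
# Glob pattern; quoted so the `*` is never read as a YAML alias sigil.
index: "logstash-alert-*"
# Alert on 5 matches in 10 minutes
num_events: 5
timeframe:
  minutes: 10
filter:
  - query:
      query_string:
        # Free-text match over the alert documents. NOTE(review): the bare
        # terms (and the trailing hyphen in `CVE-`) go through the index
        # analyzer, so confirm the query hits the intended field values.
        query: "Attack OR Injection OR CVE- NOT (Hidden OR DROP OR Reputation OR Traffic OR Zmap)"
# Alternative, narrower query kept for reference:
# query: "request: select.+(from|limit) OR request: union(.*?)select OR request: into.+(dump|out)file OR
# status: (400|404|500|501)
# NOT (request:_health.html OR remote_addr:1.1.1.1)"
# Silence for 5 minutes after the alert, during which time the alert will not
# be repeated, using 'dest_ip' as the de-duplication key.
# NOTE(review): keying on dest_ip alone means a second source hitting the same
# destination inside the window does not re-alert; confirm that grouping is
# what is wanted (src_ip is available in `include` below).
realert:
  minutes: 5
query_key:
  - dest_ip
# Fields copied from the matching document into the alert body.
include:
  - alert.category
  - alert.signature
  - dest_ip
  - dest_port
  - src_ip
  - http.url
# (Required)
# The alerters used when a match is found: "debug" logs the match,
# DingTalkAlerter posts it to the webhook below.
alert:
  - "debug"
  - "elastalert_modules.dingtalk_alert.DingTalkAlerter"
# access_token is a credential; the value shown here is a placeholder.
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=xxx"
dingtalk_msgtype: "text"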
# The rule file printed below is the ModSecurity (WAF) frequency rule.
cat rules/waf.yaml
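---
name: modsecurity
# type: any
type: frequency
# Glob pattern; quoted so the `*` is never read as a YAML alias sigil.
index: "modsecurity-*"
# Alert on 2 matching transactions within 5 minutes
num_events: 2
timeframe:
  minutes: 5
filter:
  - query:
      query_string:
        # 949110 / 959100 are the CRS inbound / outbound anomaly-score
        # summary rule ids (confirm against the deployed CRS version).
        # The NOT clause drops three rule ids and every transaction whose
        # Host header is www.sshfortress.com. NOTE(review): excluding a whole
        # host suppresses all alerts for it, not just the noisy rules —
        # confirm that is intended. Folded scalar: lines join with a single
        # space, same value as the former multi-line quoted string.
        query: >-
          transaction.messages.details.ruleId: 949110 OR transaction.messages.details.ruleId: 959100
          NOT (transaction.messages.details.ruleId: 920350 OR transaction.messages.details.ruleId: 921190 OR transaction.messages.details.ruleId: 930130 OR transaction.request.headers.Host: www.sshfortress.com)
# Silence for 10 minutes after an alert, de-duplicated per client IP.
realert:
  minutes: 10
query_key:
  - transaction.client_ip
# Fields copied from the matching transaction into the alert body.
include:
  - transaction.messages.details.ruleId
  - transaction.request.headers.Host
  - transaction.client_ip
  - transaction.request.uri
  - transaction.response.http_code
  - transaction.host_ip
  - transaction.host_port
  - transaction.request.method
  - transaction.messages.message
  - transaction.messages.details.match
# (Required)
# The alerters used when a match is found: "debug" logs the match,
# DingTalkAlerter posts it to the webhook below.
alert:
  - "debug"
  - "elastalert_modules.dingtalk_alert.DingTalkAlerter"
# access_token is a credential; the value shown here is a placeholder.
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=xxx"
dingtalk_msgtype: "text"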