elastalert_rules - limithit/ModSecurity GitHub Wiki

# Start ElastAlert in the background with verbose logging; stdout and stderr are
# appended to elastalert.log. Run from the directory that holds config.yaml
# (the path is relative) and the rules/ folder the config points at.
nohup elastalert --verbose --config config.yaml >>elastalert.log 2>&1 &

cat rules/attack.yaml

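---
# ElastAlert frequency rule over IDS alert documents in logstash-alert-*:
# fire once num_events matching documents arrive inside the timeframe.
name: attack
type: frequency

index: logstash-alert-*

# Alert on 5 matches in 10 minutes
num_events: 5
timeframe:
  minutes: 10

filter:
  - query:
      query_string:
        # The terms are unqualified, so query_string matches them in its
        # default field(s) rather than one named field; the NOT group drops the
        # noisy signature words listed.
        query: "Attack OR Injection OR CVE- NOT (Hidden OR DROP OR Reputation OR Traffic OR Zmap)"
        # Alternative request/status based query, kept for reference:
        # query: >-
        #   request: select.+(from|limit) OR request: union(.*?)select OR request: into.+(dump|out)file OR
        #   status: (400|404|500|501)
        #   NOT (request:_health.html OR remote_addr:1.1.1.1)

# Silence for 5 minutes after an alert; during that window the alert is not
# repeated. De-duplication is keyed on dest_ip, so a second source hitting the
# same dest_ip inside the window does not raise a separate alert.
realert:
  minutes: 5
query_key:
  - dest_ip
# Fields copied into the alert body (and into elastalert.log via the debug alerter).
include:
  - alert.category
  - alert.signature
  - dest_ip
  - dest_port
  - src_ip
  - http.url

# (Required)
# Alerters used when a match is found: "debug" writes the match to the
# ElastAlert log, the DingTalk module posts it to the webhook below.
alert:
  - "debug"
  - "elastalert_modules.dingtalk_alert.DingTalkAlerter"

# "xxx" is a placeholder; keep the real access_token out of committed rule files.
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=xxx"
dingtalk_msgtype: "text"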

cat rules/waf.yaml

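---
# ElastAlert frequency rule over ModSecurity audit documents in modsecurity-*:
# fire when the same client triggers num_events matches inside the timeframe.
name: modsecurity
# type: any    # alternative: alert on every single match instead of a count
type: frequency

index: modsecurity-*
num_events: 2
timeframe:
  minutes: 5

filter:
  - query:
      query_string:
        # 949110 / 959100 are the OWASP CRS inbound / outbound anomaly-score
        # evaluation rules, i.e. requests whose total score crossed the blocking
        # threshold. The NOT group drops three individual rule ids and one Host.
        # Note that the Host clause suppresses every anomaly event for that
        # vhost, not only the noisy ones; narrow it to a ruleId+Host pair if
        # that host still needs monitoring.
        # Folded scalar: newlines become single spaces, so this is one
        # query_string line at runtime without trailing-whitespace surprises.
        query: >-
          transaction.messages.details.ruleId: 949110
          OR transaction.messages.details.ruleId: 959100
          NOT (transaction.messages.details.ruleId: 920350
          OR transaction.messages.details.ruleId: 921190
          OR transaction.messages.details.ruleId: 930130
          OR transaction.request.headers.Host: www.sshfortress.com)

# Silence for 10 minutes after an alert, de-duplicated per client IP: more
# matches from the same transaction.client_ip inside the window do not
# raise a new alert.
realert:
  minutes: 10
query_key:
  - transaction.client_ip
# Fields copied into the alert body. They include request URI, client IP and
# the matched payload, and the debug alerter writes them to elastalert.log,
# so that log should be protected like the audit log itself.
include:
  - transaction.messages.details.ruleId
  - transaction.request.headers.Host
  - transaction.client_ip
  - transaction.request.uri
  - transaction.response.http_code
  - transaction.host_ip
  - transaction.host_port
  - transaction.request.method
  - transaction.messages.message
  - transaction.messages.details.match

# (Required)
# Alerters used when a match is found: "debug" writes the match to the
# ElastAlert log, the DingTalk module posts it to the webhook below.
alert:
  - "debug"
  - "elastalert_modules.dingtalk_alert.DingTalkAlerter"

# "xxx" is a placeholder; keep the real access_token out of committed rule files.
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=xxx"
dingtalk_msgtype: "text"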