Just change the location of your open command to point to your Apache error_log like this –
open(STDERR, '>>', '/path/to/apache/logs/error_log') or die "Cannot append to error_log: $!";
Now, once httpd-guardian takes action, you will see entries like this in your error_log file –
httpd-guardian: IP address HASH(0x92e08d0) reached the 1 min threshold (speed = 2.76712328767123 req/sec, threshold = 0.01 req/sec)
httpd-guardian: Executing: /usr/bin/logger DoS Attack Identified from 127.0.0.1
The second line above is from my own "test" configuration, where I am just using logger to create a Syslog alert and not actually blackholing the client on the firewall.
# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com";
# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";
$PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s";
The point is that a message will be generated when httpd-guardian identifies a client that has gone over your defined threshold of requests per time interval, and again when it executes a responsive action.
Hope this helps.
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
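To make the behaviour described in the post concrete, here is an added example (mine, not httpd-guardian's own code and not Ryan's) that does the three things the post walks through: count requests per client IP over a one-minute window, compare the resulting req/sec figure against a threshold, and, for any client over the line, write the two "httpd-guardian:" messages to a sink (the redirected STDERR in the post) and build the PROTECT_EXEC command with %s replaced by the IP. Everything beyond that is an assumption: the Apache common log prefix it parses, the sliding-window rate calculation, the 1.0 req/sec default (the post's 0.01 was a test value), and the decision to split the PROTECT_EXEC template before substituting the IP so that the address is always exactly one argv element rather than text handed to a shell. The log lines are constructed, not real traffic.

```python
"""Rate-threshold detector in the style of httpd-guardian's PROTECT_EXEC hook.

Added example, not httpd-guardian's own code. Assumptions: Apache common log
prefix, a sliding 60 s window, a 1.0 req/sec default threshold, and a split-
then-substitute argv for the action (no shell involved).
"""
import ipaddress
import re
import shlex
import subprocess
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Client IP and [timestamp] are all we need from "ip ident user [ts] ..." lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(minutes=1)   # the "1 min threshold" from the post
THRESHOLD = 1.0                 # req/sec; assumed default (0.01 in the post was for testing)
PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s"   # the post's test setting


def parse_line(line):
    """Return (ip, datetime) for a recognised log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group("ip"))   # reject anything that is not an address
    except ValueError:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_rate(stamps, window=WINDOW):
    """Highest req/sec seen in any sliding window over the client's timestamps."""
    stamps = sorted(stamps)
    best, lo = 0, 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] >= window:   # drop requests that fell out of the window
            lo += 1
        best = max(best, hi - lo + 1)
    return best / window.total_seconds()


def find_offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each client IP whose peak rate exceeds the threshold to that rate."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[0]].append(parsed[1])
    return {ip: rate for ip, stamps in by_ip.items()
            if (rate := peak_rate(stamps, window)) > threshold}


def build_action(ip, template=PROTECT_EXEC):
    """Split the template first, then substitute: the IP is always one argv element."""
    return [tok.replace("%s", ip) for tok in shlex.split(template)]


def guard(lines, sink=sys.stderr, execute=False, threshold=THRESHOLD, window=WINDOW):
    """Emit the two httpd-guardian style messages per offender; return (messages, actions)."""
    messages, actions = [], []
    for ip, speed in find_offenders(lines, threshold, window).items():
        argv = build_action(ip)
        messages.append(f"httpd-guardian: IP address {ip} reached the 1 min threshold "
                        f"(speed = {speed} req/sec, threshold = {threshold} req/sec)")
        messages.append(f"httpd-guardian: Executing: {' '.join(argv)}")
        if execute:
            subprocess.run(argv, check=False)   # argv list: no shell interprets the IP
        actions.append(argv)
    for msg in messages:
        sink.write(msg + "\n")
    return messages, actions


def sample_log():
    """Constructed access-log lines (not real traffic): one noisy client, one quiet one."""
    base = datetime.strptime("09/May/2007:12:00:00 -0400", TS_FMT)

    def line(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.0" 200 612'

    lines = [line("10.0.0.5", i % 30) for i in range(70)]   # 70 requests inside 30 s
    lines += [line("10.0.0.9", i * 20) for i in range(3)]   # 3 requests across 40 s
    return lines


if __name__ == "__main__":
    guard(sample_log())   # messages go to stderr, as in the post's redirected STDERR
```

Run it as-is and the noisy 10.0.0.5 client produces the two messages on stderr while 10.0.0.9 stays quiet; drop the threshold to the post's 0.01 and a single request in the window is enough to trip it, which is why a lone 127.0.0.1 hit shows up in a test configuration. Pass `execute=True` only once the template points at something you actually want run.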