Hi Boris,
On Sun, Apr 14, 2019 at 09:36:15PM +0200, Boris Kočar wrote:
> Hello,
>
> I'm digging through the internet to find out how to parse a JSON response
> and create a rule.
>
> To be more specific here is a layout:
> 1. Layer 1 Nginx with Modsecurity
> 2. Layer 2 Application server
> 3. Layer 3 ....
>
> Scenario:
> A user tries to do something illegal which is known only to the application
> server, where all the business logic is. Let's say, for example, a password
> spray attack.
>
> What I would like to establish on ModSecurity:
> The application server will send back a JSON response with code 401 and body {IP:
> a.t.t.a.c.k.e.r i.p}; ModSecurity would catch the response, see the code (e.g.
> 401), parse the JSON body and put that IP on a blacklist for xy minutes.
I think you can't do that. Even if ModSecurity could parse the
"external" JSON source for rules, there would still be the
problem that you have to restart the Layer 1 components to
activate the rule after every update.
I think that you're looking for something closer to, e.g.,
fail2ban, or any IDS (Intrusion Detection System).
Hope this helps,
a.
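To illustrate the fail2ban-style alternative suggested in the reply, here is an added example that is not part of the thread and not code from ModSecurity or fail2ban: it reads nginx combined-format access-log lines (the sample lines below are constructed), counts 401 responses per client IP inside a sliding window, and places an IP on a temporary blocklist that expires after a configurable number of seconds. The threshold, window and ban duration are assumptions chosen for the demonstration; the enforcement step (e.g. feeding the blocked IP to a firewall) is left to the reader's environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample nginx access-log lines (combined format); not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2019:21:30:01 +0200] "POST /login HTTP/1.1" 401 52 "-" "curl/7.64.0"
203.0.113.7 - - [14/Apr/2019:21:30:02 +0200] "POST /login HTTP/1.1" 401 52 "-" "curl/7.64.0"
198.51.100.9 - - [14/Apr/2019:21:30:03 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Apr/2019:21:30:04 +0200] "POST /login HTTP/1.1" 401 52 "-" "curl/7.64.0"
203.0.113.7 - - [14/Apr/2019:21:30:05 +0200] "POST /login HTTP/1.1" 401 52 "-" "curl/7.64.0"
203.0.113.7 - - [14/Apr/2019:21:30:06 +0200] "POST /login HTTP/1.1" 401 52 "-" "curl/7.64.0"
"""

# Only the fields we need: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, status, epoch_seconds) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), int(m.group("status")), ts


class TempBlocklist:
    """fail2ban-style counter: max_failures 401s within `window` seconds bans an IP for `ban_seconds`.

    The numbers are assumed defaults for the demonstration, not values from the thread.
    """

    def __init__(self, max_failures=5, window=60, ban_seconds=600):
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent 401s
        self.banned_until = {}               # ip -> epoch seconds when the ban lapses

    def observe(self, ip, status, ts):
        """Feed one parsed log record. Returns True if this record triggered a ban."""
        if status != 401:
            return False
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_seconds
            q.clear()                           # start counting afresh once the ban expires
            return True
        return False

    def is_blocked(self, ip, now):
        """True while the IP's ban is active; expired bans are forgotten on lookup."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            return False
        return True


def process_log(text, **kwargs):
    """Run log text through a fresh blocklist; return (blocklist, IPs banned in order)."""
    bl = TempBlocklist(**kwargs)
    banned = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and bl.observe(*rec):
            banned.append(rec[0])
    return bl, banned


if __name__ == "__main__":
    bl, banned = process_log(SAMPLE_LOG)
    print("banned:", banned)
```

Run against the sample, only 203.0.113.7 is banned (five 401s within six seconds), 198.51.100.9 never is, and the ban lapses 600 seconds after the triggering request, which is the "xy minutes" behaviour the original question asked for, achieved from the access log rather than by rewriting ModSecurity rules at runtime.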