Reduce email notification improvement

Post by biadmin

I would like to see an intermediate option between receiving all ModSecurity alerts for upload attempts to URLs that don't exist (recommended by CXS), and no alerts for those events under the reduced email option. CXS recommends receiving all emails because, if emails are reduced, a direct attack on the server may not send any alert. Since the URL doesn't exist, the kind of attack being referenced would only apply to a sheer high-volume event like a DoS attack.

What I'm suggesting is an option for these "URL doesn't exist" upload attempts to only receive an email if XXX number of events occur in YYY minutes.

Here is a good reason for such an option. This morning I got about 100 such alerts. Some were probes for vulnerable WordPress URLs and some for vulnerable Joomla URLs. I use both frameworks. Should one hit a URL that DOES exist, it could be drowned out by the flood of "URL doesn't exist" alerts.

An option to just know if an extreme volume of such events were occurring would ensure I knew if a performance-impacting event was taking place while still keeping a more serious "URL does exist" alert from getting buried.

P.S. Recently I've been getting hundreds of these and the IP address appears to never repeat, so I have nothing to base a ban on.
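One way the "XXX events in YYY minutes" option requested above could behave, as an added example that is not part of the original post and not CXS code. The class, its parameters and the sample events are constructed for illustration; counting is global rather than per IP because the post notes the source addresses never repeat.

```python
from collections import deque
from datetime import datetime, timedelta


class UploadAlertFilter:
    """Decide which upload-attempt alerts should produce an email (hypothetical)."""

    def __init__(self, threshold, window_minutes):
        self.threshold = threshold                       # the post's "XXX" events
        self.window = timedelta(minutes=window_minutes)  # the post's "YYY" minutes
        self.missing_hits = deque()   # timestamps of "URL doesn't exist" events
        self.flood_reported = False   # one email per flood, not one per event

    def process(self, ts, url_exists):
        """Return 'immediate', 'flood', or None (suppressed) for one event."""
        if url_exists:
            return "immediate"        # hits on real URLs are never throttled
        self.missing_hits.append(ts)
        # Evict events that have aged out of the sliding window.
        while ts - self.missing_hits[0] > self.window:
            self.missing_hits.popleft()
        if len(self.missing_hits) >= self.threshold:
            if not self.flood_reported:
                self.flood_reported = True
                return "flood"
            return None               # flood already reported, stay quiet
        self.flood_reported = False   # volume dropped, re-arm the flood alert
        return None


# Constructed sample: (minutes after 08:00, does the target URL exist?)
SAMPLE_EVENTS = [(0, False), (1, False), (2, False), (3, True),
                 (4, False), (5, False), (6, False), (30, False)]


def run_sample(threshold=5, window_minutes=10):
    """Feed the constructed events through the filter and collect decisions."""
    start = datetime(2018, 2, 22, 8, 0)
    alert_filter = UploadAlertFilter(threshold, window_minutes)
    return [alert_filter.process(start + timedelta(minutes=m), exists)
            for m, exists in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (minute, exists), decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"+{minute:>2} min  url_exists={exists!s:<5}  email={decision}")
```

With these sample events, the single hit on an existing URL is emailed at once, the probes for missing URLs produce one flood email when the fifth arrives inside the window, and the lone probe at +30 minutes is suppressed.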