[jitsi-dev] jitsi-meet, nginx, ossec, High amount of POST requests in a small period of time


#1

Ahoi all,

I'm running jitsi-meet, nginx with ossec IDS.
http://ossec.github.io/

During a conference, ossec raises an alarm:

OSSEC HIDS Notification.
2016 Jan 22 11:58:33

Received From: meet->/var/log/nginx/access.log
Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)."
Portion of the log(s):

10.100.100.12 - - [22/Jan/2016:11:58:33 +0100] "POST /http-bind?room=dangerousbugsextinguishslyly HTTP/1.1" 200 119 "https://meet.domain.tld/DangerousBugsExtinguishSlyly" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0"
...
and blocks the client.

Is it normal behavior that there is this amount of POST requests?

tia
Stefan


#2

Depends on what the amount is. I see around 10 POST requests (all of them BOSH) while initially connecting to a conference. This is normal.

Regards,
Boris



#3

Hello Boris,

On Friday 22 January 2016, 09:04:00, Boris Grozev wrote:

On 22/01/16 06:46, Stefan Fuhrmann wrote:
> Ahoi all,
>
> I'm running jitsi-meet, nginx with ossec IDS.
> http://ossec.github.io/
>
> During a conference, ossec raises an alarm:
>
> OSSEC HIDS Notification.
> 2016 Jan 22 11:58:33
>
> Received From: meet->/var/log/nginx/access.log
> Rule: 31533 fired (level 10) -> "High amount of POST requests in a small period of time (likely bot)."
> Portion of the log(s):
>
> 10.100.100.12 - - [22/Jan/2016:11:58:33 +0100] "POST /http-bind?room=dangerousbugsextinguishslyly HTTP/1.1" 200 119 "https://meet.domain.tld/DangerousBugsExtinguishSlyly" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0"
> ...
> and blocks the client.
>
> Is it normal behavior that there is this amount of POST requests?

Depends on what the amount is. I see around 10 POST requests (all of
them BOSH) while initially connecting to a conference. This is normal.

Okay, thanks for the help!

Stefan
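
Added example, not part of the original thread and not code from Jitsi or OSSEC: a way to measure, from the nginx access log, how many BOSH POSTs to /http-bind each client sends in a short window, so an alert threshold can be compared against real conference traffic. The 20-second window, the threshold of 10, the address 10.100.100.20 and the sample log lines are assumptions constructed for illustration; they are not the values used by rule 31533.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" log format: client IP, [timestamp], "METHOD URL PROTOCOL"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def peak_posts(lines, window_s=20, path_prefix="/http-bind"):
    """Per client IP, the largest number of POSTs to path_prefix seen
    inside any sliding window of window_s seconds (lines in time order)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, ts, method, url = m.groups()
        if method != "POST" or not url.startswith(path_prefix):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] >= window:
            q.popleft()           # drop requests older than the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def over_threshold(lines, threshold=10, window_s=20):
    """Client IPs whose BOSH POST burst reaches the (assumed) threshold."""
    return sorted(ip for ip, n in peak_posts(lines, window_s).items() if n >= threshold)

def sample_lines():
    """Constructed log lines: one client joining a conference, one idle client."""
    fmt = ('{ip} - - [22/Jan/2016:11:58:{s:02d} +0100] "{m} {u} HTTP/1.1" '
           '200 119 "-" "constructed-sample"')
    lines = [fmt.format(ip="10.100.100.12", s=s, m="POST", u="/http-bind?room=demo")
             for s in range(20, 32)]                      # 12 POSTs in 12 seconds
    lines += [fmt.format(ip="10.100.100.20", s=s, m="POST", u="/http-bind?room=demo")
              for s in (0, 25, 55)]                       # 3 POSTs, far apart
    lines.append(fmt.format(ip="10.100.100.20", s=56, m="GET", u="/demo"))
    return lines

if __name__ == "__main__":
    for ip, n in sorted(peak_posts(sample_lines()).items()):
        print(f"{ip}: peak {n} POSTs to /http-bind within 20 s")
    print("at or above threshold:", over_threshold(sample_lines()))
```

Running it over a log captured during a real conference shows the burst size legitimate clients produce, which is the number to weigh before tuning the alert or the active response.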