title: Multiple Modsecurity Blocks
id: a06eea10-d932-4aa6-8ba9-186df72c8d23
status: stable
description: Detects multiple blocks by the mod_security module (Web Application Firewall)
author: Florian Roth
date: 2017/02/28
logsource:
    product: linux
    service: modsecurity
detection:
    selection:
        - 'mod_security: Access denied'
        - 'ModSecurity: Access denied'
        - 'mod_security-message: Access denied'
    timeframe: 120m
    condition: selection
falsepositives:
    - Vulnerability scanners
    - Frequent attacks if system faces Internet
level: medium
tags:
    - attack.impact
    - attack.t1499