(mode scoring) ; scoring, retry, instant

(var 
    (score 100u)
    (search/window 600)
    (bantime 500)
)

(uses 
    (set "nginx_http_auth" '("httpauth"))
    (set "nginx_general_errors" '("http_errors"))
    (set "nginx_http" '("http_40x" "http_444"))
    (set "all" '()) ; if non declared means ALL
)

(use "all")


;; Ruleset for nginx_errors.log
(ruleset "httpauth"
    (any
        (regex "^\[error\] \d+#\d+:\s\*\d+ user \"<short:username>\" (?:password mismatch|was not found in \"<short:fspath>\"), client: <tag:host>, server: \S*, request: \"\S+ \S+ HTTP/\d+\.\d+\", host: \"\S+\"(?:, referrer: \"\S+\")?\s*$"
            (severity 20u)
            (descr "comment: http auth btuteforce")
        )
    )
)

(ruleset "http_errors"
    (any
        (regex "^\[error\] \d+#\d+:\s\*\d+ (?:\S+ )?\"<short:fspath_fast>\" (?:failed|is not found) \(2: No such file or directory\), client: <tag:host>,.+$"
            (severity 10u)
            (descr "comment: no such file or directory")
        )
    )
)

;; Ruleset for nginx_http.log
(ruleset "http_40x"
    (any
        (regex "^\"(GET|POST|HEAD) \S+ \S+\" 40[0-4] .+$"
            (severity 10u)
            (descr "comment: http code 40[0-4]")
        )
    )
) 

(ruleset "http_444"
    (any
        (regex "^\"(GET|POST|HEAD|CONNECT) \S+ \S+\" 444 .+$"
            (severity 10u)
            (descr "comment: http code 444")
        )
    )
) 




;^\[error\] \d+#\d+:\s\*\d+ user "(?:\S*)" (?:password mismatch|was not found in "(?:(?:\.|\.\.|\/)[\/a-zA-Z0-9_\-\.]*)"), client: (([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(([a-fA-F0-9:]+:*?))), server: \S*, request: "\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$