Hi Peter,

Can you paste some of the alerts you got, just to give us some
context? Your rule seems fine and it should
have worked by ignoring the rule for 900 seconds (unless we have a bug).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Jan 30, 2010 at 12:56 PM, Peter M. Abraham
<peter.abra...@dynamicnet.net> wrote:
> Greetings:
>
> From time to time I get bombarded with several hundred " FTP brute
> force (multiple failed logins)" rule 11510 and " Multiple connection
> attempts from same source" 11511 alerts.
>
> I've been trying to rewrite the rule so I don't get notifications of
> the same attacker several hundred times.
>
> This is what I have tried last:
>
>  <rule id="11510" level="13" frequency="10" timeframe="360" ignore="900" overwrite="yes">
>    <if_matched_sid>11502</if_matched_sid>
>    <description>FTP brute force (multiple failed logins).</description>
>    <group>authentication_failures,</group>
>  </rule>
>
>  <rule id="11511" level="10" frequency="10" timeframe="30" ignore="900" overwrite="yes">
>    <if_matched_sid>11501</if_matched_sid>
>    <same_source_ip />
>    <description>Multiple connection attempts from same source.</description>
>    <group>recon,</group>
>  </rule>
>
>
> Yet, when I got up this morning, there were close to 400 alerts (combined for the
> above two rules) all from 61.136.188.83 trying to brute force FTP on
> the same physical server.
>
> If I understand the ignore correctly, the 900 would be 900 seconds or
> 15 minutes; and yet most of the alerts were within one to five minutes
> apart.
>
> What do I need to change so that within a 15-minute period, I do not
> receive the alert more than once for the same attacking IP address?
>
> Thank you.
>

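To make the expected effect of the attributes in Peter's rules concrete, here is an added toy model (not OSSEC's analysisd code, and not from this thread) of a composite rule with frequency, timeframe and ignore, run over a constructed flood of failed logins from one source. It assumes the semantics as the thread describes them and leaves it as a switch whether the ignore window is tracked per source IP or globally for the rule, which is the open question here.

```python
"""Toy model of an OSSEC-style composite rule (frequency/timeframe/ignore).

Added illustration, not OSSEC's own engine: a rule fires once `frequency`
child events from one source fall within `timeframe` seconds, and `ignore`
then suppresses further firings for that many seconds.
"""
from collections import defaultdict, deque


class CompositeRule:
    def __init__(self, rule_id, frequency, timeframe, ignore=0,
                 per_source_ignore=True):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe = timeframe
        self.ignore = ignore
        # Assumption: whether the ignore window is per source IP or global
        # for the rule is modelled as a switch, since the thread is unsure.
        self.per_source_ignore = per_source_ignore
        self.windows = defaultdict(deque)   # src_ip -> event timestamps
        self.last_fired = {}                # ignore key -> time of last alert

    def feed(self, ts, src_ip):
        """Feed one matching child event; return True if an alert is raised."""
        win = self.windows[src_ip]          # same_source_ip: one window per IP
        win.append(ts)
        while win and win[0] < ts - self.timeframe:   # drop stale events
            win.popleft()
        if len(win) < self.frequency:
            return False
        win.clear()                         # threshold reached: restart count
        key = src_ip if self.per_source_ignore else None
        last = self.last_fired.get(key)
        if last is not None and ts - last < self.ignore:
            return False                    # inside the ignore window
        self.last_fired[key] = ts
        return True


def alert_times(rule, events):
    """Return the timestamps at which `rule` fires for (ts, src_ip) events."""
    return [ts for ts, ip in events if rule.feed(ts, ip)]


def demo():
    # Constructed sample: one source fails an FTP login every 10 s for 30 min.
    flood = [(t, "192.0.2.10") for t in range(0, 1800, 10)]
    plain = CompositeRule(11510, frequency=10, timeframe=360)
    limited = CompositeRule(11510, frequency=10, timeframe=360, ignore=900)
    # Without ignore: 18 alerts; with ignore="900": alerts only at 90 s and 990 s.
    return len(alert_times(plain, flood)), alert_times(limited, flood)
```

With a global ignore window, a second source that starts attacking shortly after the first would be silenced as well, which is the trade-off a defender should weigh before suppressing alerts this aggressively.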