On Wed, Apr 5, 2017 at 4:45 PM, Rob Williams <tsinfosect...@gmail.com> wrote:
> I stopped them all (which appeared to work fine) and started again. Here is
> the rule and decoder I made for this (I want to alert only once if the same
> ID (filepath) has alerted in the past minute):
>
> <rule id="80100" level="7" frequency="2" timeframe="60" ignore="120">
>   <if_matched_sid>510</if_matched_sid>
>   <same_id />
>   <description>This is meant to reduce noise as these events happen in
>   batches with not much difference in meaning.</description>
> </rule>
>
> DECODER:
>
> <decoder name="sample_decoder_setup">
>   <prematch>^(\.+) (\p/filepath\.+) </prematch>
>   <regex>(/filepath/\.+/mnt/\.+/)</regex>
>   <order>id</order>
> </decoder>
>
> Logtest returns the id I am looking for to match and that part works fine.
> It only gets to the first 2 steps though, and does not match it with a rule
> in logtest.
Well, 510 won't match because it expects 509 to match. 509 won't match because it requires decoder "rootcheck" to match. Your decoder is taking priority, apparently. Maybe if you made your decoder a child of rootcheck.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
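To make the chain described in the reply concrete, here is an added toy model of the evaluation (it is not part of the thread and not OSSEC code). It assumes the stock rule 509 is `<decoded_as>rootcheck</decoded_as>` and the stock rule 510 is `<if_sid>509</if_sid>`, then layers the poster's 80100 on top. The frequency/timeframe/ignore semantics are simplified to "fire on the Nth parent match within the window, then stay silent for `ignore` seconds per id", which is not a claim about OSSEC's exact counters. The events and the decoder names are constructed; the only thing varied between the two runs is which decoder name the event carries, which is the point the reply makes.

```python
"""Toy model of the OSSEC rule chain rootcheck -> 509 -> 510 -> 80100.

Added example, not OSSEC source. Rule definitions for 509/510 are assumed
from the stock ruleset; frequency/timeframe/ignore are simplified.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    id: int
    level: int
    decoded_as: Optional[str] = None      # <decoded_as>: decoder that must have decoded the event
    if_sid: Optional[int] = None          # <if_sid>: parent must match the same event
    if_matched_sid: Optional[int] = None  # <if_matched_sid>: parent must match now and recently
    frequency: int = 0                    # parent matches required inside timeframe (simplified)
    timeframe: int = 0                    # seconds
    same_id: bool = False                 # <same_id />: count only events with the same decoded id
    ignore: int = 0                       # seconds to stay silent after firing


@dataclass
class Event:
    ts: int       # seconds on a constructed timeline
    decoder: str  # name of the decoder that decoded the line
    id: str = ""  # value captured by the decoder's <order>id</order>


class Engine:
    def __init__(self, rules: List[Rule]):
        # Parents carry lower ids here, so id order decides a parent before its children.
        self.rules = sorted(rules, key=lambda r: r.id)
        self.history: Dict[int, List[Tuple[int, str]]] = {r.id: [] for r in rules}
        self.ignore_until: Dict[Tuple[int, Optional[str]], int] = {}

    def evaluate(self, ev: Event) -> List[int]:
        """Return the ids of every rule that matches ev, parents first."""
        fired: List[int] = []
        for r in self.rules:
            if r.decoded_as is not None and ev.decoder != r.decoded_as:
                continue  # 509 needs "rootcheck"; any other decoder name stops the chain here
            if r.if_sid is not None and r.if_sid not in fired:
                continue
            if r.if_matched_sid is not None:
                if r.if_matched_sid not in fired:
                    continue
                key = ev.id if r.same_id else None
                if self.ignore_until.get((r.id, key), -1) > ev.ts:
                    continue  # still inside the ignore window for this id
                recent = [
                    h for h in self.history[r.if_matched_sid]
                    if ev.ts - h[0] <= r.timeframe and (not r.same_id or h[1] == ev.id)
                ]
                if len(recent) < r.frequency:
                    continue
                self.ignore_until[(r.id, key)] = ev.ts + r.ignore
            fired.append(r.id)
            self.history[r.id].append((ev.ts, ev.id))
        return fired


RULES = [
    Rule(509, 0, decoded_as="rootcheck"),  # assumed stock definition
    Rule(510, 7, if_sid=509),              # assumed stock definition
    Rule(80100, 7, if_matched_sid=510, frequency=2, timeframe=60,
         same_id=True, ignore=120),        # the rule posted in the thread
]

# Constructed timeline: (ts, id captured by the decoder). Paths are made up.
TIMELINE = [
    (0, "/mnt/vol1/a"), (10, "/mnt/vol1/a"), (20, "/mnt/vol1/b"),
    (30, "/mnt/vol1/a"), (200, "/mnt/vol1/a"), (210, "/mnt/vol1/a"),
]


def run(decoder_name: str) -> List[List[int]]:
    """Replay TIMELINE with every event decoded by decoder_name."""
    eng = Engine(RULES)
    return [eng.evaluate(Event(ts, decoder_name, i)) for ts, i in TIMELINE]


if __name__ == "__main__":
    print("custom decoder:", run("sample_decoder_setup"))  # nothing fires: 509 never matches
    print("rootcheck     :", run("rootcheck"))
```

With the custom decoder name, no rule in the chain fires at all, which matches the logtest symptom in the first post. With the event decoded as "rootcheck", 509 and 510 fire on every event and 80100 fires on the second event for the same id inside 60 s, then stays quiet for that id for 120 s; a second id (`/mnt/vol1/b`) keeps its own counter because of `<same_id />`.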