Hi Jakes, the first instance should trigger the normal rule, then the rule 70908 should ignore the event during 300 seconds. I didn't test it...
Let me know if it works. Regards. On Thursday, April 6, 2017 at 7:14:01 PM UTC+2, Jake B. wrote: > > Hi Jesus, > > Thanks for the reply. Would this also alert on the first instance of this? > I still do want to alert, but I want to avoid the spam that comes with it > as it typically happens in large batches with little to no difference in > meaning between the different events. > > Thanks! > > On Thursday, April 6, 2017 at 1:24:05 AM UTC-7, Jesus Linares wrote: >> >> Hi Jake, >> >> take a look at rule 511 >> <https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>. >> >> It is the way to ignore a event coming from rule 510. You could do the same >> with a composite rule, it would be something like: >> >> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="300"> >> <if_matched_sid>510</if_matched_sid> >> <match>your_file</match> >> <description>Ignore rule 510 for 'your_file' during 300 seconds. >> </description> >> </rule> >> >> frequency=”0” would mean the rule must be matched 2 times (frequency is >> always +2 than the setting). >> level 0 will not generate an alert (for testing you could increase it). >> >> I hope it help. >> Regards. >> >> >> On Wednesday, April 5, 2017 at 5:11:22 PM UTC+2, Jake B. wrote: >>> >>> Hello, >>> >>> I have alerts coming in huge batches for rule 510. The batches of alerts >>> are essentially all the same event and the file path of the area that's >>> causing this is essentially identical in each batch except for the last >>> file. I'm trying to setup a rule that would look at the ID I setup in my >>> decoder, which is a file path that takes the path except for the last file >>> in order to match the batches of events. I want to alert only on the first >>> one and ignore the rest with that same ID for 5 minutes. First of all, does >>> the rule below look ok for this? Does frequency="0" work as I know the >>> frequency essentially adds 2 to it? Also, I'm having another issue with >>> this in particular is that ossec-logtest does not test this rule correctly >>> at all. Even when I paste the message, it doesn't even show up as something >>> that would trigger rule 510, which is what the alerts are coming as. So >>> that is also making it hard to troubleshoot this. Any ideas? Thanks! >>> >>> <rule id="70908" level="7" frequency="2" timeframe="45" ignore="300"> >>> <if_matched_sid>510</if_matched_sid> <decoded_as>my_decoder</decoded_as> >>> <same_id /> <description>*TEST* - Only alert on the first docker root event >>> for the same host and file path in a 60 second range.</description> >>> <description>*TEST* - This is meant to reduce noise as docker root events >>> typically happen in batches with not much difference in >>> meaning.</description> </rule> >>> >>> >>> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
