Hi Dan,

Thanks for the response. I am aware of the frequency and timeframe
options in the rule but it does not serve the purpose. Let me frame the
requirement in a slightly different way.

Basically, we have 50 duplicate events generated within the period of 1
sec which we want to throttle down to 1 event per sec. This is to avoid
having users investigate too many events. To achieve this, OSSEC will have
to hold the said event *[based on rule ID]* for 1 sec and see how many
such events arrive within the period of 1 sec. If the number goes beyond
50, then post just one aggregated alert instead of 50 different ones. If
that does not happen, then just release whatever is held.

Hope that helps. If there is any workaround in OSSEC to achieve this, it
would really help to reduce the number of events.


On Saturday, 8 July 2017 23:21:48 UTC+5:30, dan (ddpbsd) wrote:
>
> On Fri, Jul 7, 2017 at 8:07 AM, chintan shah <shahch...@gmail.com> wrote:
> > Hi Guys,
> >
> > Just wanted to check if anybody has an idea on how to throttle the
> > events in OSSEC. I have a situation where there are 20 duplicate alerts
> > within a second and I would want to raise only 1 alert for that. Is there
> > any event throttling mechanism in OSSEC where only 1 event can be raised
> > for the N number of events within a timeframe?
> >
>
> Look at the frequency and timeframe rule options.
>
> > Regards
> > Chintan

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
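The hold-for-one-second-and-aggregate behaviour described at the top of this reply is not shown in code anywhere in the thread, so here is an added Python model of that logic; it is not OSSEC code and not from the list, and the rule IDs, timestamps and messages in run_demo are constructed sample values.

```python
# Numbers from the thread: hold duplicates per rule ID for 1 s and, if 50 or
# more arrive in that window, emit one aggregated alert instead of 50.
WINDOW = 1.0
THRESHOLD = 50


class RuleThrottle:
    """Hold events per rule ID for one window; on expiry emit one aggregated
    alert if the count reached the threshold, else release the held events."""
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.held = {}  # rule_id -> [window_start, [events]] (insertion ordered)

    def feed(self, event):
        """Accept one event (dict with 'rule_id' and 'ts' in seconds); return
        whatever closing an expired window for that rule ID produces."""
        out = []
        rid, ts = event["rule_id"], event["ts"]
        if rid in self.held and ts - self.held[rid][0] >= self.window:
            out.extend(self._close(rid))
        self.held.setdefault(rid, [ts, []])[1].append(event)
        return out

    def _close(self, rid):
        start, events = self.held.pop(rid)
        if len(events) >= self.threshold:
            return [{"rule_id": rid, "ts": start, "aggregated": len(events),
                     "msg": f"{len(events)} duplicate events within {self.window}s"}]
        return events  # below threshold: release them unchanged

    def flush(self, now):
        """Close every window that has expired as of 'now' (call periodically)."""
        expired = [r for r, (start, _) in self.held.items() if now - start >= self.window]
        return [alert for rid in expired for alert in self._close(rid)]


def run_demo():
    """Constructed sample: 60 duplicate rule-5710 events and 3 rule-5501 events,
    all inside one second, then a flush 1.5 s after the first event."""
    events = [{"rule_id": 5710, "ts": 100.0 + i * 0.015, "msg": "sshd: auth failed"}
              for i in range(60)]
    events += [{"rule_id": 5501, "ts": 100.2 + i * 0.1, "msg": "pam: session opened"}
               for i in range(3)]
    throttle, out = RuleThrottle(), []
    for event in sorted(events, key=lambda e: e["ts"]):
        out.extend(throttle.feed(event))
    out.extend(throttle.flush(now=101.5))
    return out  # one aggregated 5710 alert, then the three 5501 events
```

The model keys windows by rule ID only; OSSEC's own frequency/timeframe matching can additionally require the same source IP or user, which this sketch does not attempt.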
