Hi Lars,

Any rule with an ID less than 100 is not defined in the rules configuration,
because they are internally generated (in this case, it is from the
stats module). It would be something similar to a snort preprocessor
alert (if you have ever used snort).

Basically, ossec creates a baseline of the events and if the number
of messages deviates from it, an alert is generated. There is *no*
way to change its default behavior, but you can configure ossec to
not alert on it. If you go to the "global" section of your config and
set the "stats" option to 3 or 4, you will not see this alert anymore.
To completely disable it, you can set the stats to 0 (zero).

<global>
..
<stats>3</stats>
..
</global>

*I was going to provide a link to the manual with more information,
but the server where the site is hosted is down.

*Next version will have more options in the configuration.

Thanks

--
Daniel B. Cid
dcid @ ( at ) ossec.net
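Added illustration (not OSSEC code, and not part of either message above): a simplified model of the hourly-baseline check Daniel describes, run over constructed Apache access-log lines. How the real stats module computes its baseline and decides what counts as a deviation is not documented here, so the model below (mean count for the same hour on previous days, alert when the current hour exceeds that mean by a chosen percentage) is an assumption, as are the sample log lines, the 50% threshold and all function names.

```python
import re
from collections import Counter
from statistics import mean

# Apache common/combined log line: only the [timestamp] field is needed.
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}):(\d{2}):\d{2}:\d{2} [+-]\d{4}\]")


def parse_date_hour(line):
    """Return (date_str, hour) from an Apache access-log line, or None if absent."""
    m = TS_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def hourly_counts(lines):
    """Count log lines per (date, hour) bucket, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        key = parse_date_hour(line)
        if key is not None:
            counts[key] += 1
    return counts


def baseline_for_hour(counts, hour, exclude_date=None):
    """Assumed baseline: mean count for this hour-of-day over all other days.

    Returns None when no history exists for that hour (nothing to compare to).
    """
    samples = [n for (d, h), n in counts.items() if h == hour and d != exclude_date]
    return mean(samples) if samples else None


def check_hour(counts, date, hour, threshold_pct=50):
    """Assumed rule: alert when the hour's count exceeds the baseline by threshold_pct.

    Returns the alert text (phrased like the HOURLY_STATS message in the
    thread) or None when the hour is within tolerance or has no baseline.
    """
    avg = baseline_for_hour(counts, hour, exclude_date=date)
    current = counts.get((date, hour), 0)
    if avg is None or current <= avg * (1 + threshold_pct / 100):
        return None
    return (f"The average number of logs between {hour:02d}:00 and {hour + 1:02d}:00 "
            f"is {round(avg)}. We reached {current}.")


def make_lines(date, hour, n):
    """Build n constructed access-log lines for the given date/hour (sample data)."""
    return [f'192.0.2.{i % 250 + 1} - - [{date}:{hour:02d}:{i % 60:02d}:00 +0000] '
            f'"GET /index.html HTTP/1.1" 200 {1000 + i}' for i in range(n)]


# Constructed history: three quiet days at 17:00, then a spike on 16/Jun.
SAMPLE_LOG = (
    make_lines("13/Jun/2006", 17, 70)
    + make_lines("14/Jun/2006", 17, 76)
    + make_lines("15/Jun/2006", 17, 73)
    + make_lines("16/Jun/2006", 17, 124)
    + make_lines("16/Jun/2006", 18, 40)   # first-ever 18:00 sample: no baseline yet
)

if __name__ == "__main__":
    counts = hourly_counts(SAMPLE_LOG)
    for date, hour in (("16/Jun/2006", 17), ("16/Jun/2006", 18)):
        print(date, hour, check_hour(counts, date, hour))
```

Running it reproduces the wording of the alert in Lars's mail for the 17:00 hour (baseline 73, current 124) and returns None for 18:00, where there is no earlier day to compare against. Raising threshold_pct is the knob that plays the role of the "stats" setting in this model: on a low-traffic server where 50 extra requests can double the hourly count, a loose tolerance (or disabling the check) is the only way to keep the rule from firing constantly.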


On 6/16/06, Lars Scheithauer <[EMAIL PROTECTED]> wrote:
>
> Good Day, Everyone!
>
> I'm running a low-profile-webserver, where the connections are pretty jumpy
> (100 more or fewer connections matters more if that's all you'll get in a day
> or if you get those every second), therefore I'm getting a lot of these
> messages:
>
> =============snipsnip============
> Received From: /var/log/apache2/access.log
> Rule: 11 fired (level 8) -> "Excessive number of connections during this
> hour."
> Portion of the log(s):
>
> The average number of logs between 17:00 and 18:00 is 73. We reached 124.'
> No Log Available (HOURLY_STATS)
> =============snipsnip============
>
> I'd like to tune that rule a bit, but I can't find a rule 11. Does anyone know
> where that one is defined?
>
> Have a nice weekend,
> Lars
>
