Greetings:

You don't mention which rule is kicking off, but let's say it is as
follows from /var/ossec/rules/proftpd_rules.xml


  <rule id="11251" level="10" frequency="6" timeframe="120">
    <if_matched_sid>11204</if_matched_sid>
    <same_source_ip />
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

If the rule has an adjuster such as timeframe (in the case of the
proftpd rules), then you can copy the rule set and edit
/var/ossec/rules/local_rules.xml and change the timeframe to a higher
number.

Then restart ossec with

/var/ossec/bin/ossec-control restart

Thank you.
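
Added example, not part of the original message: one way the copied rule could look in /var/ossec/rules/local_rules.xml. It assumes the stock rule 11251 quoted above, uses OSSEC's overwrite="yes" attribute so the local copy replaces the stock definition instead of being edited in proftpd_rules.xml, and uses 240 as a constructed sample value. timeframe is the window, in seconds, within which the frequency count must be reached.

```xml
<!-- /var/ossec/rules/local_rules.xml -->
<!-- Local copy of rule 11251; survives upgrades that replace proftpd_rules.xml. -->
<group name="local,syslog,">

  <!-- overwrite="yes" replaces the stock rule with the same id.      -->
  <!-- Only timeframe differs from the original (120 -> 240);         -->
  <!-- 240 is a sample value chosen for illustration.                 -->
  <rule id="11251" level="10" frequency="6" timeframe="240" overwrite="yes">
    <if_matched_sid>11204</if_matched_sid>
    <same_source_ip />
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```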
