I am trying to configure ossec-hids as protection of a mail spam-filter
gateway from distributed zombie PC attacks.  In this type of attack
multiple PCs are used to flood the server with SMTP connections.
Sendmail's anti-spam check_* macros protect against this, but I want to
block/tarpit the IP address of repeat offenders at the firewall, if only
to reduce the size of my logs.  As these can arrive at the rate of
hundreds of connections per second, time for detection and blocking is
critical.  Currently I am using rules that do this on a FreeBSD 6.3
system with the ossec-hids 1.4 port (rules shown at the end of this
post).

It works quite well (I think) and with a multiple threshold of 5 on
'Connection rate limit exceeded' is able to detect in about 30 seconds
and block in another 10 seconds (the sendmail rule triggers at client
connection rates exceeding 10 per second).  A lower threshold could
cut the total time in half.

What I don't quite understand from the alerts.log is that I seem to be
missing quite a few single event triggers, based on comparing against
the maillog records.  Here is a typical burst:

IP:81.97.101.160
----------------
 maillog   seconds
 --------  -------
 14:31:23
*14:31:29    6
*14:31:32    3
 14:31:34
 14:31:34
*14:31:38    6
 14:31:39
 14:31:39
 14:31:40
 14:31:44
*14:31:45    7
 14:31:45
*14:31:46    1
*14:31:49
 14:31:50
 14:31:50
 14:31:51
 14:31:55    9

* indicates also in alerts.log
Took 23 seconds to detect, 9 more to block.

8 single events recorded in maillog were not detected by ossec-hids
prior to firing the multiple rule (threshold 5).  Another way of looking
at it is that if all the events had been detected and counted, time to
multiple rule trigger would have been reduced from 23 seconds to 11
seconds.

Why, when the log is not being analyzed in real time, should events be
missed?  Not complaining, just trying to understand.

Rules follow:
---------------------------------------------------------------------------
<rule id="100050" level="5">
    <if_sid>3101</if_sid>
    <match>reject=421 4.3.2</match>
    <description>Connection rate limit exceeded.</description>
    <group>spam,</group>
</rule>

<rule id="100052" level="10" frequency="5" timeframe="60">
    <if_matched_sid>100050</if_matched_sid>
    <same_source_ip />
    <description>Multiple connection rate limit exceeded.</description>
    <group>multiple_spam,</group>
</rule>
---------------------------------------------------------------------------

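The effect of the missed single events on the composite rule can be checked with a small simulation of the frequency/timeframe counter in rule 100052 (a sliding window of hits per source IP). The code below is an added example, not part of the original post or of OSSEC; it uses the timestamps from the burst quoted above, a placeholder source IP, and a simplified counting model that is an assumption about how the composite rule behaves.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from rule 100052 in the post.
FREQUENCY = 5
TIMEFRAME = 60

# Timestamps of the burst quoted in the post (all maillog records for one
# source) and the subset marked '*' that reached alerts.log. Placeholder IP.
SRC = "192.0.2.10"
MAILLOG = ["14:31:23", "14:31:29", "14:31:32", "14:31:34", "14:31:34", "14:31:38",
           "14:31:39", "14:31:39", "14:31:40", "14:31:44", "14:31:45", "14:31:45",
           "14:31:46", "14:31:49", "14:31:50", "14:31:50", "14:31:51", "14:31:55"]
ALERTED = ["14:31:29", "14:31:32", "14:31:38", "14:31:45", "14:31:46", "14:31:49"]


def _ts(s):
    return datetime.strptime(s, "%H:%M:%S")


def composite_trigger(times, src=SRC, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Feed single-rule hits in arrival order into a sliding-window counter
    keyed by source IP (the <same_source_ip/> condition). Returns the
    timestamp at which the frequency threshold is first reached, or None."""
    window = defaultdict(deque)
    for t in sorted(_ts(s) for s in times):
        q = window[src]
        q.append(t)
        while t - q[0] > timedelta(seconds=timeframe):  # drop hits outside the timeframe
            q.popleft()
        if len(q) >= frequency:
            return t.strftime("%H:%M:%S")
    return None


def seconds_to_detect(times, burst_start=MAILLOG[0]):
    """Delay from the first connection of the burst to the composite alert."""
    fired = composite_trigger(times)
    if fired is None:
        return None
    return int((_ts(fired) - _ts(burst_start)).total_seconds())


if __name__ == "__main__":
    print("all maillog hits counted:", seconds_to_detect(MAILLOG), "s")     # 11
    print("only alerts.log hits counted:", seconds_to_detect(ALERTED), "s")  # 23
```

Counting every maillog hit reaches the threshold at 14:31:34 (11 s); counting only the hits that made it into alerts.log reaches it at 14:31:46 (23 s), matching the timeline in the post.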