Hi Willem,

If you are talking about firewall messages, a simple rule would work:

    <rule id="100101" level="10" frequency="30" timeframe="45">
      <if_matched_sid>4100</if_matched_sid>
      <same_source_ip />
      <description>Multiple Firewall events from same source ip.</description>
    </rule>

*Note that this assumes 4100 is the main firewall rule.

To alert on a connection on port 3000 from 191.12.33.100, you can do:

    <rule id="100102" level="5">
      <if_sid>4100</if_sid>
      <srcport>3000</srcport>
      <srcip>191.12.33.100</srcip>
      <description>Firewall event on port 3000 from 191.12.33.100.</description>
    </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Apr 3, 2008 at 4:27 AM, Willem Gerber <[EMAIL PROTECTED]> wrote:
> Hi List
>
> I have a question about rules.
>
> How do you set the intervals for some stuff, say I get a connection from
> x amount of connections to my server from x; if the connections exceed 300
> per minute there is something wrong and I need an alert to go out via
> OSSEC. Any ideas what a rule for this would look like? I'm trying to catch
> DoS so I log certain ports via iptables.
> And how would I match something like this in the log file?
>
> Connection on port 3000 from 191.12.33.100
>
>
> Regards
> Willem Gerber
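The following is an added example, not code from the OSSEC project or from either message above. It models the two rules in the reply in plain Python and runs them over constructed iptables log lines, so the effect of `frequency`/`timeframe` with `same_source_ip` and of the single-event IP/port match can be checked without a running ossec-analysisd. Assumed for illustration: the iptables syslog line format, that "port 3000" means the destination port (`DPT=`), the sample addresses, and a plain reach-the-threshold count (OSSEC's own trigger count differs slightly; see the `frequency` option in its rules documentation).

```python
"""Model of the two OSSEC rules from the reply, run over sample iptables lines.

Added example; not OSSEC code. Assumptions: the log format in LINE_RE, the
port of interest is DPT=, and a burst fires when `frequency` events from one
source IP fall inside a `timeframe`-second sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed iptables syslog format; only the timestamp, SRC= and DPT= are used.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (not from a real host). 203.0.113.9 hits port 3000
# six times in six seconds; 10.0.0.5 is slow, steady SSH; 191.12.33.100 is
# the host from Willem's question.
SAMPLE_LOG = """\
Apr  3 04:27:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=22
Apr  3 04:27:02 fw kernel: IN=eth0 OUT= SRC=191.12.33.100 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=3000
Apr  3 04:27:20 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51001 DPT=22
Apr  3 04:27:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=1024 DPT=3000
Apr  3 04:27:31 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=1025 DPT=3000
Apr  3 04:27:32 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=1026 DPT=3000
Apr  3 04:27:33 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=1027 DPT=3000
Apr  3 04:27:34 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=1028 DPT=3000
Apr  3 04:27:35 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=1029 DPT=3000
Apr  3 04:27:40 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51002 DPT=22
Apr  3 04:27:41 fw kernel: IN=eth0 OUT= SRC=191.12.33.100 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=3001
Apr  3 04:27:50 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51003 DPT=22
"""


def parse(line, year=2008):
    """Return {'ts', 'src', 'dpt'} for a matching line, else None.

    Syslog timestamps carry no year, so one is assumed (the thread's, 2008).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": when.timestamp(), "src": m["src"], "dpt": int(m["dpt"])}


def port_from_ip_rule(ev, ip="191.12.33.100", port=3000):
    """Analog of rule 100102: one firewall event, this source IP on this port."""
    return ev["src"] == ip and ev["dpt"] == port


class SameSourceFrequencyRule:
    """Analog of rule 100101: frequency/timeframe keyed by source IP."""

    def __init__(self, frequency, timeframe):
        self.frequency = frequency        # events needed inside the window
        self.timeframe = timeframe        # window length in seconds
        self._seen = defaultdict(deque)   # src ip -> timestamps still in window

    def feed(self, ev):
        """Return True when this event completes a burst from ev['src']."""
        q = self._seen[ev["src"]]
        q.append(ev["ts"])
        # Drop timestamps that have slid out of the window.
        while q and ev["ts"] - q[0] > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # one alert per burst, not one per extra event
            return True
        return False


def run_rules(log_text, frequency=30, timeframe=45):
    """Run both rule analogs over log_text and return the alerts raised."""
    events = [ev for ev in map(parse, log_text.splitlines()) if ev]
    burst = SameSourceFrequencyRule(frequency, timeframe)
    port_alerts, flood_alerts = [], []
    for ev in events:
        if port_from_ip_rule(ev):
            port_alerts.append(ev["src"])
        if burst.feed(ev):
            flood_alerts.append(ev["src"])
    return {"events": events, "port_alerts": port_alerts,
            "flood_alerts": flood_alerts}


if __name__ == "__main__":
    # Thresholds lowered from the reply's 30/45 so the short sample triggers.
    result = run_rules(SAMPLE_LOG, frequency=5, timeframe=10)
    print("port 3000 from 191.12.33.100:", result["port_alerts"])
    print("bursts:", result["flood_alerts"])
```

Two things the run makes visible: the IP/port rule fires only on the one line that matches both fields (the later 191.12.33.100 line on port 3001 does not), and the burst rule is per source address, so four slow events from 10.0.0.5 spread over a minute never reach the threshold while 203.0.113.9's six in six seconds do. With the reply's real thresholds (30 events in 45 s) nothing in this small sample fires, which is the tuning question Willem has to answer against his own traffic before putting the XML into local_rules.xml.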