Thank you very much :D That's exactly what I was looking for :D

Daniel Cid wrote:
> Hi Willem,
>
> If you are talking about firewall messages, a simple rule would work:
>
> <rule id="100101" level="10" frequency="30" timeframe="45">
>   <if_matched_sid>4100</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple Firewall events from same source ip.</description>
> </rule>
>
> *Note that 4100 is the main firewall rule.
>
> To alert on a connection on port 3000 from 191.12.33.100, you can do:
>
> <rule id="100102" level="5">
>   <if_sid>4100</if_sid>
>   <srcport>3000</srcport>
>   <srcip>191.12.33.100</srcip>
>   <description>Firewall event on port 3000 from 191.12.33.100.</description>
> </rule>
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Thu, Apr 3, 2008 at 4:27 AM, Willem Gerber <[EMAIL PROTECTED]> wrote:
>
>> Hi List
>>
>> I have a question about rules.
>>
>> How do you set the intervals for some stuff? Say I get x amount of connections to my server from x; if the connections exceed 300 per minute, there is something wrong and I need an alert to go out via OSSEC. Any ideas what a rule for this would look like? I'm trying to catch DoS, so I log certain ports via iptables.
>> And how would I match something like this in the log file?
>>
>> Connection on port 3000 from 191.12.33.100
>>
>> Regards
>> Willem Gerber
-- Avoid the Gates of Hell. Use Linux -- unknown source
Willem Gerber
[EMAIL PROTECTED]
Destiny Electronic Commerce (Pty) Ltd.
www.e-destiny.co.za
011 695 5500 phone
086 660 2933 fax
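The two rules quoted in the thread depend on two things the mail does not spell out: the firewall decoder must populate the srcip/port fields before `<srcip>` or `<srcport>` can match anything, and the frequency/timeframe counter is kept per source IP because of `<same_source_ip />`. The following is an added example, written for this page and not code from the thread or from the OSSEC project: a small Python model of those two behaviours, run over constructed iptables-style kernel log lines. Assumptions: the log lines are in the `SRC=... DST=... PROTO=... SPT=... DPT=...` format that OSSEC's iptables decoder reads, the "port 3000" a client connects to is the `DPT=` field (so the model matches on `dstport`, whereas Daniel's rule above uses `<srcport>`), and the threshold fires on the Nth event inside the window, which is a simplification of how the real engine counts.

```python
"""Model of OSSEC-style correlation rules run over constructed iptables log lines.

Illustrative code only, not OSSEC's engine: it implements the two behaviours the
thread's rules rely on (a per-source-IP frequency/timeframe threshold and a field
match) so the counting can be checked on sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Minimal stand-in for OSSEC's iptables decoder: pulls out the fields that rules
# refer to as srcip/dstip/proto/srcport/dstport. Assumption: the port a client
# "connects to" is the DPT= field of the kernel log line.
IPTABLES_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+)"
)


def decode(line):
    """Return a dict of decoded fields, or None if the line is not an iptables event."""
    m = IPTABLES_LINE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime's default (1900) is fine for deltas
    ev["time"] = datetime.strptime(re.sub(r" +", " ", ev.pop("ts")), "%b %d %H:%M:%S")
    return ev


class FrequencyRule:
    """Model of <rule frequency="N" timeframe="T"> with <same_source_ip />:
    alert when N events from one source IP fall inside a T-second window."""

    def __init__(self, rule_id, level, frequency, timeframe):
        self.rule_id, self.level = rule_id, level
        self.frequency, self.timeframe = frequency, timedelta(seconds=timeframe)
        self.windows = defaultdict(deque)  # srcip -> timestamps still inside the window

    def check(self, ev):
        q = self.windows[ev["srcip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > self.timeframe:
            q.popleft()  # drop events older than the timeframe
        if len(q) >= self.frequency:
            q.clear()  # one alert per burst, then start counting again
            return (self.rule_id, self.level, f"Multiple firewall events from {ev['srcip']}")
        return None


class MatchRule:
    """Model of a rule whose <srcip>/<dstport>/... children must all equal the event's fields."""

    def __init__(self, rule_id, level, description, **fields):
        self.rule_id, self.level, self.description = rule_id, level, description
        self.fields = fields

    def check(self, ev):
        if all(ev.get(k) == v for k, v in self.fields.items()):
            return (self.rule_id, self.level, self.description)
        return None


def run_rules(lines, rules):
    """Decode each line and return the list of alerts the rules produce, in order."""
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue  # not a firewall event; the real rule tree would route it elsewhere
        for rule in rules:
            hit = rule.check(ev)
            if hit:
                alerts.append(hit)
    return alerts


def sample_log():
    """Constructed iptables log (not real traffic): a 35-packet burst from one host to
    port 3000 within 34 seconds, plus a few unrelated events."""
    base = datetime(1900, 4, 3, 4, 27, 0)
    tmpl = ("Apr  3 {t} fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            "SRC={src} DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            "PROTO=TCP SPT={spt} DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")
    lines = [tmpl.format(t=(base + timedelta(seconds=i)).strftime("%H:%M:%S"),
                         src="191.12.33.100", spt=40000 + i, dpt=3000) for i in range(35)]
    lines.append(tmpl.format(t="04:27:10", src="203.0.113.9", spt=51000, dpt=22))
    lines.append(tmpl.format(t="04:27:20", src="203.0.113.9", spt=51001, dpt=3000))
    lines.append("Apr  3 04:27:21 fw sshd[123]: Accepted publickey for ops")  # not a firewall event
    return lines


# The two rules from the thread, as modelled here (dstport instead of srcport, see lead-in).
RULES = [
    FrequencyRule(100101, 10, frequency=30, timeframe=45),
    MatchRule(100102, 5, "Firewall event on port 3000 from 191.12.33.100",
              srcip="191.12.33.100", dstport="3000"),
]

if __name__ == "__main__":
    for alert in run_rules(sample_log(), RULES):
        print(alert)
```

Run stand-alone, the burst produces one level-10 alert from the frequency rule (on the 30th packet, well inside the 45-second window) and one level-5 alert per packet from the match rule; the other host never reaches the threshold and never matches the fixed srcip. For real rules the check is the same idea with the real engine: feed a captured line to `ossec-logtest` and confirm the decoder actually fills in srcip and the port field your rule names before tuning frequency and timeframe.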