Jo, The book "OSSEC HIDS Host-Based Intrusion Detection Guide" (good book, I highly recommend you get it) has an example on page 135 that may help you.
In this example they only want a high alert if three rules are seen together within a time period. So you can create a rule that looks for the different messages you need to correlate, such as

    <rule id="100123" level="3">
      <if_sid>xxxxx</if_sid>
      <id>yyyy|zzzz</id>
    </rule>

where xxxx is the id of the rule that watches your logs, and yyyy and zzzz are the IDs of log messages that you want to correlate. (You could use <match>, <regex> or any other tag type that's appropriate to identify the relevant log entries here.)

Then create a composite rule that looks for multiple occurrences of this new rule, such as

    <rule id="100555" level="10" frequency="3" timeframe="60">
      <if_matched_sid>100123</if_matched_sid>
      <same_source_ip/>
    </rule>

Now, if rule 100123 gets set off at least three times in one minute for the same IP, you'll trigger a level 10 alert.

This solution isn't foolproof. It doesn't take into account the order in which the log entries arrive. If the two events happen to occur farther apart than 60 seconds, it won't trigger an alert, etc. OSSEC was designed (mostly) to be stateless. The composite rule feature is about the only area where the system takes an event's context into account.

- Dave
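
An added illustration of the frequency/timeframe/same_source_ip behaviour Dave describes (not OSSEC's own code, and not part of his post): a toy correlator fed constructed log lines, showing that three base-rule hits from one IP within 60 seconds fire rule 100555, while hits spread 70 seconds apart never do. The line format, the stand-in for rule 100123 and the sliding-window reset are assumptions of this model, not OSSEC internals.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re

# Constructed log lines in an assumed "<epoch> <source ip> <message>" format.
LOG_LINES = [
    "1700000000 10.0.0.5 Failed password for root",
    "1700000020 10.0.0.5 Failed password for root",
    "1700000030 10.0.0.7 Accepted password for alice",  # no base-rule match
    "1700000040 10.0.0.5 Failed password for admin",    # 3rd hit for .5 in 40s
    "1700000050 10.0.0.7 Failed password for root",
    "1700000055 10.0.0.7 Failed password for root",     # only 2 hits for .7
    "1700000000 10.0.0.9 Failed password for root",
    "1700000070 10.0.0.9 Failed password for root",     # 70s apart: never 3
    "1700000140 10.0.0.9 Failed password for root",     #   inside one 60s window
]
LINE_RE = re.compile(r"^(\d+) (\S+) (.*)$")

def base_rule_100123(msg):
    """Stand-in (assumption) for rule 100123: sid when the message matches."""
    return 100123 if re.search(r"Failed password", msg) else None

@dataclass
class CompositeRule:
    rule_id: int
    level: int
    if_matched_sid: int   # <if_matched_sid>
    frequency: int        # frequency="..."
    timeframe: int        # timeframe="..." in seconds
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ts, sid, srcip):
        """Feed one base alert; return a fired composite alert or None."""
        if sid != self.if_matched_sid:
            return None
        win = self._seen[srcip]            # <same_source_ip/>: one window per IP
        win.append(ts)
        while win and ts - win[0] > self.timeframe:   # sliding window (assumed)
            win.popleft()
        if len(win) >= self.frequency:
            win.clear()                    # don't count the same events twice
            return {"rule": self.rule_id, "level": self.level, "srcip": srcip, "ts": ts}
        return None

def correlate(lines, rule):
    events = [(int(t), ip, m) for t, ip, m in (LINE_RE.match(l).groups() for l in lines)]
    fired = []
    for ts, ip, msg in sorted(events):     # process in time order
        alert = rule.feed(ts, base_rule_100123(msg), ip)
        if alert:
            fired.append(alert)
    return fired

if __name__ == "__main__":
    print(correlate(LOG_LINES, CompositeRule(100555, 10, 100123, 3, 60)))
```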
