Hi,
I am attempting to write a suite of rules for Zimbra but have an issue with the
composite rules. Within my local_rules.xml I have:
<group name="zimbra,">
  <rule id="100100" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra Messages Grouped</description>
  </rule>

  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>account not found$</match>
    <description>Account Unknown</description>
    <group>account_unknown,zimbra_failures,</group>
  </rule>

  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>invalid password$</match>
    <description>Invalid Password</description>
    <group>invalid_password,</group>
  </rule>

  <rule id="100103" level="5">
    <if_sid>100100</if_sid>
    <match>preauth mismatch$</match>
    <description>Preauth Mismatch</description>
    <group>preauth_mismatch,zimbra_failures,</group>
  </rule>

  <!-- Composite rules -->
  <rule id="100110" level="8" frequency="5" timeframe="30">
    <if_matched_group>zimbra_failures</if_matched_group>
    <same_source_ip />
    <description>Zimbra Multiple Failures</description>
  </rule>
</group>
Individually they work fine; yet if I fire off 10 entries to the log file
for preauth mismatch, the composite rule does not alert. Is there something
glaringly wrong in my ruleset?
--
Thanks, Phil
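To reason about why a composite rule like 100110 can stay silent, here is an added Python model (not OSSEC code and not part of Phil's post) of what that rule needs before it can fire: a child match carrying the zimbra_failures group, a decoded source IP for same_source_ip to compare, and frequency such events from that IP inside timeframe seconds. The log lines, the ip= field and the exact sliding-window semantics are constructed assumptions for illustration, not OSSEC's implementation.

```python
import re
from collections import defaultdict, deque

# Constructed Zimbra-style lines: "<epoch> [ip=<srcip>] <message>".
# The ip= field stands in for whatever the zimbra decoder extracts as srcip;
# the seventh line deliberately has no ip= to show an undecoded event.
SAMPLE_LOG = """\
1357034401 ip=10.0.0.5 preauth mismatch
1357034403 ip=10.0.0.5 account not found
1357034405 ip=10.0.0.5 invalid password
1357034407 ip=10.0.0.5 preauth mismatch
1357034409 ip=10.0.0.5 preauth mismatch
1357034411 ip=10.0.0.5 preauth mismatch
1357034413 preauth mismatch
1357034450 ip=10.0.0.9 preauth mismatch
"""

# Child rules mirrored from the post: (match regex, groups it assigns).
# Note that 100102 ("invalid password") is not in zimbra_failures, so it
# never contributes to the composite rule.
CHILD_RULES = [
    (re.compile(r"account not found$"), {"account_unknown", "zimbra_failures"}),
    (re.compile(r"invalid password$"), {"invalid_password"}),
    (re.compile(r"preauth mismatch$"), {"preauth_mismatch", "zimbra_failures"}),
]
FREQUENCY, TIMEFRAME = 5, 30  # from rule 100110 in the post


def decode(line):
    """Toy decoder: returns (timestamp, srcip or None, message)."""
    m = re.match(r"(\d+) (?:ip=(\S+) )?(.*)$", line)
    ts, ip, msg = m.groups()
    return int(ts), ip, msg


def correlate(log_text):
    """Return [(timestamp, srcip)] at which the modelled composite rule fires."""
    windows = defaultdict(deque)  # srcip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, ip, msg = decode(line)
        groups = set()
        for rx, g in CHILD_RULES:
            if rx.search(msg):
                groups |= g
        if "zimbra_failures" not in groups or ip is None:
            continue  # wrong group, or no srcip for same_source_ip to compare
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > TIMEFRAME:
            q.popleft()  # drop failures older than the timeframe
        if len(q) >= FREQUENCY:
            alerts.append((ts, ip))
            q.clear()  # assumed: start a fresh window after firing
    return alerts
```

Running correlate(SAMPLE_LOG) fires once for 10.0.0.5 at the fifth zimbra_failures event; the "invalid password" line and the line with no decoded IP never count, which is the first thing to check when a frequency rule stays quiet.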