Hello,

I think ignore specifies the time after the alert fires during which a repeat of the alert will not fire. So for this rule, after 5712 fires it will not fire again (for the same IP I believe) for 60 seconds. This is designed to prevent flooding.

Justin C. Klein Keane
Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania School of Arts and Sciences
3600 Market St. Room 520 Philadelphia, PA 19104
215.898.0236(p) 215.573.3166(f)

The digital signature on this e-mail can be confirmed using the public key at https://www.sas.upenn.edu/computing/user/3.

On 07/06/2010 10:32 PM, Tim Nicholas wrote:
> Hi,
>
> I'm new to ossec and I'm wondering where I should be looking to get information
> on rule syntax and options. For example, I don't know what the 'ignore' part of
> '<rule id="5712" level="10" frequency="6" timeframe="120" ignore="60"> <rule id=... ignore="60">' actually does.
>
> I've tried to find it on the website and wiki but I can't find anything.
>
> Cheers,
> Tim
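
A small model of the behaviour described in the reply, added here as an example; it is not part of the thread and not OSSEC's own code. It assumes the rule fires once `frequency` matches from one source IP fall inside `timeframe` seconds and that the `ignore` period is tracked per source IP, as the reply suggests; the real engine's counting and suppression key may differ, and the function name and sample events are constructed.

```python
from collections import defaultdict, deque

# Attribute values from the rule quoted in the thread (id 5712).
FREQUENCY, TIMEFRAME, IGNORE = 6, 120, 60

def simulate(events, frequency=FREQUENCY, timeframe=TIMEFRAME, ignore=IGNORE):
    """Return [(timestamp, srcip), ...] for every alert the model fires.

    events: iterable of (timestamp_seconds, srcip), sorted by time.
    Assumed model (not OSSEC's code): fire when `frequency` matches from one
    srcip fall within `timeframe` seconds, then stay silent for that srcip
    for `ignore` seconds.
    """
    recent = defaultdict(deque)   # srcip -> timestamps inside the window
    last_fired = {}               # srcip -> time of the last alert
    alerts = []
    for ts, ip in events:
        window = recent[ip]
        window.append(ts)
        # Drop matches that have aged out of the correlation window.
        while window and ts - window[0] > timeframe:
            window.popleft()
        if len(window) < frequency:
            continue
        # Threshold met: suppress if still inside the ignore period.
        if ip in last_fired and ts - last_fired[ip] < ignore:
            continue
        last_fired[ip] = ts
        alerts.append((ts, ip))
    return alerts

# Constructed input: one matching event every 5 s for 100 s from one
# address (documentation range), plus a second address below threshold.
SAMPLE = sorted(
    [(t, "192.0.2.10") for t in range(0, 100, 5)]
    + [(t, "198.51.100.7") for t in (3, 50, 90)]
)

if __name__ == "__main__":
    for ts, ip in simulate(SAMPLE):
        print(f"t={ts:>3}s alert 5712 srcip={ip}")
    print("without ignore:", len(simulate(SAMPLE, ignore=0)), "alerts")
```

With `ignore=0` the same event stream produces an alert on every match once the threshold is reached, which is the flooding the attribute is meant to prevent.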
