----- Original Message -----
> Never mind.... I don't know what happened. There must have been a small
> typo somewhere. I was trying to get this working with Active Response
> and nothing would work. I at least got 5720 to trigger first and then
> ended up re-writing the AR in ossec.conf and testing with another rule
> to make sure AR was working in general. Things appear to work,
> although I haven't tested the 3 or 4 other rules I set up with AR yet.
> Arg.
>
> On Feb 22, 2:42 pm, jplee3 <[email protected]> wrote:
> > Has anybody done much testing with the frequency and timeframe
> > parameters in various rulesets?
> >
> > I'm trying to get it to work with SSH logins and am having issues.
> >
> > This is in reference to alerts 5712 and 5720 specifically.
> >
> > The SSH server I'm testing this on is pretty busy - I noticed that the
> > rules don't fire very frequently, say, if I set the frequency to 3 or 4
> > and the timeframe to 120. I am definitely failing 3-4 times within the
> > 120 seconds but the alerts are not triggering.
> >
> > I currently have this set up in server-agent mode and previously had it
> > working in local mode.
> >
> > Is there a limitation that the same message must be repeated 3-4 (or
> > whatever I set the freq to) times in subsequent order and without
> > 'interruption' (i.e. other messages popping up in between) in order to
> > trigger? I noticed that if I fired off 4 quick logon failures I was
> > able to get 5720 to fire. But I haven't been able to get it to fire
> > again thus far. There are a lot of other messages that pop up in
> > between. I would assume this shouldn't affect the alert though.
> >
> > Has anybody else tried/tested this or have it working in similar
> > circumstances?
> >
> > TIA
>
Have a read of my post about overriding a default rule, as I am having issues with timeframe and frequency.

--
Thanks,
Phil
