Here's some more useful information about frequency:
http://marc.info/?l=ossec-list&m=129736702512080&w=2

On Tue, Feb 22, 2011 at 5:42 PM, jplee3 <[email protected]> wrote:
> Has anybody done much testing with the frequency and timeframe
> parameters in various rulesets?
>
> I'm trying to get it to work with SSH logins and am having issues.
>
> This is in reference to alerts 5712 and 5720 specifically.
>
> The SSH server I'm testing this on is pretty busy - I noticed that the
> rules don't fire very frequently say if I set the frequency to 3 or 4
> and the timeframe to 120. I am definitely failing 3-4 times within the
> 120 seconds but the alerts are not triggering.
>
> I currently have this set up in server-agent mode and previously had it
> working in local mode.
>
> Is there a limitation that the same message must be repeated 3-4 (or
> whatever I set the freq to) times in subsequent order and without
> 'interruption' (i.e. other messages popping up in between) in order to
> trigger? I noticed that if I fired off 4 quick logon failures I was
> able to get 5720 to fire. But I haven't been able to get it to fire
> again thus far. There are a lot of other messages that pop up in
> between. I would assume this shouldn't affect the alert though.
>
> Has anybody else tried/tested this or have it working in similar
> circumstances?
>
>
> TIA
