Hmm, so I stumbled across this thread: http://www.mail-archive.com/[email protected]/msg04619.html
And it sounds like at least one other person ran into the same issue. We had to enable a log level of 1 in order to get things working, as it seems a log level of 0 does not work in conjunction with frequency rules. I find this a bit odd still...

One other question I have regarding frequency rules and hierarchy. We currently have two frequency rules set up to trigger against a parent rule, where the difference is the frequencies: one is set to trigger when it sees the parent rule triggered 6 or more times in a minute. The other is set to trigger when it sees the parent rule triggered 12 or more times in 5 minutes. The problem is that the 12x in 5min rule never triggers. It seems that the 6x per minute rule always supersedes it. Is there a way to get the second "upper" threshold rule to trigger as well? I thought I read somewhere about something like this being implemented... like chaining frequency rules. Unfortunately, I don't recall where exactly I saw this. Maybe someone can refresh my memory and point me in the right direction?

TIA!

On Jul 5, 6:26 pm, Jason Frisvold <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Jul 5, 2011, at 2:36 PM, jplee3 wrote:
>
> > Hey guys,
> >
> > I thought that even if you specify an alert level of "0" for a rule,
> > you can still set up frequency rules to trigger - is this the case? We
> > want to cut down on noise a bit and are just looking for repetition of
> > IPs amidst the noise if at all.
>
> That would be my understanding as well. Set the level to 0 then have a
> compound rule that uses an if_matched_sid for the level 0 sid ..
>
> > TIA
> > Jeremy
>
> - ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> - ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - - Niven's Inverse of Clarke's Third Law
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
>
> iEYEARECAAYFAk4TudwACgkQ8CjzPZyTUTTbpACgi+o8vkMLeBNnuKLd7LIKNGOk
> XIYAoKGvSBW//Z0vcN3O2Ha0q0DjVzhp
> =DEIp
> -----END PGP SIGNATURE-----
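The rule layout the thread is discussing, written out as an added example rather than the poster's actual local_rules.xml: a quiet parent rule that counts a noisy event, and two composite rules built on `if_matched_sid` with different `frequency`/`timeframe` values. The parent is given level 1 rather than 0, matching what the poster reports was needed to make the frequency rules fire. The rule ids (100010-100013), the sshd "Failed password" match and the `same_source_ip` grouping are assumptions chosen for illustration; the `decoded_as`, `if_matched_sid`, `frequency`, `timeframe` and `same_source_ip` elements are standard OSSEC rule syntax. The last rule shows the "chaining" arrangement the poster half-remembers, counting the 1-minute rule's own sid instead of the parent's; the thread does not confirm that this resolves the problem of the 5-minute rule never firing, so treat it as a variant to test, not a verified fix.

```xml
<group name="local,syslog,sshd,">

  <!-- Parent rule: matches each noisy event once. Level 1 rather than 0,
       since the thread reports level 0 did not work with frequency rules.
       Rule ids >= 100000 are the conventional range for local rules. -->
  <rule id="100010" level="1">
    <decoded_as>sshd</decoded_as>
    <match>Failed password</match>
    <description>sshd: failed password (counted only, low noise)</description>
  </rule>

  <!-- Lower threshold: 6 or more parent matches from one source IP
       inside 60 seconds. -->
  <rule id="100011" level="8" frequency="6" timeframe="60">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>sshd: 6+ failed passwords from the same IP in 1 minute</description>
  </rule>

  <!-- Upper threshold as the poster configured it: 12 or more parent
       matches inside 300 seconds, counting the same parent sid. -->
  <rule id="100012" level="10" frequency="12" timeframe="300">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>sshd: 12+ failed passwords from the same IP in 5 minutes</description>
  </rule>

  <!-- Assumed "chained" variant: count the 1-minute rule's alerts instead
       of the parent's, so the 5-minute rule fires on repeated bursts
       (2 or more bursts from one IP in 5 minutes). Not confirmed by the
       thread; included only as an arrangement to test. -->
  <rule id="100013" level="10" frequency="2" timeframe="300">
    <if_matched_sid>100011</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated failed-password bursts from the same IP in 5 minutes</description>
  </rule>

</group>
```

To check which rules a sample log line actually reaches before deploying, feed it to `ossec-logtest` (shipped with OSSEC) and watch the rule id and level it reports; running the same line a dozen times in quick succession shows whether the composite rules fire in the expected order.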
