I have the same issue. I have a custom decoder, and 2 composite (frequency/reoccurring) rules. The first composite rule matches properly, even when testing with ossec-logtest.

I'm trying to match the same IP for a lower bound threshold and an upper bound threshold. Example:

10 in 3 minutes
20 in 10 minutes

The 10 in 3 minutes flags properly (and I've considered the info you provided about how the counting actually works... set it to 8, so on the 10th time it actually alerts). If I test the event 20 times quickly, I end up with the 2 3min alerts and not 1 3min and 1 10min. (http://marc.info/?l=ossec-list&m=129736702512080&w=2)

With the above considered, I went as far as removing the 20 in 10 and using a group. I labeled the "10 in 3 minutes" as <group>3min</group>. Then created a rule that does <if_matched_group>3min</if_matched_group> (with <same_source_ip />) and that rule never flags either.

It seems as though OSSEC is very top down and once an event goes down a different path, it never continues for composite rules (atomic rules they do). I thought the group alerting would help or be an independent list, but it appears to not be. I tried adding the <if_group> with the <if_matched_group> because it seems there's a dependency there, but that didn't help. (<if_group>syslog</if_group>)

Any light you can shed on composite rule functions and group alerts would be beneficial to all.

Thank you!

On May 27, 6:45 am, Denis Gasparin <[email protected]> wrote:
> I tested with frequency=0. The alarm is triggered at the receipt of the
> second line but the email with the alarms contains only the last row and not
> the first (that with the error)... :-(
>
> Denis
>
> ----- Original message -----
>
> From: "Denis Gasparin" <[email protected]>
> To: [email protected]
> Cc: [email protected]
> Sent: Friday, 27 May 2011 15:33:44
> Subject: Re: [ossec-list] Help on composite rules
>
> From what I read, I should set frequency to 0 in order to get the alarm every
> 2 events. I'll try and let you know..
>
> The 1005001 fires.
>
> Thank you
> Denis
>
> On 27 May 2011, at 14:22, "dan (ddp)" <[email protected]> wrote:
>
> > Does 100501 fire?
> > It may be a "frequency" issue, take a look at the following thread, it
> > may be useful:
> > http://marc.info/?l=ossec-list&m=129736702512080&w=2
> >
> > On Thu, May 26, 2011 at 4:28 PM, Denis Gasparin
> > <[email protected]> wrote:
> >> Hi to all.
> >>
> >> We have a postgresql installation that writes two lines for every query
> >> error. For example after executing the query "select * from
> >> unexistant_table", the postgresql log file has the following two lines:
> >>
> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
> >>
> >> We need to send an alert for every query error with attached the relative
> >> "STATEMENT".
> >>
> >> Because our postgres log format is different from that bundled with ossec,
> >> we wrote our decoder and our rules.
> >>
> >> The decoder (edistar_pgsql) works fine. The rules work ok for single
> >> events.
> >> For sending the previous two lines within the same alert we created a
> >> composite rule with a very restricted timeframe, so the two events will be
> >> grouped together.
> >>
> >> Here are the relevant rules written so far:
> >>
> >> <group name="edistar_pgsql,">
> >>   <rule id="100500" level="0">
> >>     <decoded_as>edistar_postgresql</decoded_as>
> >>     <description>Edistar PostgreSQL messages grouped.</description>
> >>   </rule>
> >>
> >>   <rule id="100501" level="4">
> >>     <if_sid>100500</if_sid>
> >>     <status>ERROR|STATEMENT</status>
> >>     <description>PostgreSQL error message and relative statement.</description>
> >>     <group>pgsql_query_failures,</group>
> >>   </rule>
> >>
> >>   <rule id="100502" level="8" frequency="2" timeframe="1" ignore="0">
> >>     <if_matched_group>pgsql_query_failures</if_matched_group>
> >>     <description>PostgreSQL error message. Query attached.</description>
> >>   </rule>
> >> </group>
> >>
> >> The composite rule does not work as expected. In order to trigger it, two
> >> query errors must be generated in the timeframe, so the log would be:
> >>
> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
> >> May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
> >>
> >> In this case OSSEC would generate an alert with only two lines (the second
> >> and the third).
> >>
> >> Can you help me? Is there another way to get the correct result?
> >>
> >> Thank you in advance for your help,
> >> Denis
> >> Sent from iPad
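An added illustration of the counting behaviour the thread describes (not OSSEC's own code, and not from any poster): a sliding-window model where a composite rule fires once frequency + 2 events fall inside the timeframe, which is the documented OSSEC semantic that makes frequency=0 fire on the second line and frequency=8 fire on the tenth. The log lines are constructed copies of the PostgreSQL pair from the thread, and the decoder regex is an assumption about that format.

```python
import re
from collections import deque

# Constructed copies of the two-line PostgreSQL error/statement pattern from the thread.
SAMPLE_LOG = """\
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-17] user@ossec([local]) SELECT ERROR: relation "unexistant_table" does not exist
May 26 20:11:46 test_machine postgres: 22495[4dde97bd.57df-18] user@ossec([local]) SELECT STATEMENT: select * from unexistant_table;
"""

# Assumed field layout; the thread's custom decoder is not shown, so this is a stand-in.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postgres: (?P<pid>\d+)\[(?P<session>[^\]]+)\] '
    r'(?P<user>\S+) (?P<cmd>\S+) (?P<status>ERROR|STATEMENT): (?P<msg>.*)$')


def decode(line):
    """Return the decoded fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


class FrequencyRule:
    """Composite rule model: fires once (frequency + 2) matching events sit inside
    `timeframe` seconds, then clears its window so the count starts over.
    This mirrors the "set it to 8 to alert on the 10th" observation in the thread."""

    def __init__(self, frequency, timeframe):
        self.needed = frequency + 2
        self.timeframe = timeframe
        self.window = deque()  # (timestamp, event) pairs inside the current window

    def feed(self, t, event):
        """Add one event at time t; return the list of grouped events if the rule fires."""
        self.window.append((t, event))
        while self.window and t - self.window[0][0] > self.timeframe:
            self.window.popleft()  # drop events that aged out of the timeframe
        if len(self.window) >= self.needed:
            fired = [e for _, e in self.window]
            self.window.clear()
            return fired
        return None


def run(rule, timed_events):
    """Feed (t, event) pairs through a rule and collect every alert it raises."""
    alerts = []
    for t, ev in timed_events:
        fired = rule.feed(t, ev)
        if fired:
            alerts.append(fired)
    return alerts
```

With frequency=0 and timeframe=1 the ERROR and STATEMENT lines land in one alert together; 20 identical errors a second apart against the "10 in 3 minutes" rule (frequency=8, timeframe=180) produce exactly the two alerts the reply reports.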
