Turns out that you need to have it set to be logged, so level 1 or higher, otherwise the if_matched_sid frequency will never fire. Seems like it's depending on the alert being logged in order to properly function.
On Jul 7, 10:19 am, Jeremy Lee <[email protected]> wrote:
> Thanks for the suggestion. I tried this out briefly and it doesn't seem to work. The rule that triggers is the upper but I never saw the lower trigger.
>
> On Thu, Jul 7, 2011 at 10:07 AM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
>> On 07/06/2011 08:15 PM, jplee3 wrote:
>>> One other question I have regarding frequency rules and hierarchy. We currently have two frequency rules setup to trigger against a parent rule where the difference is the frequencies - one is set to trigger when it sees the parent rule triggered 6 or more times in a minute. The other is set to trigger when it sees the parent rule triggered 12 or more times in 5 minutes. The problem is that the 12x in 5min rule never triggers. It seems that the 6x per minute rule supersedes it always. Is there a way to get the second "upper" threshold rule to trigger as well?
>>>
>>> I thought I read somewhere about something like this being implemented... like chaining frequency rules. Unfortunately, I don't recall where exactly I saw this. Maybe someone can refresh my memory and point me in the right direction?
>>
>> Might this work similar to how the active responses work? ie, put the higher trigger before the lower one. So if the 6x trigger is rule 10005 and the 12x is 10015, then flip the sids putting the 12x first.
>>
>>> TIA!
>>
>> --
>> ---------------------------
>> Jason 'XenoPhage' Frisvold
>> [email protected]
>> ---------------------------
>> "Any sufficiently advanced magic is indistinguishable from technology."
>> - Niven's Inverse of Clarke's Third Law
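As an added illustration (not from the thread) of the layout discussed above: the parent rule is kept at level 1 so it is logged and both if_matched_sid children can count it. The parent id 10001, the child levels and the `<match>` string are assumptions; the child ids 10005 and 10015 are the ones Jason used.

```xml
<group name="local,">
  <!-- Parent rule. Per Jeremy's finding, level="0" means the alert is never
       logged and neither frequency child below ever fires; level="1" (or
       higher) keeps it logged so the if_matched_sid counters can see it.
       The <match> string is a constructed placeholder for the real event. -->
  <rule id="10001" level="1">
    <match>constructed parent event</match>
    <description>Parent event (assumed example)</description>
  </rule>

  <!-- 6 or more parent alerts within 60 seconds (the "lower" threshold) -->
  <rule id="10005" level="8" frequency="6" timeframe="60">
    <if_matched_sid>10001</if_matched_sid>
    <description>Parent event seen 6+ times in one minute</description>
  </rule>

  <!-- 12 or more parent alerts within 300 seconds (the "upper" threshold) -->
  <rule id="10015" level="10" frequency="12" timeframe="300">
    <if_matched_sid>10001</if_matched_sid>
    <description>Parent event seen 12+ times in five minutes</description>
  </rule>
</group>
```

Dropping the parent back to level="0" reproduces the behaviour the thread describes, where the frequency children never trigger.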
