So I have an event that triggers for a custom decoder.
The decoder reads IPs written to a file.
<!-- base rule: matches every line handled by the iplog decoder -->
<rule id="100001" level="1">
  <decoded_as>iplog</decoded_as>
  <description>IPs</description>
  <group>ipaddy,</group>
</rule>

<!-- composite rule keyed on the group, so any rule in "ipaddy" counts -->
<rule id="100002" level="9" frequency="4" timeframe="300">
  <if_matched_group>ipaddy</if_matched_group>
  <same_source_ip />
  <description>Mult-Group ipaddy same IP - 6 in 5min</description>
  <group>ipaddy,reoccurring,</group>
</rule>

<!-- composite rules keyed on a single rule id -->
<rule id="100003" level="7" frequency="4" timeframe="300">
  <if_matched_sid>700001</if_matched_sid>
  <same_source_ip />
  <description>Multiple ipaddy same IP - 6 in 5min</description>
  <group>ipaddy,reoccurring,</group>
</rule>

<rule id="100005" level="8" frequency="9" timeframe="600">
  <if_matched_sid>700001</if_matched_sid>
  <same_source_ip />
  <description>Multiple ipaddy same IP - 12 in 10min</description>
  <group>ipaddy,reoccurring,</group>
</rule>
Basically, rule 100003 alerts when it should and 100005 does sometimes
too, but I don't trust 100005. 100002 never alerts.
I would expect 100002 to alert more often than the rest, but it never
alerts. Originally we wrote the rules 100003/5 but realized that when
we get the same IPs over multiple devices the rule doesn't flag
(hence the need for if_matched_group instead of if_matched_sid).
I've played with alert levels and it didn't seem to help. Any ideas?
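As an added illustration (not part of the original post, and not OSSEC's own engine), here is a small Python model of the two matching modes the post contrasts: a composite rule keyed on `if_matched_sid` only counts events from that one rule, while one keyed on `if_matched_group` counts events from every rule carrying the group, which is what lets the same IP seen through several devices add up. It assumes a simplified counter (fire once `frequency` qualifying events from the same source IP sit inside `timeframe` seconds) and a constructed second base rule id 700002 standing in for the other device's rule.

```python
from collections import deque

# Simplified composite rules, mirroring 100002 and 100003 from the post.
RULES = {
    100002: {"if_matched_group": "ipaddy", "frequency": 4, "timeframe": 300},
    100003: {"if_matched_sid": 700001, "frequency": 4, "timeframe": 300},
}

# Constructed events: (timestamp, source ip, base rule id that matched, its groups).
# 700002 is a made-up id for a second device's base rule that is also in "ipaddy".
SAMPLE_EVENTS = [
    (0,   "203.0.113.7", 700001, {"ipaddy"}),
    (60,  "203.0.113.7", 700002, {"ipaddy"}),
    (120, "203.0.113.7", 700001, {"ipaddy"}),
    (180, "203.0.113.7", 700002, {"ipaddy"}),
    (1000, "203.0.113.9", 700001, {"ipaddy"}),  # different IP, never reaches 4
]


def correlate(events, rules=RULES):
    """Return [(ts, rule_id, src_ip)] for each composite-rule firing.

    Assumption: a rule fires when its sliding window for (rule, source ip)
    holds `frequency` events within `timeframe` seconds; the window is then
    cleared. Real OSSEC counting differs in detail, this only shows the
    sid-vs-group difference.
    """
    windows = {}  # (rule_id, src_ip) -> deque of timestamps in the window
    fired = []
    for ts, ip, sid, groups in events:
        for rid, rule in rules.items():
            # if_matched_sid: only events produced by that exact rule count
            if "if_matched_sid" in rule and sid != rule["if_matched_sid"]:
                continue
            # if_matched_group: any event whose base rule carries the group counts
            if "if_matched_group" in rule and rule["if_matched_group"] not in groups:
                continue
            # same_source_ip: one window per (rule, ip)
            window = windows.setdefault((rid, ip), deque())
            window.append(ts)
            while window and ts - window[0] > rule["timeframe"]:
                window.popleft()  # drop events older than the timeframe
            if len(window) >= rule["frequency"]:
                fired.append((ts, rid, ip))
                window.clear()
    return fired


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

With the sample stream, only 100002 fires (at t=180 for 203.0.113.7): 100003 sees just two 700001 events for that IP, since the other two came in under 700002.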