What's rule 700001? I don't see anything wrong really, but I haven't played with the if_matched_ options much.
On Mon, Jul 11, 2011 at 3:47 PM, BP9906 <[email protected]> wrote:
> So I have an event that triggers for a custom decoder.
>
> Decoder reads IPs written to a file.
>
> <rule id="100001" level="1">
>   <decoded_as>iplog</decoded_as>
>   <description>IPs</description>
>   <group>ipaddy,</group>
> </rule>
>
> <rule id="100002" level="9" frequency="4" timeframe="300">
>   <if_matched_group>ipaddy</if_matched_group>
>   <same_source_ip />
>   <description>Mult-Group ipaddy same IP - 6 in 5min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
>
> <rule id="100003" level="7" frequency="4" timeframe="300">
>   <if_matched_sid>700001</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple ipaddy same IP - 6 in 5min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
>
> <rule id="100005" level="8" frequency="9" timeframe="600">
>   <if_matched_sid>700001</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple ipaddy same IP - 12 in 10min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
>
> Basically, Rule 100003 alerts when it should and 100005 does sometimes
> too, but I don't trust 100005. 100002 never alerts.
>
> I would expect 100002 to alert more often than the rest, but it never
> alerts. Originally we wrote the rules 100003/5 but realized that when
> we get the same IPs over multiple devices that the rule doesn't flag
> (hence the need for if_matched_group instead of if_matched_sid).
>
> I've played with alert levels and didn't seem to help. Any ideas?
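For readers arriving at this thread, the following is an added example of how a decoder and composite rules of the shape discussed above fit together in OSSEC. It is not part of either message and not OSSEC's shipped configuration. The point it illustrates: `<same_source_ip />` compares the decoded `srcip` field, so the decoder that feeds these rules must actually extract the address into `srcip` via `<order>`; a decoder that only matches the line and extracts no fields gives the composite rules nothing to compare, and `if_matched_group` / `if_matched_sid` rules with `<same_source_ip />` then never fire. The log format (`iplog: <address>`, constructed), the decoder body, and the choice of 100001 as the parent for the `if_matched_sid` rules are assumptions; rule 700001 from the original post is not shown there and is not defined here. OSSEC fires a frequency rule two occurrences above the `frequency` value, which is what the "6 in 5min" and "12 in 10min" descriptions reflect.

```xml
<!-- Added example, not from the thread. Assumptions: log lines look like
     "iplog: 203.0.113.7" (constructed format) and rule 100001 is the
     parent the if_matched_sid rules are meant to reference. -->

<!-- local_decoder.xml -->
<decoder name="iplog">
  <prematch>^iplog: </prematch>
  <!-- Pull the address out into srcip; same_source_ip compares this field.
       Without the <order>srcip</order> line nothing is decoded and the
       composite rules below have nothing to correlate on. -->
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<!-- local_rules.xml -->
<group name="local,iplog,">

  <!-- Base rule: one alert per decoded line. Level 1 keeps it in the alert
       stream so the composite rules can match on it. -->
  <rule id="100001" level="1">
    <decoded_as>iplog</decoded_as>
    <description>IPs</description>
    <group>ipaddy,</group>
  </rule>

  <!-- Composite rule keyed on the group, so alerts from any rule tagged
       "ipaddy" (e.g. the same address seen via several devices) count
       together. frequency="4" fires on the 6th occurrence in 300s.
       Deliberately NOT tagged "ipaddy" itself, so its own alerts do not
       feed back into the if_matched_group count. -->
  <rule id="100002" level="9" frequency="4" timeframe="300">
    <if_matched_group>ipaddy</if_matched_group>
    <same_source_ip />
    <description>Mult-Group ipaddy same IP - 6 in 5min</description>
    <group>reoccurring,</group>
  </rule>

  <!-- Same threshold keyed on the single base rule id (assumed 100001). -->
  <rule id="100003" level="7" frequency="4" timeframe="300">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Multiple ipaddy same IP - 6 in 5min</description>
    <group>reoccurring,</group>
  </rule>

  <!-- Higher threshold over a longer window: 12 occurrences in 600s. -->
  <rule id="100005" level="8" frequency="9" timeframe="600">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Multiple ipaddy same IP - 12 in 10min</description>
    <group>reoccurring,</group>
  </rule>

</group>
```

To check the decoder before trusting the composite rules, paste a line such as `iplog: 203.0.113.7` into `/var/ossec/bin/ossec-logtest`: the Phase 2 output should show `srcip` populated with the address, and repeating the same line six times within the window should then trip the frequency rules. The composite rules here are tagged only `reoccurring,` rather than `ipaddy,reoccurring,` as in the post; that is a design choice to keep the level 7-9 alerts from themselves counting toward the `if_matched_group` threshold, not a claim about why the poster's rule 100002 stayed silent.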
