Did some more investigation and it seems like the if_matched_group is still only agent-dependent, meaning even after rule 100001 records in alerts.log 10+ times from 5 different agents, the alert doesn't flag until it's 6 times from the same agent (obviously with the same source IP). Seems like the logic in OSSEC is broken.
On Jul 11, 2:35 pm, BP9906 <[email protected]> wrote:
> Here's the correct one:
>
> <rule id="100001" level="1">
>   <decoded_as>iplog</decoded_as>
>   <description>IPs</description>
>   <group>ipaddy,</group>
> </rule>
>
> <rule id="100002" level="9" frequency="4" timeframe="300">
>   <if_matched_group>ipaddy</if_matched_group>
>   <same_source_ip />
>   <description>Mult-Group ipaddy same IP - 6 in 5min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
>
> <rule id="100003" level="7" frequency="4" timeframe="300">
>   <if_matched_sid>100001</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple ipaddy same IP - 6 in 5min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
>
> <rule id="100005" level="8" frequency="9" timeframe="600">
>   <if_matched_sid>100001</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple ipaddy same IP - 12 in 10min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
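To make the observation above concrete, here is a small Python model of frequency/timeframe correlation. It is an added example, not OSSEC's own code: it counts matching events per correlation key inside a sliding timeframe, and lets you switch the key between (agent, source IP), which reproduces the per-agent behaviour described in the message, and source IP alone, which is what the poster expected from same_source_ip. The firing threshold is taken as frequency + 2, matching the "6 in 5min" labels next to frequency="4" in the quoted rules; the event fields, agent names and the 10.0.0.5 address are constructed sample data.

```python
"""Toy model of OSSEC-style frequency/timeframe correlation (not OSSEC code)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since some epoch (constructed sample data)
    agent: str   # reporting agent name
    srcip: str   # decoded source IP


class FrequencyRule:
    """Fires when `frequency + 2` events with the same key fall inside `timeframe`.

    per_agent=True  keys on (agent, srcip): the behaviour observed in the thread.
    per_agent=False keys on srcip only: what same_source_ip was expected to do.
    """

    def __init__(self, frequency, timeframe, per_agent=True):
        # Assumption: OSSEC fires on the (frequency + 2)th match, as the
        # quoted rule descriptions imply (frequency="4" -> "6 in 5min").
        self.threshold = frequency + 2
        self.timeframe = timeframe
        self.per_agent = per_agent
        self.windows = defaultdict(deque)  # key -> timestamps still in window

    def key(self, ev):
        return (ev.agent, ev.srcip) if self.per_agent else (ev.srcip,)

    def feed(self, ev):
        """Return True if this event makes the composite rule fire."""
        win = self.windows[self.key(ev)]
        win.append(ev.ts)
        # Drop matches older than the timeframe, oldest first.
        while win and ev.ts - win[0] > self.timeframe:
            win.popleft()
        if len(win) >= self.threshold:
            win.clear()  # start a fresh count after firing
            return True
        return False


def fired_at(events, per_agent, frequency=4, timeframe=300):
    """Timestamps at which rule 100002/100003 would fire for the given key."""
    rule = FrequencyRule(frequency, timeframe, per_agent)
    return [ev.ts for ev in events if rule.feed(ev)]


# Constructed sample: 10 hits on rule 100001 for one source IP, spread over
# 5 agents (two each), all inside five minutes.
MULTI_AGENT = [Event(ts=i * 10, agent=f"agent{i % 5 + 1}", srcip="10.0.0.5")
               for i in range(10)]

# Constructed sample: 6 hits from a single agent inside five minutes.
SINGLE_AGENT = [Event(ts=i * 10, agent="agent1", srcip="10.0.0.5")
                for i in range(6)]

# Constructed sample: 6 hits from one agent, but 100 s apart, so only four
# ever sit inside a 300 s window together.
SLOW_SINGLE_AGENT = [Event(ts=i * 100, agent="agent1", srcip="10.0.0.5")
                     for i in range(6)]

if __name__ == "__main__":
    print("5 agents, per-agent key :", fired_at(MULTI_AGENT, per_agent=True))
    print("5 agents, src-ip key    :", fired_at(MULTI_AGENT, per_agent=False))
    print("1 agent,  per-agent key :", fired_at(SINGLE_AGENT, per_agent=True))
    print("1 agent, spread out     :", fired_at(SLOW_SINGLE_AGENT, per_agent=True))
```

With the per-agent key the ten cross-agent hits never reach six for any one agent, so nothing fires; with the source-IP key the sixth hit (at ts=50) fires the rule. The third sample shows the same six hits from one agent firing as expected, and the fourth shows the timeframe pruning keeping a slow trickle from one agent below the threshold.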
