Anyone have any suggestions to make the composite rules not agent specific?
I get IP notifications from many servers and want to correlate them for occurrence.

On Jul 13, 8:27 am, BP9906 <[email protected]> wrote:
> Did some more investigation and it seems like the if_matched_group is
> still only agent dependent, meaning even after rule 100001 records in
> alerts.log 10+ times from 5 different agents, the alert doesn't flag
> until it's 6 times from the same agent (obviously with the same source
> ip). Seems like the logic in Ossec is broken.
>
> On Jul 11, 2:35 pm, BP9906 <[email protected]> wrote:
> > Here's the correct one:
> >
> > <rule id="100001" level="1">
> >   <decoded_as>iplog</decoded_as>
> >   <description>IPs</description>
> >   <group>ipaddy,</group>
> > </rule>
> >
> > <rule id="100002" level="9" frequency="4" timeframe="300">
> >   <if_matched_group>ipaddy</if_matched_group>
> >   <same_source_ip />
> >   <description>Mult-Group ipaddy same IP - 6 in 5min</description>
> >   <group>ipaddy,reoccurring,</group>
> > </rule>
> >
> > <rule id="100003" level="7" frequency="4" timeframe="300">
> >   <if_matched_sid>100001</if_matched_sid>
> >   <same_source_ip />
> >   <description>Multiple ipaddy same IP - 6 in 5min</description>
> >   <group>ipaddy,reoccurring,</group>
> > </rule>
> >
> > <rule id="100005" level="8" frequency="9" timeframe="600">
> >   <if_matched_sid>100001</if_matched_sid>
> >   <same_source_ip />
> >   <description>Multiple ipaddy same IP - 12 in 10min</description>
> >   <group>ipaddy,reoccurring,</group>
> > </rule>
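As an added illustration (not code from the thread or from OSSEC itself), a small Python correlator that replays constructed rule-100001 hits and compares a counter keyed on agent plus source IP, which is the behaviour described above, with one keyed on the source IP alone, so that hits from any agent count toward the same threshold. The 6-in-300s threshold mirrors rule 100002; agent names, timestamps and IPs are made up.

```python
from collections import defaultdict, deque

# Constructed sample of rule-100001 matches as they might land in alerts.log:
# (agent name, epoch seconds, source IP). Five agents each see the same IP
# a couple of times; no single agent reaches six hits on its own.
A, B = "203.0.113.9", "198.51.100.7"
EVENTS = [
    ("web1", 0, A), ("web2", 20, A), ("web3", 40, A), ("web4", 60, A), ("web5", 80, A),
    ("web1", 90, B),    # different source IP: must not count toward A's window
    ("web1", 100, A),   # 6th hit on A across all agents
    ("web2", 120, A), ("web3", 140, A), ("web4", 160, A), ("web5", 180, A),
]


def correlate(events, threshold=6, timeframe=300, per_agent=False):
    """Return [(timestamp, key), ...] for every firing of the composite rule.

    per_agent=True keys the sliding window on (agent, ip), the behaviour the
    thread observes. per_agent=False keys on the source IP only, so the same
    IP seen by several agents is counted together (the correlation wanted above).
    """
    windows = defaultdict(deque)   # key -> timestamps still inside the timeframe
    fired = []
    for agent, ts, ip in sorted(events, key=lambda e: e[1]):
        key = (agent, ip) if per_agent else (ip,)
        window = windows[key]
        window.append(ts)
        # drop hits older than the timeframe relative to the newest hit
        while window and ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= threshold:
            fired.append((ts, key))
            window.clear()   # start a fresh count after firing, as frequency rules do
    return fired


if __name__ == "__main__":
    print("per source IP :", correlate(EVENTS))
    print("per agent+IP  :", correlate(EVENTS, per_agent=True))
```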
