I can confirm that with the following rules it works when testing with
ossec-logtest, but when I trigger the event manually on the systems with
the agent, I get 3 alerts for the same rule: rule 100002 emails me 3
times, but rule 100003 never alerts. When I use logtest, 100003 alerts
when it should.
<group name="local,">
  <!-- local_rules.xml: OSSEC only loads rules that sit inside a <group> element -->
  <rule id="100001" level="1">
    <decoded_as>iplog</decoded_as>
    <description>IPs</description>
    <group>ipaddy,</group>
  </rule>

  <rule id="100002" level="9" frequency="4" timeframe="300">
    <if_matched_group>ipaddy</if_matched_group>
    <same_source_ip />
    <description>Mult-Group ipaddy same IP - 6 in 5min</description>
    <group>ipaddy,reoccurring,</group>
  </rule>

  <rule id="700003" level="11" frequency="16" timeframe="900">
    <if_matched_group>ipaddy</if_matched_group>
    <same_source_ip />
    <description>Multiple ipaddy same IP - 18 in 15min</description>
    <group>ipaddy,reoccurring,</group>
  </rule>
</group>
On Jul 15, 11:18 am, BP9906 <[email protected]> wrote:
> Anyone have any suggestions to make the composite rules not agent
> specific?
>
> I get IP notifications from many servers and want to correlate them
> for occurrence.
>
> On Jul 13, 8:27 am, BP9906 <[email protected]> wrote:
>
> > Did some more investigation and it seems like the if_matched_group is
> > still only agent dependent, meaning even after rule 100001 records in
> > alerts.log 10+ times from 5 different agents, the alert doesn't flag
> > until it's 6 times from the same agent (obviously with the same source
> > IP). Seems like the logic in OSSEC is broken.
>
> > On Jul 11, 2:35 pm, BP9906 <[email protected]> wrote:
>
> > > Here's the correct one:
>
> > > <rule id="100001" level="1" >
> > > <decoded_as>iplog</decoded_as>
> > > <description>IPs</description>
> > > <group>ipaddy,</group>
> > > </rule>
>
> > > <rule id="100002" level="9" frequency="4" timeframe="300">
> > > <if_matched_group>ipaddy</if_matched_group>
> > > <same_source_ip />
> > > <description>Mult-Group ipaddy same IP - 6 in 5min</description>
> > > <group>ipaddy,reoccurring,</group>
> > > </rule>
>
> > > <rule id="100003" level="7" frequency="4" timeframe="300">
> > > <if_matched_sid>100001</if_matched_sid>
> > > <same_source_ip />
> > > <description>Multiple ipaddy same IP - 6 in 5min</description>
> > > <group>ipaddy,reoccurring,</group>
> > > </rule>
>
> > > <rule id="100005" level="8" frequency="9" timeframe="600">
> > > <if_matched_sid>100001</if_matched_sid>
> > > <same_source_ip />
> > > <description>Multiple ipaddy same IP - 12 in 10min</description>
> > > <group>ipaddy,reoccurring,</group>
> > > </rule>
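The two behaviours this thread circles around, correlation being keyed per agent rather than across agents, and the lower-level rule 100003 never firing while 100002 with the identical condition does, are easier to reason about with a small model in front of you. The Python below is an added example, not OSSEC's code and not posted by anyone in the thread. It deliberately simplifies: a composite rule's condition is taken as "at least `frequency` base-rule matches inside `timeframe` seconds" (OSSEC's real counter offset, the reason frequency 4 is described as "6 in 5min", is not reproduced), when several composite rules are satisfied by the same event the highest level wins (OSSEC's documented behaviour when more than one rule matches), and an alert is assumed to consume the events it counted. The agent names, timestamps and the 203.0.113.5 source address are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added, simplified model of OSSEC composite-rule evaluation (not OSSEC's code).
# Model assumptions: a composite rule is met once at least `frequency` base-rule
# matches fall inside `timeframe` seconds (OSSEC's real counter offset is not
# reproduced); when several composite rules are met by one event the highest
# level wins; an alert clears the window it consumed.

BASE_RULE_ID = 100001   # the level-1 rule every decoded iplog event matches


@dataclass(frozen=True)
class Event:
    ts: int       # seconds
    agent: str    # OSSEC agent that reported the line
    srcip: str    # decoded source IP, the field <same_source_ip /> groups on


@dataclass(frozen=True)
class CompositeRule:
    rule_id: int
    level: int
    frequency: int
    timeframe: int   # seconds


def correlate(events, rules, per_agent=True):
    """Return the rule id each event ends up alerting as, in input order.

    per_agent=True keys the window on (agent, srcip): the behaviour the thread
    reports seeing. per_agent=False keys it on srcip alone: the cross-agent
    correlation the poster was after.
    """
    by_level = sorted(rules, key=lambda r: r.level, reverse=True)
    windows = defaultdict(list)      # key -> timestamps of base-rule matches
    assigned = []
    for ev in events:
        key = (ev.agent if per_agent else "*", ev.srcip)
        windows[key].append(ev.ts)
        fired = BASE_RULE_ID
        for rule in by_level:        # highest level first: the first rule met wins
            recent = [t for t in windows[key] if ev.ts - t <= rule.timeframe]
            if len(recent) >= rule.frequency:
                fired = rule.rule_id
                windows[key] = []    # model assumption: the alert consumes the window
                break
        assigned.append(fired)
    return assigned


# The 11 Jul ruleset from the thread without the frequency-9 rule: 100002 and
# 100003 have identical conditions and differ only in level.
RULES = [
    CompositeRule(rule_id=100002, level=9, frequency=4, timeframe=300),
    CompositeRule(rule_id=100003, level=7, frequency=4, timeframe=300),
]

SRC = "203.0.113.5"   # constructed sample source IP (TEST-NET-3 documentation range)


def spread_across_agents():
    """Two reports each from five agents inside 90 s: the production case."""
    events = [Event(ts=10 * i, agent=f"agent{i % 5}", srcip=SRC) for i in range(10)]
    return (correlate(events, RULES, per_agent=True),
            correlate(events, RULES, per_agent=False))


def from_one_agent():
    """All ten reports from a single agent: the case ossec-logtest exercises."""
    events = [Event(ts=10 * i, agent="agent0", srcip=SRC) for i in range(10)]
    return correlate(events, RULES, per_agent=True)


if __name__ == "__main__":
    per_agent, shared = spread_across_agents()
    print("5 agents, per-agent window :", sorted(set(per_agent)))
    print("5 agents, shared window    :", sorted(set(shared)))
    print("1 agent,  per-agent window :", sorted(set(from_one_agent())))
```

With the window keyed per agent, ten reports of one IP spread over five agents never reach the threshold, which is exactly the "10+ times from 5 different agents" observation; with a shared window the same stream alerts. In both alerting runs only 100002 ever appears: whenever its condition is met, 100003's is met by the same event, the higher level is chosen, and the window is gone before 100003 gets a turn. ossec-logtest reads every line from one stdin stream, so it only ever shows you the single-agent column of this comparison, which is why the two tools disagree.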