Hi all, I was wondering if anyone has had a lot of experience using higher frequencies and broader timeframes, and if you have run into any "limitations".
I currently have a rule set up to fire if there have been 1000 requests from the same source IP in a timeframe of 21600 seconds (6 hours). This is based on Apache logs (specifically GET requests), and we get quite a number of requests coming through from the same IPs, so I know this should fire. Another thought is that we're constantly making changes to rules and restarting the OSSEC server throughout the day (at least between 8am and 5pm), so I'm guessing that, in the case that the 'counter' is reset on an OSSEC server restart, we'll never hit this threshold. However, there should never be any changes during the night, so I'm a bit puzzled as to why it wouldn't fire between 5pm and 8am the next day. Guess I'll have to look into lowering the thresholds either way. Just curious if anyone else has been successful with using larger numbers for frequency and timeframe.
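For reference, this is how the rule described above would look in an OSSEC local_rules.xml (an added example, not the poster's actual rule); it assumes the stock web_rules.xml grouping rule 31100 for Apache access logs, and the local rule ids 100100/100101 are arbitrary.

```xml
<!-- local_rules.xml: two-stage rule for the setup described in the post -->
<group name="local,apache,">

  <!-- Feeder rule: child of the stock access-log grouping rule (sid 31100).
       Matches Apache access-log lines for GET requests; level 0 means it
       never alerts by itself and only feeds the counting rule below. -->
  <rule id="100100" level="0">
    <if_sid>31100</if_sid>
    <match>"GET </match>
    <description>Apache GET request (feeder rule, not alerted).</description>
  </rule>

  <!-- Counting rule: fires once 1000 matches of 100100 from the same source
       IP are seen within 21600 s (6 h). The OSSEC docs note the rule actually
       triggers on frequency + 2 matches. The match counter is kept in
       ossec-analysisd memory, so it starts from zero on every server restart. -->
  <rule id="100101" level="10" frequency="1000" timeframe="21600">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>High volume of GET requests from a single source IP.</description>
  </rule>

</group>
```

To confirm the feeder stage matches at all, run a sample access-log line through ossec-logtest and check that sid 100100 is reported before looking at the threshold.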
