Actually, I came across this unanswered FAQ:
"Why does my frequency rule get triggered by 8 events when frequency
is set to 6"

And I'm wondering, if frequency rules are triggered by the 8th event
when the frequency is 6, would that mean the same ratio applies if my
frequency is set to 1000, or even 200? Using that logic, I should lower
the frequency to 750 if I really want to trigger on 1000 events, and to
150 if I want to trigger on 200 events.

Can anyone confirm or deny this?


On Jul 28, 1:44 pm, jplee3 <[email protected]> wrote:
> Hi all,
>
> I was wondering if anyone has had a lot of experience using higher
> frequencies and broader timeframes, and if you have run into any
> "limitations"
>
> I currently have a rule set up to fire if there have been 1000 requests
> from the same source IP in a timeframe of 21600 seconds (6 hours).
> This is based on Apache logs (specifically GET requests), and we get
> quite a number of requests coming through from the same IPs, so I know
> this should fire.
>
> Another thought is that we're constantly making changes to rules and
> restarting the OSSEC server throughout the day (at least between
> 8am-5pm), so I'm guessing, in the case that the 'counter' is reset on
> an OSSEC server restart, we'll never hit this threshold. However,
> there should never be any changes during the night, so I'm a bit
> puzzled as to why it wouldn't fire between 5pm-8am the next day. Guess
> I'll have to look into lowering the thresholds either way.
>
> Just curious if anyone else has been successful with using larger
> numbers for frequency and timeframe.

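The rule described in the quoted post (N GET requests from the same source IP inside a timeframe), modelled as a sliding-window counter over constructed Apache access-log lines. This is an added example written for this thread, not OSSEC's own counter code, so it says nothing about whether OSSEC fires on the Nth or the (N+2)th event; in this model the rule fires on exactly the Nth matching event, and the only way to settle the ratio question from the first post is to feed a known number of lines through your own OSSEC install (for instance via ossec-logtest) and see where it fires. The restart() method reproduces the quoted poster's guess that a server restart drops the in-memory count. The IP address, timestamps, URLs, thresholds and function names are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Minimal parser for Apache combined-log lines (constructed lines only; no real traffic).
APACHE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


class FrequencyRule:
    """Sliding-window model of a composite rule: fire once `frequency` matching
    events from the same source IP fall within `timeframe` seconds.
    Illustrative model for this thread, not OSSEC's implementation."""

    def __init__(self, frequency, timeframe, method="GET"):
        self.frequency = frequency
        self.timeframe = timeframe
        self.method = method
        self.windows = defaultdict(deque)  # srcip -> event timestamps (epoch seconds)

    def restart(self):
        # Models the poster's assumption: a server restart throws away all counters.
        self.windows.clear()

    def feed(self, line):
        """Return the offending source IP if this line makes the rule fire, else None."""
        m = APACHE_RE.match(line)
        if not m or m.group("method") != self.method:
            return None  # only the configured method (GET here) counts toward frequency
        now = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        ip = m.group("srcip")
        win = self.windows[ip]
        win.append(now)
        while win and now - win[0] > self.timeframe:
            win.popleft()  # drop events that fell outside the timeframe
        if len(win) >= self.frequency:
            win.clear()  # fire once per burst rather than on every following event
            return ip
        return None


def make_line(ip, epoch, method="GET", url="/index.html"):
    """Build one constructed Apache combined-log line at the given epoch second."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" 200 512 "-" "curl/7.0"'


def first_firing_event(frequency, timeframe, n_events, spacing,
                       restart_after=None, methods=("GET",),
                       ip="192.0.2.10", start=1280324640):
    """Generate n_events lines from one IP, `spacing` seconds apart, cycling through
    `methods`; return the 1-based index of the event on which the rule first fires,
    or None. restart_after=k clears all state after the k-th event."""
    rule = FrequencyRule(frequency, timeframe)
    for i in range(1, n_events + 1):
        if restart_after is not None and i == restart_after + 1:
            rule.restart()
        line = make_line(ip, start + (i - 1) * spacing, method=methods[(i - 1) % len(methods)])
        if rule.feed(line) == ip:
            return i
    return None


if __name__ == "__main__":
    print("frequency 6, 8 events 1s apart     ->", first_firing_event(6, 60, 8, 1))
    print("frequency 1000, 10s apart          ->", first_firing_event(1000, 21600, 1200, 10))
    print("frequency 1000, 30s apart          ->", first_firing_event(1000, 21600, 1200, 30))
    print("frequency 1000, restart after 500  ->", first_firing_event(1000, 21600, 1200, 10, restart_after=500))
    print("frequency 6, GET/POST alternating  ->", first_firing_event(6, 60, 20, 1, methods=("GET", "POST")))
```

The third and fourth runs show the two ways a large-frequency rule can silently never fire: 1000 events 30 s apart never coexist inside a 21600 s window (only about 721 do), and a restart halfway through a burst leaves fewer events than the threshold in the remaining window. Both are easy to mistake for the off-by-N behaviour the first post asks about, so check the window and restart timing before retuning the frequency value.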