Try to increase the maximum number of events stored in memory. By default it is 1024 and for your case, you would need a much larger number (maybe 90k or something like that).
Just edit memory_size in the global config: <memory_size>90000</memory_size>

thanks,

On Thu, Jul 28, 2011 at 5:44 PM, jplee3 <[email protected]> wrote:
> Hi all,
>
> I was wondering if anyone has had a lot of experience using higher
> frequencies and broader timeframes, and if you have run into any
> "limitations"
>
> I currently have a rule setup to fire if there have been 1000 requests
> from the same source IP in a timeframe of 21600 seconds (6 hours).
> This is based on Apache logs (specifically GET requests) and we get
> quite a number of requests coming through from same IPs, so I know
> this should fire.
>
> Another thought is that we're constantly making changes to rules and
> restarting the OSSEC server throughout the day (at least between
> 8am-5pm), so I'm guessing, in the case that the 'counter' is reset on
> an OSSEC server restart, we'll never hit this threshold. However,
> there should never be any changes during the night, so I'm a bit
> puzzled as to why it wouldn't fire between 5pm-8am the next day. Guess
> I'll have to look into lowering the thresholds either way.
>
> Just curious if anyone else has been successful with using larger
> numbers for frequency and timeframe.
>
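To see why the size of the in-memory event buffer decides whether a 1000-in-21600-seconds rule can ever fire, here is a small simulation added to this thread (not OSSEC's code): it uses a simplified, assumed model of a bounded correlation buffer, and the traffic shape and addresses are constructed, while the 1000/21600 thresholds and the 1024 vs 90000 sizes come from the messages above.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not real logs): one heavy client sends a
# GET every 20 s for six hours (1,081 requests) while background clients
# send 1 request/s from 64 rotating addresses. Timestamps are seconds.
HEAVY_IP = "203.0.113.7"
TIMEFRAME = 21600   # 6 hours, as in the rule discussed in the thread
FREQUENCY = 1000    # same-source-IP hits required within TIMEFRAME

def sample_events():
    events = [(t, f"198.51.100.{t % 64}") for t in range(TIMEFRAME + 1)]
    events += [(t, HEAVY_IP) for t in range(0, TIMEFRAME + 1, 20)]
    events.sort(key=lambda e: e[0])          # stable sort by timestamp
    return events

def first_fire(events, memory_size, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Simplified model (an assumption, not OSSEC's implementation) of a
    bounded correlation buffer: only the newest `memory_size` events are
    kept, and the rule fires when `frequency` events from the same source
    IP lie within `timeframe` seconds of the newest one.
    Returns the timestamp of the first firing, or None if it never fires."""
    buffer = deque()                          # (ts, ip) in arrival order
    per_ip = defaultdict(deque)               # ip -> timestamps still buffered
    for ts, ip in events:
        if len(buffer) == memory_size:        # buffer full: evict oldest event
            _old_ts, old_ip = buffer.popleft()
            per_ip[old_ip].popleft()          # keep the per-IP view in sync
        buffer.append((ts, ip))
        per_ip[ip].append(ts)
        matches = 0
        for t in reversed(per_ip[ip]):        # newest first; stop once outside window
            if ts - t > timeframe:
                break
            matches += 1
        if matches >= frequency:
            return ts
    return None

def compare(memory_sizes=(1024, 90000)):
    """Run the same traffic through each buffer size; returns {size: fire_time}."""
    events = sample_events()
    return {m: first_fire(events, m) for m in memory_sizes}

if __name__ == "__main__":
    for size, fired in compare().items():
        status = f"fires at t={fired}s" if fired is not None else "never fires"
        print(f"memory_size={size}: {status}")
```

With 1024 slots the buffer only covers the last ~16 minutes of this traffic, so the heavy client never accumulates 1000 buffered hits; with 90000 slots every event of the six-hour window is retained and the rule fires on the 1000th request.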
