http://groups.google.com/group/ossec-list/browse_thread/thread/1fa288e494a7acc4#
The internal memory increase resolved the issue.

On Jul 18, 12:48 pm, BP9906 <[email protected]> wrote:
> I can confirm that by having the following rules, it works when
> testing using ossec-logtest but when I trigger the event manually on
> the systems with the agent, I get 3 of the same rule. Meaning Rule
> 100002 emails me 3 times, but Rule 100003 never alerts. But when I use
> Logtest 100003 alerts when it should.
>
> <rule id="100001" level="1" >
>   <decoded_as>iplog</decoded_as>
>   <description>IPs</description>
>   <group>ipaddy,</group>
> </rule>
>
> <rule id="100002" level="9" frequency="4" timeframe="300">
>   <if_matched_group>ipaddy</if_matched_group>
>   <same_source_ip />
>   <description>Mult-Group ipaddy same IP - 6 in 5min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
>
> <rule id="700003" level="11" frequency="16" timeframe="900">
>   <if_matched_group>ipaddy</if_matched_group>
>   <same_source_ip />
>   <description>Multiple ipaddy same IP - 18 in 15min</description>
>   <group>ipaddy,reoccurring,</group>
> </rule>
>
> On Jul 15, 11:18 am, BP9906 <[email protected]> wrote:
> > Anyone have any suggestions to make the composite rules not agent
> > specific?
> >
> > I get IP notifications from many servers and want to correlate them
> > for occurrence.
> >
> > On Jul 13, 8:27 am, BP9906 <[email protected]> wrote:
> > > Did some more investigation and it seems like the if_matched_group is
> > > still only agent dependent, meaning even after rule 100001 records in
> > > alerts.log 10+ times from 5 different agents, the alert doesn't flag
> > > until it's 6 times from the same agent (obviously with the same source
> > > ip). Seems like the logic in Ossec is broken.
> > >
> > > On Jul 11, 2:35 pm, BP9906 <[email protected]> wrote:
> > > > Here's the correct one:
> > > >
> > > > <rule id="100001" level="1" >
> > > >   <decoded_as>iplog</decoded_as>
> > > >   <description>IPs</description>
> > > >   <group>ipaddy,</group>
> > > > </rule>
> > > >
> > > > <rule id="100002" level="9" frequency="4" timeframe="300">
> > > >   <if_matched_group>ipaddy</if_matched_group>
> > > >   <same_source_ip />
> > > >   <description>Mult-Group ipaddy same IP - 6 in 5min</description>
> > > >   <group>ipaddy,reoccurring,</group>
> > > > </rule>
> > > >
> > > > <rule id="100003" level="7" frequency="4" timeframe="300">
> > > >   <if_matched_sid>100001</if_matched_sid>
> > > >   <same_source_ip />
> > > >   <description>Multiple ipaddy same IP - 6 in 5min</description>
> > > >   <group>ipaddy,reoccurring,</group>
> > > > </rule>
> > > >
> > > > <rule id="100005" level="8" frequency="9" timeframe="600">
> > > >   <if_matched_sid>100001</if_matched_sid>
> > > >   <same_source_ip />
> > > >   <description>Multiple ipaddy same IP - 12 in 10min</description>
> > > >   <group>ipaddy,reoccurring,</group>
> > > > </rule>
