http://groups.google.com/group/ossec-list/browse_thread/thread/1fa288e494a7acc4#

The internal memory increase resolved the issue.

On Jul 18, 12:48 pm, BP9906 <[email protected]> wrote:
> I can confirm that by having the following rules, it works when
> testing using ossec-logtest but when I trigger the event manually on
> the systems with the agent, I get 3 of the same rule. Meaning Rule
> 100002 emails me 3 times, but Rule 100003 never alerts. But when I use
> Logtest 100003 alerts when it should.
>
>   <rule id="100001" level="1" >
>     <decoded_as>iplog</decoded_as>
>     <description>IPs</description>
>     <group>ipaddy,</group>
>   </rule>
>
>   <rule id="100002" level="9" frequency="4" timeframe="300">
>     <if_matched_group>ipaddy</if_matched_group>
>     <same_source_ip />
>     <description>Mult-Group ipaddy same IP - 6 in 5min</description>
>     <group>ipaddy,reoccurring,</group>
>   </rule>
>
>   <rule id="700003" level="11" frequency="16" timeframe="900">
>     <if_matched_group>ipaddy</if_matched_group>
>     <same_source_ip />
>     <description>Multiple ipaddy same IP - 18 in 15min</description>
>     <group>ipaddy,reoccurring,</group>
>   </rule>
>
> On Jul 15, 11:18 am, BP9906 <[email protected]> wrote:
>
> > Anyone have any suggestions to make the composite rules not agent
> > specific?
>
> > I get IP notifications from many servers and want to correlate them
> > for occurrence.
>
> > On Jul 13, 8:27 am, BP9906 <[email protected]> wrote:
>
> > > Did some more investigation and it seems like the if_matched_group is
> > > still only agent dependent, meaning even after rule 100001 records in
> > > alerts.log 10+ times from 5 different agents, the alert doesn't flag
> > > until it's 6 times from the same agent (obviously with the same source
> > > ip). Seems like the logic in OSSEC is broken.
>
> > > On Jul 11, 2:35 pm, BP9906 <[email protected]> wrote:
>
> > > > Here's the correct one:
>
> > > >   <rule id="100001" level="1" >
> > > >     <decoded_as>iplog</decoded_as>
> > > >     <description>IPs</description>
> > > >     <group>ipaddy,</group>
> > > >   </rule>
>
> > > >   <rule id="100002" level="9" frequency="4" timeframe="300">
> > > >     <if_matched_group>ipaddy</if_matched_group>
> > > >     <same_source_ip />
> > > >     <description>Mult-Group ipaddy same IP - 6 in 5min</description>
> > > >     <group>ipaddy,reoccurring,</group>
> > > >   </rule>
>
> > > >   <rule id="100003" level="7" frequency="4" timeframe="300">
> > > >     <if_matched_sid>100001</if_matched_sid>
> > > >     <same_source_ip />
> > > >     <description>Multiple ipaddy same IP - 6 in 5min</description>
> > > >     <group>ipaddy,reoccurring,</group>
> > > >   </rule>
>
> > > >   <rule id="100005" level="8" frequency="9" timeframe="600">
> > > >     <if_matched_sid>100001</if_matched_sid>
> > > >     <same_source_ip />
> > > >     <description>Multiple ipaddy same IP - 12 in 10min</description>
> > > >     <group>ipaddy,reoccurring,</group>
> > > >   </rule>

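The behaviour the thread describes (a frequency/timeframe rule keyed per agent never reaching its threshold when the same source IP is reported by several agents) can be reproduced with a small model of how composite rules count matches. The script below is an added example, not OSSEC's analysisd code: it parses the poster's rule set (wrapped in a `<rules>` root, which is a constructed convenience, since real rule files use `<group>` roots), then runs a sliding-window counter over a constructed stream of ten `iplog` matches for one source IP spread across five agents. Two things are assumptions: that a composite rule fires after `frequency + 2` matches, which is what the poster's own descriptions ("6 in 5min" for `frequency="4"`) imply, and that the window key either includes the agent (`per_agent=True`, the behaviour observed in the thread) or does not (`per_agent=False`, the cross-agent correlation the poster wanted).

```python
"""Model of OSSEC-style composite rule correlation (added example, not OSSEC code)."""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed sample: the poster's rules wrapped in a <rules> root so ElementTree
# can parse them (real OSSEC rule files use <group> roots instead).
RULES_XML = """<rules>
  <rule id="100001" level="1">
    <decoded_as>iplog</decoded_as>
    <description>IPs</description>
    <group>ipaddy,</group>
  </rule>
  <rule id="100002" level="9" frequency="4" timeframe="300">
    <if_matched_group>ipaddy</if_matched_group>
    <same_source_ip />
    <description>Mult-Group ipaddy same IP - 6 in 5min</description>
    <group>ipaddy,reoccurring,</group>
  </rule>
  <rule id="100003" level="7" frequency="4" timeframe="300">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Multiple ipaddy same IP - 6 in 5min</description>
    <group>ipaddy,reoccurring,</group>
  </rule>
</rules>"""

# Assumption: a frequency rule fires after frequency + 2 matches, which is the
# convention the poster's descriptions follow ("6 in 5min" for frequency="4").
FREQUENCY_OFFSET = 2


def load_rules(xml_text):
    """Parse every <rule> element into a plain dict, keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rid = int(r.get("id"))
        sid = r.findtext("if_matched_sid")
        rules[rid] = {
            "id": rid,
            "level": int(r.get("level")),
            "frequency": int(r.get("frequency", "0")),
            "timeframe": int(r.get("timeframe", "0")),
            "if_matched_sid": int(sid) if sid else None,
            "if_matched_group": r.findtext("if_matched_group"),
            "same_source_ip": r.find("same_source_ip") is not None,
            "groups": [g for g in (r.findtext("group") or "").split(",") if g],
        }
    return rules


class Correlator:
    """Sliding-window match counter for composite rules.

    per_agent=True keys each window on (rule, source ip, agent), the
    agent-bound behaviour observed in the thread; per_agent=False keys it
    on (rule, source ip) only, so matches from any agent count together.
    """

    def __init__(self, rules, per_agent):
        self.rules = rules
        self.per_agent = per_agent
        self.windows = defaultdict(deque)  # key -> timestamps of recent matches

    def _children(self, base_id):
        """Composite rules whose if_matched_sid / if_matched_group cover base_id."""
        base = self.rules[base_id]
        for r in self.rules.values():
            if r["frequency"] == 0:
                continue
            if r["if_matched_sid"] == base_id or r["if_matched_group"] in base["groups"]:
                yield r

    def feed(self, ts, agent, srcip, base_id=100001):
        """Record one match of base_id; return the composite rule ids that fire."""
        fired = []
        for r in self._children(base_id):
            key = (r["id"], srcip if r["same_source_ip"] else None,
                   agent if self.per_agent else None)
            win = self.windows[key]
            win.append(ts)
            while win and ts - win[0] > r["timeframe"]:  # drop matches outside timeframe
                win.popleft()
            if len(win) >= r["frequency"] + FREQUENCY_OFFSET:
                fired.append(r["id"])
                win.clear()  # start a fresh window after firing
        return fired


def simulate(per_agent, rules=None):
    """Ten matches for one source ip, 20 s apart, round-robin over five agents."""
    corr = Correlator(rules or load_rules(RULES_XML), per_agent)
    # Constructed event stream: (timestamp, agent, source ip)
    events = [(i * 20, f"agent-{i % 5}", "203.0.113.7") for i in range(10)]
    alerts = []
    for ts, agent, ip in events:
        for rid in corr.feed(ts, agent, ip):
            alerts.append((ts, rid))
    return alerts


if __name__ == "__main__":
    print("per-agent windows:", simulate(per_agent=True))   # no alerts: 2 matches per agent
    print("global windows:   ", simulate(per_agent=False))  # 100002 and 100003 fire at the 6th match
```

With agent-keyed windows each of the five agents only ever accumulates two matches, so neither 100002 nor 100003 reaches the six-match threshold; with the window keyed on source IP alone both fire on the sixth event. Whether OSSEC actually keys its frequency windows this way is exactly the question the thread raises, so treat the model as a way to check what you expect a rule set to do, and confirm the real behaviour by feeding alerts from several agents through the manager rather than through ossec-logtest, which only ever sees one event stream.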