On 28.11.2011 21:01, dan (ddp) wrote:
> There isn't really a way at the moment. It's a problem I'm interested in,
> and I'm slowly coming up with a plan.
>
> I'm open to ideas if anyone has a good one.
May not be a good one, but I'm thinking of something like:

  <rule id="1" level="7">
    <if_sid>...</if_sid>
    <match>something</match>
    <description>something found</description>
  </rule>

  <rule id="2" level="5" frequency="1" timeframe="300" frequency_interval="60">
    <reset_if_matched_sid>1</reset_if_matched_sid>
    <same_source_ip/>
    <description>"something" missed for the last 300s</description>
  </rule>

The frequency of rule 2 will be increased by 1 every "frequency_interval" seconds. If it has "frequency" hits in "timeframe" seconds, it will fire. Rule 1 is a standard rule and will reset the "frequency" of the specified rule if it fires. reset_if_matched_sid is just an example; there should also be reset_if_matched_group, etc.

I don't know if OSSEC already has an internal timer routine which could be used for incrementing "frequency" based on "frequency_interval"; I admit I haven't looked at the code in detail yet. But maybe the whole idea is stupid and has flaws I'm not aware of.

Aside from that: is there a reason why frequency must actually be +2 to fire (frequency = 2 requires 4 hits)? The lowest possible value is 1, which means the rule needs 3 hits to fire. What if I want only 2 hits?

Regards,
-ap
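To make the proposed "missing event" rule concrete, the following is an added simulation of its semantics as I read them. It is illustration code written for this page, not OSSEC source and not code from the thread; the class and function names (AbsenceDetector, simulate, sample_events), the 10.0.0.x hosts and the heartbeat lines are all constructed here. Rule 1 is reduced to a substring match; rule 2 is modelled as a per-source counter that a timer routine raises once per frequency_interval seconds of silence and that a rule-1 match resets. The simulation treats frequency as the number of silent intervals needed before firing, so frequency=5 with a 60 s interval corresponds to "missed for the last 300 s".

```python
"""Simulation of a timer-driven 'event missing' rule (hypothetical semantics,
written for this page; not OSSEC code)."""


class AbsenceDetector:
    """Rule 2 from the proposal: fire when a source has been silent for
    `frequency` intervals of `frequency_interval` seconds each.  Rule 1
    (a plain `match`) resets the counter for the matching source."""

    def __init__(self, match, frequency, frequency_interval):
        self.match = match                  # rule 1 pattern (substring match)
        self.frequency = frequency          # silent intervals before firing
        self.interval = frequency_interval  # seconds per counter increment
        self.last_seen = {}                 # srcip -> timestamp of last rule-1 hit
        self.counter = {}                   # srcip -> silent intervals so far
        self.fired = set()                  # srcips already alerted on

    def observe(self, ts, srcip, text):
        """Feed one log event.  A rule-1 match resets rule 2 for that srcip
        (the proposal's reset_if_matched_sid + same_source_ip)."""
        if self.match not in text:
            return False
        self.last_seen[srcip] = ts
        self.counter[srcip] = 0
        self.fired.discard(srcip)           # a new heartbeat re-arms the alert
        return True

    def tick(self, now):
        """Timer routine, called every `interval` seconds.  Recomputes each
        source's silent-interval count (equivalent to incrementing it by one
        per interval) and returns (timestamp, srcip) alerts for sources
        crossing `frequency`."""
        alerts = []
        for srcip, seen in self.last_seen.items():
            self.counter[srcip] = (now - seen) // self.interval
            if self.counter[srcip] >= self.frequency and srcip not in self.fired:
                self.fired.add(srcip)
                alerts.append((now, srcip))
        return alerts


def simulate(events, detector, end, tick_every=60):
    """Replay (ts, srcip, text) events against the detector, running the
    timer every `tick_every` seconds from 0 to `end` inclusive."""
    events = sorted(events)
    alerts, i = [], 0
    for now in range(0, end + 1, tick_every):
        # Deliver every event up to and including the current tick first.
        while i < len(events) and events[i][0] <= now:
            ts, srcip, text = events[i]
            detector.observe(ts, srcip, text)
            i += 1
        alerts.extend(detector.tick(now))
    return alerts


def sample_events():
    """Constructed sample: host .1 heartbeats every 60 s for 840 s; host .2
    heartbeats three times, goes quiet, and returns at t=600."""
    events = [(t, "10.0.0.1", "agent heartbeat: something ok") for t in range(0, 841, 60)]
    events += [(t, "10.0.0.2", "agent heartbeat: something ok") for t in (0, 60, 120, 600)]
    events.append((300, "10.0.0.2", "unrelated line, does not match rule 1"))
    return events


if __name__ == "__main__":
    det = AbsenceDetector("something", frequency=5, frequency_interval=60)
    for when, host in simulate(sample_events(), det, end=840):
        print(f"t={when}: '{det.match}' missed for the last "
              f"{det.frequency * det.interval}s from {host}")
```

Two things the simulation makes visible that the rule text alone does not: a source is only tracked after its first rule-1 match, so a host that never reports at all never trips the alert (a real implementation would need a list of expected sources), and the unrelated line at t=300 does not reset the counter because only the rule-1 match does. With the sample data the only alert is for 10.0.0.2 at t=420, 300 s after its last heartbeat at t=120; its return at t=600 re-arms the detector without a second alert before the run ends.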
