http://marc.info/?l=ossec-list&m=129736702512080&w=2
On Mon, Nov 28, 2011 at 5:36 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Nov 28, 2011 at 5:05 PM, Andreas Piesk <[email protected]> wrote:
>> On 28.11.2011 21:01, dan (ddp) wrote:
>>>
>>> There isn't really a way at the moment. It's a problem I'm interested in,
>>> and I'm slowly coming up with a plan.
>>>
>>> I'm open to ideas if anyone has a good one.
>>
>> may not be a good one, but i'm thinking of something like:
>>
>> <rule id="1" level="7">
>>   <if_sid>...</if_sid>
>>   <match>something</match>
>>   <description>something found</description>
>> </rule>
>>
>> <rule id="2" level="5" frequency="1" timeframe="300" frequency_interval="60">
>>   <reset_if_matched_sid>1</reset_if_matched_sid>
>>   <same_source_ip/>
>>   <description>"something" missed for the last 300s</description>
>> </rule>
>>
>> frequency of rule 2 will be increased every "frequency_interval" seconds by 1.
>> if it has "frequency" hits in "timeframe" seconds, it will fire.
>>
>> rule 1 is a standard rule and will reset "frequency" of the specified rule
>> if it fires.
>>
>> reset_if_matched_sid is just an example, there should also be
>> reset_if_matched_group, etc.
>>
>> i don't know if OSSEC already has an internal timer routine which could be used
>> for incrementing "frequency" based on "frequency_interval", i admit, i haven't
>> looked at the code in detail yet.
>> but maybe the whole idea is stupid and has flaws i'm not aware of.
>>
>> aside from that: is there a reason why frequency must actually be +2 to fire
>> (frequency = 2 requires 4 hits)? the lowest possible value is 1 which means
>> the rule needs 3 hits to fire, what if i want only 2 hits?
>>
>
> I think there is a reason for it, and Daniel Cid's posted information
> on why that is on this list in the past. I think you can actually put
> a 0 in the frequency, but I haven't tried it.
>
>> regards,
>> -ap
>>
>
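The "something missed for the last N seconds" rule sketched in the thread is an absence-of-event (dead-man's-switch) detector: a counter ticks once per `frequency_interval` seconds of silence per source IP, fires when it reaches `frequency` within `timeframe`, and is reset whenever the ordinary match rule fires. The following is an added, stand-alone Python illustration of that logic written for this page; it is not OSSEC code, and `frequency_interval` / `reset_if_matched_sid` remain the thread's hypothetical syntax, not attributes OSSEC supports. The log format, IPs and timestamps are constructed, and `frequency` is counted literally here (2 means two silent intervals), unlike the OSSEC behaviour questioned at the end of the post. It also adds the configuration check a practitioner would want: with reset-on-match the misses are contiguous, so if `(frequency - 1) * frequency_interval` is at least `timeframe`, the oldest miss expires before the rule can ever fire.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed sample log, one event per line: "<epoch-seconds> <src_ip> <message>".
# 10.0.0.1 beats every 60 s; 10.0.0.2 is heard once and goes quiet;
# 10.0.0.3 goes quiet after 1060 and comes back at 1300.
SAMPLE_LOG = """\
1000 10.0.0.1 heartbeat ok
1000 10.0.0.2 heartbeat ok
1000 10.0.0.3 heartbeat ok
1060 10.0.0.1 heartbeat ok
1060 10.0.0.3 heartbeat ok
1120 10.0.0.1 heartbeat ok
1180 10.0.0.1 heartbeat ok
1240 10.0.0.1 heartbeat ok
1300 10.0.0.1 heartbeat ok
1300 10.0.0.3 heartbeat ok
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")


@dataclass
class AbsenceRule:
    """Mirrors the attributes of the proposed rule 2 (hypothetical syntax)."""
    match: str          # what rule 1 would <match>; a hit resets the counter
    frequency: int      # silent intervals needed before firing
    timeframe: int      # seconds; misses older than this are forgotten
    interval: int       # "frequency_interval": seconds between counter ticks
    description: str

    def __post_init__(self):
        if self.frequency < 1 or self.interval < 1 or self.timeframe < 1:
            raise ValueError("frequency, interval and timeframe must be positive")
        # Misses are contiguous (a match clears them), so the f-th miss lands
        # (f-1)*interval seconds after the first; if that is >= timeframe the
        # first miss is pruned before the rule can fire.
        if (self.frequency - 1) * self.interval >= self.timeframe:
            raise ValueError("(frequency-1)*interval must be below timeframe")


@dataclass
class SourceState:
    seen_this_interval: bool = True   # a newly seen source counts as present
    misses: deque = field(default_factory=deque)  # tick times the source was silent
    fired: bool = False


class AbsenceDetector:
    """Per-source-IP (same_source_ip) silence counter with reset-on-match."""

    def __init__(self, rule, start):
        self.rule = rule
        self.sources = {}
        self.next_tick = start + rule.interval
        self.alerts = []   # (tick_time, src_ip, description)

    def feed(self, ts, src, message):
        self._advance(ts)                      # run ticks due before this event
        st = self.sources.setdefault(src, SourceState())
        if self.rule.match in message:         # reset_if_matched_sid semantics
            st.seen_this_interval = True
            st.misses.clear()
            st.fired = False

    def _advance(self, now):
        while self.next_tick <= now:
            self._tick(self.next_tick)
            self.next_tick += self.rule.interval

    def _tick(self, t):
        for src, st in self.sources.items():
            if not st.seen_this_interval:
                st.misses.append(t)
            st.seen_this_interval = False
            while st.misses and t - st.misses[0] >= self.rule.timeframe:
                st.misses.popleft()            # forget misses outside timeframe
            if len(st.misses) >= self.rule.frequency and not st.fired:
                st.fired = True                # alert once until the next reset
                self.alerts.append((t, src, self.rule.description))

    def finish(self, now):
        self._advance(now)
        return list(self.alerts)


def run_log(text, rule, start, end):
    """Replay log lines in order and return the alerts raised up to `end`."""
    det = AbsenceDetector(rule, start)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # skip lines that do not parse
        det.feed(int(m.group(1)), m.group(2), m.group(3))
    return det.finish(end)


def run_sample():
    rule = AbsenceRule(match="heartbeat", frequency=2, timeframe=300,
                       interval=60, description="heartbeat missing for 2 intervals")
    return run_log(SAMPLE_LOG, rule, start=1000, end=1300)


if __name__ == "__main__":
    for t, src, desc in run_sample():
        print(f"{t} {src}: {desc}")
```

Replaying the sample raises one alert for 10.0.0.2 at tick 1180 and one for 10.0.0.3 at tick 1240; the heartbeat 10.0.0.3 sends at 1300 clears its state so it can alert again later, while 10.0.0.1 never alerts. Because the detector only advances its clock when an event arrives, a production version would need a real timer to tick when no source at all is talking, which is exactly the "internal timer routine" the post wonders about.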
