I still seem to get combined emails sometimes, even though I have set
maild.groupping=0.  I also increased my <email_maxperhour> to 6000 to make
sure that wasn't getting in the way.

It seems to mostly occur with rule 5720 (multiple SSHD auth failures) or my
local rule 101002 which tries to only send an alert when 1002 is matched 3
or more times in 6 minutes:

  <!-- Ignore mistyped passwords until 3rd occurrence -->
  <rule id="101002" level="4" frequency="3" timeframe="360">
    <if_matched_sid>1002</if_matched_sid>
    <match>Failed to authenticate user</match>
    <options>alert_by_email</options>
    <description>User authentication failure.</description>
  </rule>

The emails I get make it appear that OSSEC is considering failures on ALL
hosts within that timeframe, as opposed to just on a single host.

I don't necessarily care if UserA mistyped their password on HostA twice
within a couple minutes of UserB mistyping their password on HostB.  Is it
possible to adjust this behavior - to force a rule to apply on a per-host
basis?

If not, can I at least force it to appear as a "multi-host" match of some
sort?  Currently, OSSEC shows the rule as being "Received From: " the last
host that had a log entry which triggered the rule.  I'd like to be able to
sort these differently - if the "last" host was a sandbox machine, I might
inadvertently give the whole alert less criticality than a multi-host,
potential brute-force attack would warrant.

Thanks,
Christina

On Wed, Apr 25, 2012 at 9:49 AM, dan (ddp) <[email protected]> wrote:

> No problem, that option is buried in a strange place.
>
> On Wed, Apr 25, 2012 at 9:37 AM, C. L. Martinez <[email protected]>
> wrote:
> > Many thanks dan.
> >
> > On Wed, Apr 25, 2012 at 3:11 PM, dan (ddp) <[email protected]> wrote:
> >>
> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
> >>
> >> On Wed, Apr 25, 2012 at 9:08 AM, C. L. Martinez <[email protected]>
> wrote:
> >>> Hi all,
> >>>
> >>>  Sometimes ossec sends several alerts in only one email. Is it
> >>> possible to configure ossec to send one email per alert?? (I am using
> >>> a local mta in ossec server to send these email alerts).
> >>>
> >>> Thanks.
>
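One way to scope the frequency count to a single reporting host, as an added example that is not part of this thread: OSSEC's rule syntax has a `<same_location />` option, which makes the correlated events' decoded location (agent or log source) have to match before the frequency counter advances. The option is assumed here from the rule documentation, not from anything in the post, and rule id 101003 and the group name are made up for the example.

```xml
<!-- Added example (not from the thread). Drop into local_rules.xml.
     Rule id 101003 is a hypothetical local id; <same_location /> is
     assumed from OSSEC's rule syntax and restricts the 3-in-360s
     correlation to events that share the same decoded location,
     so UserA on HostA and UserB on HostB no longer add up together. -->
<group name="local,syslog,authentication_failed,">

  <!-- Per-host variant of the original 101002 rule -->
  <rule id="101003" level="4" frequency="3" timeframe="360">
    <if_matched_sid>1002</if_matched_sid>
    <same_location />
    <match>Failed to authenticate user</match>
    <options>alert_by_email</options>
    <description>Repeated authentication failures on a single host.</description>
  </rule>

</group>
```

After reloading, an alert from this rule reflects only the host named in its "Received From" field; the original rule, which counts matches from every host in the window, can be kept alongside it with a different level and description so the two cases can be sorted apart in the mailbox.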
