Do you mean multiple log messages are included in one email or multiple OSSEC alerts? Can you provide an example?
On Wed, Apr 25, 2012 at 10:28 AM, Christina Plummer <[email protected]> wrote:
> I still seem to get combined emails sometimes, even though I have set
> maild.groupping=0. I also increased my <email_maxperhour> to 6000 to make
> sure that wasn't getting in the way.
>
> It seems to mostly occur with rule 5720 (multiple SSHD auth failures) or my
> local rule 101002 which tries to only send an alert when 1002 is matched 3
> or more times in 6 minutes:
>
> <!-- Ignore mistyped passwords until 3rd occurrence -->
> <rule id="101002" level="4" frequency="3" timeframe="360">
>   <if_matched_sid>1002</if_matched_sid>
>   <match>Failed to authenticate user</match>
>   <options>alert_by_email</options>
>   <description>User authentication failure.</description>
> </rule>
>
> The emails I get make it appear that OSSEC is considering failures on ALL
> hosts within that timeframe, as opposed to just on a single host.
>
> I don't necessarily care if UserA mistyped their password on HostA twice
> within a couple minutes of UserB mistyping their password on HostB. Is it
> possible to adjust this behavior - to force a rule to apply on a per-host
> basis?
>
> If not, can I at least force it to appear as a "multi-host" match of some
> sort? Currently, OSSEC shows the rule as being "Received From: " the last
> host that had a log entry which triggered the rule. I'd like to be able to
> sort these differently - if the "last" host was a sandbox machine, I might
> inadvertently give the whole alert less criticality than a multi-host,
> potential brute-force attack would warrant.
>

No, there isn't really a way to do any of this. I think you could modify it to not include the sensor name in the subject, but I don't know how much that helps. I'd start by separating the sandbox machines from production machines. It wouldn't hurt to keep those on different managers.

> Thanks,
> Christina
>
> On Wed, Apr 25, 2012 at 9:49 AM, dan (ddp) <[email protected]> wrote:
>>
>> No problem, that option is buried in a strange place.
>>
>> On Wed, Apr 25, 2012 at 9:37 AM, C. L. Martinez <[email protected]>
>> wrote:
>> > Many thanks dan.
>> >
>> > On Wed, Apr 25, 2012 at 3:11 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> http://www.ossec.net/doc/syntax/head_internal_options.analysisd.html#intopt-maild.groupping
>> >>
>> >> On Wed, Apr 25, 2012 at 9:08 AM, C. L. Martinez <[email protected]>
>> >> wrote:
>> >>> Hi all,
>> >>>
>> >>> Sometimes ossec sends several alerts in only one email. Is it
>> >>> possible to configure ossec to send one email per alert?? (I am using
>> >>> a local mta in ossec server to send these email alerts).
>> >>>
>> >>> Thanks.
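Editor's added example (not from any message in this thread): OSSEC composite rules can restrict the frequency/timeframe count to events that share a decoded field. The stock sshd rule 5720 does this with <same_source_ip />, so three failures from three different clients never add up to one alert. The local rule below is the poster's 101002 with that option added; the second rule (id 101003 is a constructed id) groups by log location instead, for events whose decoder does not extract a source IP. That <same_location /> groups per agent/log file as listed in the rules syntax documentation is an assumption to verify against the OSSEC version in use; deploy only one of the two rules, since both fire on the same events.

```xml
<!-- Added example for local_rules.xml, not from the thread. Rule 101002 is the
     poster's; 101003 is a constructed variant. Verify both options against the
     rules syntax documentation for your OSSEC version before relying on them. -->
<group name="local,authentication_failures,">

  <!-- Count only failures that share a decoded source IP, as stock rule 5720
       does. Requires the decoder for these log lines to extract srcip;
       otherwise every event has an empty srcip and the count stays global. -->
  <rule id="101002" level="4" frequency="3" timeframe="360">
    <if_matched_sid>1002</if_matched_sid>
    <match>Failed to authenticate user</match>
    <same_source_ip />
    <options>alert_by_email</options>
    <description>Repeated user authentication failures from one source.</description>
  </rule>

  <!-- Constructed variant: group by the event's location (agent + log file),
       i.e. per monitored host, when no source IP is decoded.
       Assumption: <same_location /> behaves as listed in the rules syntax. -->
  <rule id="101003" level="4" frequency="3" timeframe="360">
    <if_matched_sid>1002</if_matched_sid>
    <match>Failed to authenticate user</match>
    <same_location />
    <options>alert_by_email</options>
    <description>Repeated user authentication failures on one host.</description>
  </rule>

</group>
```

After editing local_rules.xml, restart the manager and replay a few sample "Failed to authenticate user" lines through bin/ossec-logtest to confirm the decoder fills the field you group on; if the srcip column is empty in the logtest output, the <same_source_ip /> rule will never reach frequency 3 and the location-based variant is the one to use.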
