On 22.08.2012 17:05, Kevin Huang wrote:
Hi,
I am new to ossec. I would like to write a rule that will check for
occurrences when a rule is fired and, if it is fired at a certain rate,
do something.

A scenario: I would like to write a rule that monitors all alerts and,
if I find more than 5 identical alerts from the same machine, then
raise the alert level and silence the corresponding rule for 1 hour.
Unless I am misunderstanding, then yes, you can do this. Here's an
example rule:

  <rule id="4386" level="10" frequency="8" timeframe="240">
    <if_matched_sid>4334</if_matched_sid>
    <description>Multiple AAA (VPN) authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

This looks for 10 occurrences (frequency+2, another story) of rule
4334 within a time frame of 240 seconds. If you wanted to ignore it for
30 seconds after firing, you would add the ignore="30" attribute to the
rule element.
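The following is an added example, not part of the thread and not OSSEC's own code. It writes the asker's scenario as a composite rule in the same form as the reply's example (a constructed rule id 100100, frequency="5", timeframe="600", ignore="3600", with <same_source_ip /> so that counting is per source host), parses it, and runs a small sliding-window correlator over a constructed stream of alerts to show when the composite rule fires and how the ignore period silences it afterwards. The correlator counts `frequency` literally; as the reply notes, real OSSEC fires at frequency+2, so treat this as an illustration of the semantics, not a bit-exact model.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed composite rule for the scenario in the thread: 5 alerts of rule
# 4334 from the same source within 600 s raise a level-12 alert, after which
# the rule stays quiet for 3600 s (the asker's "silence for 1 hour").
# Rule id 100100 is a constructed local-rule id, not an OSSEC stock rule.
RULE_XML = """
<rule id="100100" level="12" frequency="5" timeframe="600" ignore="3600">
  <if_matched_sid>4334</if_matched_sid>
  <same_source_ip />
  <description>Repeated AAA (VPN) authentication failures from one host.</description>
</rule>
"""


def parse_rule(xml_text):
    """Pull the attributes and child elements the correlator needs out of the rule."""
    r = ET.fromstring(xml_text.strip())
    return {
        "id": r.get("id"),
        "level": int(r.get("level")),
        "frequency": int(r.get("frequency")),
        "timeframe": int(r.get("timeframe")),
        "ignore": int(r.get("ignore", "0")),
        "if_matched_sid": r.findtext("if_matched_sid"),
        "same_source_ip": r.find("same_source_ip") is not None,
        "description": r.findtext("description"),
    }


class Correlator:
    """Sliding-window counter approximating frequency/timeframe/ignore.

    This is an illustrative model, not OSSEC's analysisd: it fires when
    `frequency` matching alerts fall inside `timeframe` seconds for one key
    (the source IP when <same_source_ip /> is present, otherwise global) and
    then swallows further matches from that key until `ignore` seconds pass.
    """

    def __init__(self, rule):
        self.rule = rule
        self.windows = defaultdict(deque)   # key -> timestamps of matched alerts
        self.ignore_until = {}              # key -> time until which key is silenced

    def feed(self, ts, sid, src_ip):
        """Feed one alert (ts in seconds, sid as string); return the composite alert or None."""
        if sid != self.rule["if_matched_sid"]:
            return None
        key = src_ip if self.rule["same_source_ip"] else "*"
        if ts < self.ignore_until.get(key, -1):
            return None                     # inside the ignore period: stay silent
        win = self.windows[key]
        win.append(ts)
        while win and ts - win[0] > self.rule["timeframe"]:
            win.popleft()                   # drop matches older than the timeframe
        if len(win) >= self.rule["frequency"]:
            win.clear()                     # start counting afresh after firing
            if self.rule["ignore"]:
                self.ignore_until[key] = ts + self.rule["ignore"]
            return {"rule": self.rule["id"], "level": self.rule["level"],
                    "src_ip": key, "ts": ts, "description": self.rule["description"]}
        return None


# Constructed alert stream: (timestamp in seconds, rule sid, source ip).
# 10.0.0.5 fails five times in two minutes, then keeps failing inside the
# ignore window; 10.0.0.9 has two early failures that age out before its burst;
# sid 5501 is an unrelated alert the composite rule must not count.
SAMPLE_ALERTS = [
    (0, "4334", "10.0.0.5"), (10, "4334", "10.0.0.9"), (30, "4334", "10.0.0.5"),
    (50, "4334", "10.0.0.9"), (60, "4334", "10.0.0.5"), (90, "4334", "10.0.0.5"),
    (100, "5501", "10.0.0.5"), (120, "4334", "10.0.0.5"), (150, "4334", "10.0.0.5"),
    (180, "4334", "10.0.0.5"), (800, "4334", "10.0.0.9"), (810, "4334", "10.0.0.9"),
    (820, "4334", "10.0.0.9"), (830, "4334", "10.0.0.9"), (840, "4334", "10.0.0.9"),
    (4000, "4334", "10.0.0.5"),
]


def run(alerts, rule_xml=RULE_XML):
    """Replay an alert stream through the composite rule; return the alerts it fires."""
    correlator = Correlator(parse_rule(rule_xml))
    fired = []
    for ts, sid, ip in alerts:
        alert = correlator.feed(ts, sid, ip)
        if alert:
            fired.append(alert)
    return fired


if __name__ == "__main__":
    for alert in run(SAMPLE_ALERTS):
        print(f"t={alert['ts']:>5}s rule {alert['rule']} level {alert['level']} "
              f"from {alert['src_ip']}: {alert['description']}")
```

Running it fires twice: once for 10.0.0.5 at t=120 (the five failures at 0, 30, 60, 90, 120, with the sid 5501 alert skipped), and once for 10.0.0.9 at t=840, because its failures at 10 and 50 have aged out of the 600-second window and the burst at 800 to 840 is counted on its own. The 10.0.0.5 alerts at 150 and 180 are swallowed by the ignore period, and the lone failure at 4000 only restarts the count.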