Hi there!
After playing around for several days with ossec I am now stuck with a
strange behaviour... maybe someone here on the list can point me in the
right direction?
Situation:
OSSEC is up and running, several custom rules and decoders are running as
desired. But when trying to count events to escalate the event (of course
to trigger active response later) ossec seems to refuse its service :)
Example rule:
<group name="iplog">
  <rule id="180000" level="0">
    <decoded_as>iplog</decoded_as>
    <description>Grouping for iplog rules</description>
  </rule>
  <rule id="180001" level="6">
    <if_sid>180000</if_sid>
    <match>scan detected</match>
    <description>iplog scan detect</description>
  </rule>
  <rule id="180002" level="6">
    <if_sid>180000</if_sid>
    <match>ssh connection attempt from</match>
    <description>SSH Connect falscher Port</description>
  </rule>
  <rule id="180003" level="10" frequency="2" timeframe="30">
    <if_matched_sid>180002</if_matched_sid>
    <same_source_ip />
    <description>SSH Bruteforce am Fakeport</description>
  </rule>
</group>
This seems to work, as the alert log shows rule events of rule
#180002 when trying to connect to the wrong ssh port:
** Alert 1427298108.6245999: - iplog
2015 Mar 25 15:41:48 main->/var/log/iplog
Rule: 180002 (level 6) -> 'SSH Connect falscher Port'
Mar 25 16:41:47 TCP: ssh connection attempt from
089144208174.atnat0017.my.hoster.net (1.2.3.4):64214
** Alert 1427298110.6246243: - iplog
2015 Mar 25 15:41:50 main->/var/log/iplog
Rule: 180002 (level 6) -> 'SSH Connect falscher Port'
Mar 25 16:41:49 TCP: ssh connection attempt from
089144208174.atnat0017.my.hoster.net (1.2.3.4):64215
BUT as I understand it and wrote the rules above, rule #180003 should be
fired after 4 occurrences of rule #180002, but that doesn't happen: I can
see 10 and more #180002 events but never a #180003.
What am I doing wrong?
Any hint is appreciated...
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
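To make the correlation in rule 180003 concrete, here is an added Python model of how an OSSEC composite rule with <if_matched_sid>, <same_source_ip/>, frequency and timeframe counts events. It is not OSSEC's own code and not from the poster; it follows the semantics in the OSSEC rules documentation (the rule fires once frequency + 2 matching events fall inside the timeframe, and <same_source_ip/> compares the decoded srcip field), while the reset after firing and the IPLOG_SSH_RE pattern, which stands in for whatever a decoder would have to capture as srcip, are assumptions of this model. The sample log line is constructed from the format quoted in the post. It shows three cases: events with a decoded source IP fire on the 4th match, events whose decoder supplied no srcip never satisfy same_source_ip, and events spaced wider than the timeframe never accumulate.

```python
import re
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the iplog format quoted in the post (hostname and address
# on one line). The regex is a hypothetical stand-in for a decoder's srcip capture,
# not an OSSEC decoder.
SAMPLE_MSG = ("Mar 25 16:41:47 TCP: ssh connection attempt from "
              "089144208174.atnat0017.my.hoster.net (1.2.3.4):64214")
IPLOG_SSH_RE = re.compile(
    r"ssh connection attempt from \S+ \((?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\):\d+"
)


def decode_srcip(message: str) -> Optional[str]:
    """Return the source IP a decoder would extract, or None if nothing matched."""
    m = IPLOG_SSH_RE.search(message)
    return m.group("srcip") if m else None


@dataclass
class MatchedEvent:
    ts: int                 # event time, epoch seconds
    sid: int                # rule id that already fired for this log line
    srcip: Optional[str]    # decoded source IP; None when the decoder supplied none


class CompositeRule:
    """Model of an OSSEC rule with <if_matched_sid>, <same_source_ip/>,
    frequency and timeframe. Per the OSSEC docs the rule fires at
    frequency + 2 matches within timeframe seconds; clearing the window
    after a firing is a simplification of this model."""

    def __init__(self, rule_id: int, if_matched_sid: int, frequency: int,
                 timeframe: int, same_source_ip: bool = True):
        self.rule_id = rule_id
        self.if_matched_sid = if_matched_sid
        self.needed = frequency + 2          # documented off-by-two behaviour
        self.timeframe = timeframe
        self.same_source_ip = same_source_ip
        self.history: deque = deque()

    def feed(self, ev: MatchedEvent) -> bool:
        """Return True if this event makes the composite rule fire."""
        if ev.sid != self.if_matched_sid:
            return False
        # Drop events that fell out of the sliding window.
        while self.history and ev.ts - self.history[0].ts > self.timeframe:
            self.history.popleft()
        self.history.append(ev)
        if self.same_source_ip:
            # same_source_ip compares decoded srcip values; with no srcip there
            # is nothing to compare, so the condition can never be satisfied.
            if ev.srcip is None:
                return False
            count = sum(1 for e in self.history if e.srcip == ev.srcip)
        else:
            count = len(self.history)
        if count >= self.needed:
            self.history.clear()
            return True
        return False


def first_firing(rule: CompositeRule, events) -> Optional[int]:
    """1-based index of the first event that fires the rule, or None."""
    for i, ev in enumerate(events, start=1):
        if rule.feed(ev):
            return i
    return None


def make_rule() -> CompositeRule:
    # Mirrors rule 180003 from the post: frequency 2, timeframe 30, same_source_ip.
    return CompositeRule(180003, 180002, frequency=2, timeframe=30)


def scenario_decoded(n: int = 6, spacing: int = 2) -> Optional[int]:
    """srcip decoded, events `spacing` seconds apart: fires on the 4th event."""
    ip = decode_srcip(SAMPLE_MSG)
    return first_firing(make_rule(),
                        [MatchedEvent(i * spacing, 180002, ip) for i in range(n)])


def scenario_no_srcip(n: int = 10) -> Optional[int]:
    """Same matches, but the decoder extracted no srcip: never fires."""
    return first_firing(make_rule(),
                        [MatchedEvent(i * 2, 180002, None) for i in range(n)])


def scenario_too_slow(n: int = 10) -> Optional[int]:
    """srcip decoded but events 31 s apart, outside the 30 s window: never fires."""
    ip = decode_srcip(SAMPLE_MSG)
    return first_firing(make_rule(),
                        [MatchedEvent(i * 31, 180002, ip) for i in range(n)])


if __name__ == "__main__":
    print("decoded srcip:", decode_srcip(SAMPLE_MSG))
    print("fires on event:", scenario_decoded())
    print("no srcip fires on:", scenario_no_srcip())
    print("too slow fires on:", scenario_too_slow())
```

The useful check when a composite rule stays silent is therefore to confirm, with ossec-logtest, that the child rule's decoder actually populates srcip, since the model shows that the event count alone is not enough once <same_source_ip/> is in play.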