Hello, I have alerts coming in huge batches for rule 510. The batches of alerts are essentially all the same event, and the file path of the area that's causing this is essentially identical in each batch except for the last file. I'm trying to set up a rule that would look at the ID I set up in my decoder, which is a file path that takes the path except for the last file, in order to match the batches of events. I want to alert only on the first one and ignore the rest with that same ID for 5 minutes. First of all, does the rule below look OK for this? Does frequency="0" work, as I know the frequency essentially adds 2 to it? Another issue I'm having with this in particular is that ossec-logtest does not test this rule correctly at all. Even when I paste the message, it doesn't even show up as something that would trigger rule 510, which is what the alerts are coming as. So that is also making it hard to troubleshoot this. Any ideas? Thanks!
    <rule id="70908" level="7" frequency="2" timeframe="45" ignore="300">
      <if_matched_sid>510</if_matched_sid>
      <decoded_as>my_decoder</decoded_as>
      <same_id />
      <description>*TEST* - Only alert on the first docker root event for the same host and file path in a 60 second range.</description>
      <description>*TEST* - This is meant to reduce noise as docker root events typically happen in batches with not much difference in meaning.</description>
    </rule>
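The suppression the post is after, modelled as an added Python example (not part of the original post, and not OSSEC's own rule engine): each event is keyed on the decoder's ID, i.e. the path minus its last component, the first event per key raises an alert and later events with the same key are dropped for 300 seconds, matching ignore="300". The sample events and paths are constructed for illustration.

```python
import os.path
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SUPPRESS_SECONDS = 300  # the post's ignore="300": one alert per ID per 5 minutes


def event_id(path: str) -> str:
    """The 'ID' the post's decoder extracts: the path without its last
    component. Constructed helper, not the post's actual decoder."""
    return os.path.dirname(path.rstrip("/"))


@dataclass
class Suppressor:
    """Tracks the last alert time per ID; assumes events arrive in time order."""
    last_alert: Dict[str, float] = field(default_factory=dict)

    def process(self, ts: float, path: str) -> bool:
        """Return True if this event should alert, False if it is suppressed."""
        key = event_id(path)
        prev = self.last_alert.get(key)
        if prev is not None and ts - prev < SUPPRESS_SECONDS:
            return False          # same ID within the ignore window: drop it
        self.last_alert[key] = ts  # first event for this ID (or window expired)
        return True


def run(events: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Feed (timestamp, path) events through the suppressor; return those that alert."""
    s = Suppressor()
    return [(ts, path) for ts, path in events if s.process(ts, path)]


# Constructed sample batch: timestamps in seconds, paths sharing a parent dir.
SAMPLE_EVENTS = [
    (0, "/var/lib/docker/overlay2/abc/diff/etc/passwd"),
    (1, "/var/lib/docker/overlay2/abc/diff/etc/shadow"),
    (2, "/var/lib/docker/overlay2/abc/diff/etc/group"),
    (10, "/var/lib/docker/overlay2/def/diff/etc/passwd"),   # different ID: alerts
    (301, "/var/lib/docker/overlay2/abc/diff/etc/hosts"),   # window expired: alerts
]

if __name__ == "__main__":
    for ts, path in run(SAMPLE_EVENTS):
        print(f"ALERT t={ts} id={event_id(path)} file={path}")
```

With the sample batch, only three of the five events alert: the first of the "abc" batch, the one from "def", and the "abc" event that arrives after the 300-second window.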
