Hi Jake,
take a look at rule 511
<https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>.
It is the way to ignore an event coming from rule 510. You could do the same
with a composite rule; it would be something like:
<rule id="70908" level="0" frequency="0" timeframe="45" ignore="300">
  <if_matched_sid>510</if_matched_sid>
  <match>your_file</match>
  <description>Ignore rule 510 for 'your_file' during 300 seconds.</description>
</rule>
frequency="0" would mean the rule must be matched 2 times (the real frequency
is always 2 more than the setting).
level 0 will not generate an alert (for testing you could increase it).
I hope it helps.
Regards.
On Wednesday, April 5, 2017 at 5:11:22 PM UTC+2, Jake B. wrote:
>
> Hello,
>
> I have alerts coming in huge batches for rule 510. The batches of alerts
> are essentially all the same event and the file path of the area that's
> causing this is essentially identical in each batch except for the last
> file. I'm trying to set up a rule that would look at the ID I set up in my
> decoder, which is a file path that takes the path except for the last file
> in order to match the batches of events. I want to alert only on the first
> one and ignore the rest with that same ID for 5 minutes. First of all, does
> the rule below look ok for this? Does frequency="0" work as I know the
> frequency essentially adds 2 to it? Also, another issue I'm having with
> this in particular is that ossec-logtest does not test this rule correctly
> at all. Even when I paste the message, it doesn't even show up as something
> that would trigger rule 510, which is what the alerts are coming as. So
> that is also making it hard to troubleshoot this. Any ideas? Thanks!
>
> <rule id="70908" level="7" frequency="2" timeframe="45" ignore="300">
>   <if_matched_sid>510</if_matched_sid>
>   <decoded_as>my_decoder</decoded_as>
>   <same_id />
>   <description>*TEST* - Only alert on the first docker root event for the same host and file path in a 60 second range.</description>
>   <description>*TEST* - This is meant to reduce noise as docker root events typically happen in batches with not much difference in meaning.</description>
> </rule>
>
>
>
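A small Python model of the frequency/timeframe/ignore behaviour discussed in this thread, added here as an example; it is not code from OSSEC, Wazuh or either poster. It assumes the simplified semantics both messages describe (a rule with frequency N fires on the (N+2)th match within timeframe seconds, <same_id /> counts matches per decoded id, and ignore silences the rule after it fires); the rule-510 match list and the paths in it are constructed.

```python
from collections import defaultdict, deque


class CompositeRule:
    """Simplified model of one <rule> with frequency/timeframe/ignore and <same_id />."""

    def __init__(self, rule_id, level, frequency, timeframe, ignore):
        self.rule_id = rule_id
        self.level = level
        self.required = frequency + 2  # thread: real threshold is setting + 2
        self.timeframe = timeframe     # seconds the matches must fall within
        self.ignore = ignore           # seconds of silence after firing
        self._seen = defaultdict(deque)  # decoded id -> timestamps of 510 matches
        self._ignored_until = None       # modelled rule-wide, not per id

    def feed(self, ts, event_id):
        """Feed one rule-510 match (timestamp, decoded id); True if this rule fires."""
        if self._ignored_until is not None and ts < self._ignored_until:
            return False  # still inside the ignore period
        window = self._seen[event_id]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()  # forget matches that fell out of the timeframe
        if len(window) < self.required:
            return False
        window.clear()
        self._ignored_until = ts + self.ignore
        return True


def replay(rule, matches):
    """Return the (timestamp, id) pairs at which the composite rule fired."""
    return [(ts, eid) for ts, eid in matches if rule.feed(ts, eid)]


# Constructed sample: rule-510 matches as (seconds, decoded id = path prefix).
SAMPLE_510_MATCHES = [
    (0, "/var/lib/docker/overlay2/abc"), (1, "/var/lib/docker/overlay2/abc"),
    (2, "/var/lib/docker/overlay2/abc"), (3, "/var/lib/docker/overlay2/abc"),
    (4, "/var/lib/docker/overlay2/abc"), (5, "/home/other"),
    (100, "/var/lib/docker/overlay2/abc"),
    (400, "/var/lib/docker/overlay2/abc"), (401, "/var/lib/docker/overlay2/abc"),
]

if __name__ == "__main__":
    # frequency="0" (the reply's suggestion) fires on the 2nd match of a batch,
    # then stays quiet for 300 s; Jake's frequency="2" needs 4 matches.
    print(replay(CompositeRule("70908", 0, 0, 45, 300), SAMPLE_510_MATCHES))
    print(replay(CompositeRule("70908", 7, 2, 45, 300), SAMPLE_510_MATCHES))
```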
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.