Hi,

as far as I know, that is not possible.

You could use composite rules. Ignore the first 49 times (it will generate 
an alert with level 1, but I guess you are getting alerts only from level 
3). Then, it will generate an alert with level 3 when the manager receives 
the event number 50.

<decoder name="test_throttling">
    <prematch>^test</prematch>
</decoder>

<group name="test_throttling,">

  <!--
  test: 50 times in 1 sec
  -->
  <rule id="100001" level="1">
    <decoded_as>test_throttling</decoded_as>
    <description>Test</description>
  </rule>

  <rule id="100002" level="3" frequency="48" timeframe="2">
    <if_matched_sid>100001</if_matched_sid>
    <description>Test: 50 times</description>
  </rule>

</group>

I hope it helps.
Regards.
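To see what the composite rule above does to a burst of duplicate events before loading it on a manager, here is a small Python model of the frequency/timeframe evaluation. It is an added example, not OSSEC's analysisd and not code from this thread; it assumes the behaviour the post describes (frequency="48" fires on the 50th match inside the timeframe, i.e. frequency + 2, and the counter restarts after the composite rule fires) and uses a minimum alert level as a stand-in for the manager's alert-level filter the post alludes to. The rule XML embedded in it is the one from the post; the event timestamps are constructed.

```python
"""Simplified model of OSSEC frequency/timeframe composite rules.

Assumptions (not verified against analysisd source):
  * a composite rule fires on the (frequency + 2)th matching event inside
    its timeframe, as the post's "48 -> alert at event 50" implies;
  * its match window is cleared after it fires, so the next 50 duplicates
    produce one more aggregated alert;
  * the composite alert replaces the base rule's alert for that event.
"""
import xml.etree.ElementTree as ET
from collections import deque

# Rules copied from the post (decoder omitted, events are fed already decoded).
RULES_XML = """
<group name="test_throttling,">
  <rule id="100001" level="1">
    <decoded_as>test_throttling</decoded_as>
    <description>Test</description>
  </rule>
  <rule id="100002" level="3" frequency="48" timeframe="2">
    <if_matched_sid>100001</if_matched_sid>
    <description>Test: 50 times</description>
  </rule>
</group>
"""


def load_rules(xml_text):
    """Parse <rule> elements into a dict keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "frequency": int(r.get("frequency", 0)),
            "timeframe": int(r.get("timeframe", 0)),
            "parent": (r.findtext("if_matched_sid") or "").strip() or None,
            "description": r.findtext("description"),
        }
    return rules


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        # composite rules indexed by the sid they watch via if_matched_sid
        self.children = {}
        for sid, r in rules.items():
            if r["parent"]:
                self.children.setdefault(r["parent"], []).append(sid)
        # sliding window of match timestamps per composite rule
        self.windows = {sid: deque() for sid, r in rules.items() if r["parent"]}

    def feed(self, ts, base_sid):
        """Return (sid, level) of the alert for one event already matched by
        base rule `base_sid` at time `ts` (seconds)."""
        alert = (base_sid, self.rules[base_sid]["level"])
        for child in self.children.get(base_sid, []):
            r, win = self.rules[child], self.windows[child]
            win.append(ts)
            while win and ts - win[0] > r["timeframe"]:  # drop expired matches
                win.popleft()
            if len(win) >= r["frequency"] + 2:  # assumption: +2 (see module doc)
                win.clear()
                alert = (child, r["level"])
        return alert


def simulate(rules, timestamps, min_level):
    """Feed events matched by 100001; keep alerts at or above min_level."""
    engine = RuleEngine(rules)
    alerts = []
    for ts in timestamps:
        sid, level = engine.feed(ts, "100001")
        if level >= min_level:
            alerts.append((round(ts, 3), sid, level))
    return alerts


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    burst = [i / 50 for i in range(50)]  # constructed: 50 duplicates in 1 s
    print("level>=3:", simulate(rules, burst, 3))  # one aggregated alert
    print("level>=1:", len(simulate(rules, burst, 1)), "alerts")  # 49 + 1
    print("20 events:", simulate(rules, [i / 20 for i in range(20)], 3))
```

Two things the run makes visible: with the alert threshold at level 3 a burst of 50 duplicates yields exactly one alert (at the 50th event), but the 20-duplicates-per-second case from the original question yields none, because the frequency is sized for 50; and with the threshold at level 1 all 49 single alerts still reach the log, which is why the post's approach only throttles what the operator actually sees.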

On Tuesday, July 11, 2017 at 10:03:50 AM UTC+2, chintan shah wrote:
>
> Hi Dan , 
>
> Thanks for the response . I am aware of the frequency and time frame 
>  options in the rule but it does not serve the purpose  . Let me frame the 
> requirement in a slightly different way . 
>
> Basically , we have 50 duplicate events generated within the period of 1 
> sec which we want to throttle down to 1 event per sec . This is to avoid 
> having user investigate too many events . To achieve this , OSSEC will have 
> to hold the said event *[ based on rule ID ] * for 1 sec and see how many 
> such events arrive within the period of 1 sec . If the number goes beyond 
> 50 , then post just one aggregated alert instead of 50 different ones. If 
> that does not happen, then just release whatever is held . 
>
> Hope that helps. If there is any workaround in OSSEC to achieve this , it 
> would really help to reduce the number of events . 
>
>
> On Saturday, 8 July 2017 23:21:48 UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Fri, Jul 7, 2017 at 8:07 AM, chintan shah <[email protected]> 
>> wrote: 
>> > Hi Guys , 
>> > 
>> > Just wanted to check if anybody has an idea on how to throttle the 
>> events in 
>> > OSSEC . I have a situation where there are 20 duplicate alerts within a 
>> > second and I would want to raise only 1 alert for that . Is there any 
>> event 
>> > throttling mechanism in OSSEC where only 1 event can be raised for the 
>> N 
>> > number of events within a timeframe ? 
>> > 
>>
>> Look at the frequency and timeframe rule options. 
>>
>> > Regards 
>> > Chintan 
>> > 
>> > -- 
>> > 
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups 
>> > "ossec-list" group. 
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> > email to [email protected]. 
>> > For more options, visit https://groups.google.com/d/optout. 
>>
>
