Hi EXP,
Unfortunately, there is no option to limit the active-response
executions or buffer them for now. However, to control the
active-response executions you could be more precise with the rules associated
with that AR.
You could create custom rules using the frequency and timeframe options
on top of the ones used to fire the active response. That way you could reduce
the number of hits when a high load of alerts appears.
For example, here you can see a sample alert derived from the one that alerts
about file changes:
<rule id="100001" level="5" frequency="8" timeframe="60">
  <if_matched_sid>550</if_matched_sid>
  <description>Sample alert for Active Response</description>
  <group>syscheck,active-response,</group>
</rule>
Note that 550 is the ID of the rule related to integrity checksum changes
detected in FIM scans.
Apart from this suggestion, if you could give us details of your use case, we can
look for another way to limit your ARs that fits your needs
better.
I hope it helps,
Best regards,
Chema.
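As an added example (not part of Chema's reply or of the OSSEC project's own files), this is how the throttling rule above is wired into a complete setup: the rule lives in local_rules.xml inside a group wrapper, and the active-response block in ossec.conf is bound to rule 100001 rather than directly to rule 550, so the script runs at most once per 8 FIM changes in 60 seconds. The command name and script path (fim-notify) are hypothetical placeholders.

```xml
<!-- ===== file: rules/local_rules.xml =====
     Rules only load when wrapped in a <group> element -->
<group name="local,syscheck,">
  <!-- Composite rule: fires once when rule 550 (integrity checksum
       changed) has matched 8 times within 60 seconds, instead of
       once per changed file -->
  <rule id="100001" level="5" frequency="8" timeframe="60">
    <if_matched_sid>550</if_matched_sid>
    <description>Sample alert for Active Response</description>
    <group>syscheck,active-response,</group>
  </rule>
</group>

<!-- ===== file: etc/ossec.conf (fragment) ===== -->
<ossec_config>
  <!-- Hypothetical command; fim-notify.sh is a placeholder script
       expected under active-response/bin/ -->
  <command>
    <name>fim-notify</name>
    <executable>fim-notify.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>fim-notify</command>
    <location>local</location>
    <!-- Bind to the throttled rule, NOT to rule 550; binding to 550
         would still execute the script once per file change -->
    <rules_id>100001</rules_id>
  </active-response>
</ossec_config>
```

After editing, restart OSSEC and verify with a batch of test file changes that the alert log shows rule 100001 firing roughly once per 8 changes and the script running the same number of times.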
On Wednesday, May 29, 2019 at 11:09:43 AM UTC+2, EXP wrote:
>
> Hi!
>
> I have a scenario that may trigger Active-Response about 100 times
> at the same time, e.g. syscheck file changes.
>
> I want to limit it to under 10, with the other 90 waiting in the queue.
>
> How can I do this?
>