Thanks Dan, that makes more sense. Would that be the same for <if_group> vs <if_group_matched>? Also, how does if_group_matched figure into if_matched_sid? It seems as though, as events come in, the group list counting isn't every alert being processed; meaning the alert would either be added to the sid match composite rule counts OR the group match composite rule counts.
On Jul 8, 4:58 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> On Fri, Jul 8, 2011 at 11:29 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >
> > if_sid: For this log message, is sid XXX a valid match?
> > if_matched_sid: Has sid YYY matched a recent log message (but not
> > necessarily this one)?
>
> This is simplistic and partly wrong.
>
> if_sid is basically correct. If sid XXX matches the current log
> message, then use rule YYY instead:
>
> <rule id="YYY" level="10">
>   <if_sid>XXX</if_sid>
>   <description>This rule should be triggered instead of XXX</description>
> </rule>
>
> if_matched_sid is generally used in frequency based rules, and
> determines whether sid XXX has been triggered Z times in A seconds. :P
>
> <rule id="YYY" frequency="3" timeframe="30" level="12">
>   <if_matched_sid>XXX</if_matched_sid>
>   <description>If XXX is triggered 5+ times in 30 seconds, YYY should
>   be triggered</description>
> </rule>
>
> HTH
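To make the difference between the two rule types concrete, here is an added Python model of how a child rule (`if_sid`, same event) and a frequency rule (`if_matched_sid` with `frequency`/`timeframe`, earlier events) would be evaluated. It is illustrative code written for this thread, not OSSEC's own engine, and it only implements what Dan's message states: a child rule replaces its parent for the current message, and a frequency rule fires when the parent sid has fired `frequency` times within `timeframe` seconds. The rule ids (100001 to 100003), the `match="admin"` refinement, the sample events and the choice to record an event under the child's id when a child rule takes it over are all constructed assumptions; the frequency and timeframe values are the attributes from Dan's second rule.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Hypothetical rule ids; not real OSSEC rule numbers.
BASE_SID = 100001      # plays the role of "XXX" in Dan's examples
CHILD_SID = 100002     # <if_sid>XXX</if_sid> rule that refines a single event
FREQ_SID = 100003      # <if_matched_sid>XXX</if_matched_sid> frequency rule ("YYY")


@dataclass
class Rule:
    rule_id: int
    level: int
    if_sid: Optional[int] = None          # refine the parent's match on the *same* event
    match: Optional[str] = None           # extra substring the event must contain (used with if_sid)
    if_matched_sid: Optional[int] = None  # count earlier firings of that sid
    frequency: int = 0                    # how many firings ...
    timeframe: int = 0                    # ... within this many seconds


RULES: List[Rule] = [
    Rule(rule_id=BASE_SID, level=5),
    Rule(rule_id=CHILD_SID, level=10, if_sid=BASE_SID, match="admin"),
    Rule(rule_id=FREQ_SID, level=12, if_matched_sid=BASE_SID, frequency=3, timeframe=30),
]


class Correlator:
    """Simplified model of child (if_sid) and frequency (if_matched_sid) rule evaluation."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # sid -> timestamps (seconds) at which that sid fired; pruned to the rule's timeframe
        self.history: Dict[int, Deque[float]] = {}

    def process(self, t: float, text: str, base_sid: int) -> int:
        """Return the rule id that fires for one event already matched by `base_sid`."""
        fired = base_sid
        # 1. if_sid: the first child rule whose extra condition holds replaces the parent
        for r in self.rules:
            if r.if_sid == fired and (r.match is None or r.match in text):
                fired = r.rule_id
                break
        # Record the firing under the id that actually fired (modelling assumption:
        # an event taken over by a child rule is not counted for the parent sid).
        self.history.setdefault(fired, deque()).append(t)
        # 2. if_matched_sid: frequency rules look at how often the parent sid fired recently
        for r in self.rules:
            if r.if_matched_sid is None or r.frequency <= 0:
                continue
            hist = self.history.setdefault(r.if_matched_sid, deque())
            while hist and t - hist[0] > r.timeframe:   # drop firings outside the window
                hist.popleft()
            if len(hist) >= r.frequency:
                hist.clear()   # modelling assumption: one composite alert per burst
                return r.rule_id
        return fired


# Constructed sample events: (seconds, decoded message); all matched BASE_SID by the decoder.
EVENTS = [
    (0,  "login failed for user bob"),
    (10, "login failed for user alice"),
    (15, "login failed for user admin"),   # refined by CHILD_SID instead of BASE_SID
    (20, "login failed for user carol"),   # third BASE_SID firing within 30 s -> FREQ_SID
    (25, "login failed for user dave"),    # window was reset by the composite alert
    (70, "login failed for user eve"),     # earlier firings have aged out of the window
]


def run(events=EVENTS) -> List[int]:
    """Feed the sample events through the correlator and return the sid fired per event."""
    c = Correlator(RULES)
    return [c.process(t, text, BASE_SID) for t, text in events]


if __name__ == "__main__":
    for (t, text), sid in zip(EVENTS, run()):
        print(f"t={t:3d}  rule {sid} fired  ({text})")
```

Running it shows the two mechanisms side by side: the event at t=15 is handled by the `if_sid` child and the base rule never fires for it, while the event at t=20 is the third base-rule firing inside the 30-second window and so triggers the frequency rule rather than the base rule. Whether a message claimed by a child rule still counts toward the parent's frequency, and whether the window resets after a composite alert, are exactly the kind of detail a real deployment should be checked against rather than assumed from this model.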