Hi

Is there a way to write a rule where OSSEC would wait a bit and then
report updated packages? I have a problem whenever a machine is being
updated: OSSEC sends a massive number of emails with information about
updated packages (I use CentOS and yum).

I tried something like this:

<rule id="330991" level="5">
        <if_sid>2933</if_sid>
        <options>no_log</options>
        <description>Yum package updated</description>
</rule>
<rule id="330999" level="7" frequency="1" timeframe="300">
        <if_matched_sid>330991</if_matched_sid>
        <description>Multiple yum packages installed.</description>
</rule>


But that's not it... It won't report one or two packages updated
(because of frequency) and it won't group more than 3 log entries in
one alert.


So I would basically like for OSSEC to report even if only one package
is updated/erased/installed, but also, if there is a mass update going on,
to send one email of all packages updated in some timeframe, for
example 5 minutes.

I didn't try this:

<rule id="330999" level="7" timeframe="600">

because documentation says timeframe goes with frequency. Maybe it can
work standalone?

-- 
Jakov Sosic
www.srce.unizg.hr
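The behaviour the post asks for, written out as an added stand-alone example that is neither part of the original message nor OSSEC's own logic: parse yum.log lines and batch every package change that falls within 5 minutes of the first change into one summary, so a single update is still reported and a mass update becomes one report. The log lines below are constructed; real OSSEC batching would have to come from its rule or mail options, which this script does not touch.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample in the yum.log format ("Mon DD HH:MM:SS Action: pkg").
SAMPLE_YUM_LOG = """\
Jun 19 10:20:01 Updated: bash-4.1.2-15.el6_4.x86_64
Jun 19 10:20:03 Updated: openssl-1.0.1e-16.el6_5.x86_64
Jun 19 10:21:40 Installed: htop-1.0.1-2.el6.x86_64
Jun 19 10:23:59 Erased: telnet-0.17-47.el6_3.1.x86_64
Jun 19 11:05:10 Updated: kernel-2.6.32-431.el6.x86_64
"""

Event = namedtuple("Event", "time action package")
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (Installed|Updated|Erased): (\S+)$")


def parse_yum_log(text, year=2014):
    """Turn yum.log lines into Event tuples; yum.log carries no year,
    so the caller supplies one (assumed here for the sample)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a package line
        ts = datetime.strptime("%d %s" % (year, m.group(1)),
                               "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m.group(2), m.group(3)))
    return events


def batch_events(events, timeframe=300):
    """Group events: a batch opens at its first event and takes every
    later event within `timeframe` seconds of that first event."""
    batches, current = [], []
    for ev in sorted(events):
        if current and (ev.time - current[0].time).total_seconds() > timeframe:
            batches.append(current)
            current = []
        current.append(ev)
    if current:
        batches.append(current)
    return batches


def format_alert(batch):
    """One summary text per batch: a header line, then one line per package."""
    head = "%d yum package change(s) between %s and %s:" % (
        len(batch), batch[0].time.strftime("%H:%M:%S"),
        batch[-1].time.strftime("%H:%M:%S"))
    return "\n".join([head] + ["  %s: %s" % (e.action, e.package) for e in batch])
```

Run over the sample, the first four lines collapse into one summary and the kernel update, an hour later, gets its own.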
