You should take a look at this patch: https://groups.google.com/forum/?fromgroups=#!search/accumulator/ossec-dev/NfQaFREyCHI/ycoRVq6YD_gJ
On Thursday, December 13, 2012 8:21:51 AM UTC-8, Mike Hubbard wrote:
>
> Hello -
> I am trying to construct a set of rules that cause a change in behavior if a certain thing happens.
> My first rule catches a particular line from a log file and has an ID of 100500.
> Then I have a set of rules that look something like this:
>
>   <rule id="100524" level="3" frequency="1" timeframe="300">
>     <if_matched_sid>100500</if_matched_sid>
>     <if_sid>550</if_sid>
>     <match>/a/file/im/interested/in</match>
>     <description>Acceptable update of /a/file/im/interested/in</description>
>   </rule>
>
>   <rule id="100525" level="3" frequency="1" timeframe="300">
>     <if_matched_sid>100500</if_matched_sid>
>     <if_sid>550</if_sid>
>     <match>/a/differentfile/im/interested/in</match>
>     <description>Acceptable update of /a/differentfile/im/interested/in</description>
>   </rule>
>
> This works just great - the first time through. If, within the 5-minute period, one of the files is modified, then either rule 100524 or 100525 triggers.
> But that is the end of my show. I've been interpreting frequency and timeframe as count of alerts within the time period - but it appears to me that my count of alerts is being reset after the first composite rule fires. Is it not "legal" to have multiple rules watching the frequency of some other rule? Is there some other simpler problem here with my rules?
>
> Thank you
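To make the correlation the post describes concrete, here is a small sliding-window correlator added as an illustration; it is not OSSEC's analysisd code and is not from the thread. It implements the poster's reading of frequency/timeframe: a composite rule fires when an alert with its if_sid arrives, its match string is present, and the if_matched_sid rule has fired at least `frequency` times within `timeframe` seconds, with the base-rule history left in place rather than consumed. The rule ids, sids and match strings are the ones quoted above; the event timeline is constructed for the example, and the syscheck message text is an assumption made for illustration.

```python
from collections import deque

# Composite rules modelled on the two quoted in the thread.
RULES = [
    {"id": 100524, "if_sid": 550, "if_matched_sid": 100500, "frequency": 1,
     "timeframe": 300, "match": "/a/file/im/interested/in"},
    {"id": 100525, "if_sid": 550, "if_matched_sid": 100500, "frequency": 1,
     "timeframe": 300, "match": "/a/differentfile/im/interested/in"},
]


class Correlator:
    """Sliding-window correlator (constructed model, not OSSEC's engine).

    history[rule_id] holds the timestamps at which that rule fired.  Composite
    rules read the history of their if_matched_sid rule without removing
    entries, so several composite rules can key off the same base alert.
    """

    def __init__(self, rules):
        self.rules = rules
        self.history = {}

    def _record(self, rule_id, ts):
        self.history.setdefault(rule_id, deque()).append(ts)

    def _count_within(self, rule_id, ts, timeframe):
        """Number of times rule_id fired in the last `timeframe` seconds."""
        q = self.history.get(rule_id)
        if not q:
            return 0
        # Expire entries that have aged out of the window.
        while q and ts - q[0] > timeframe:
            q.popleft()
        return len(q)

    def process(self, ts, sid, text):
        """Feed one decoded alert (time, rule id it matched, log text).

        Returns the list of composite rule ids that fire for this alert.
        """
        self._record(sid, ts)
        fired = []
        for rule in self.rules:
            if rule["if_sid"] != sid or rule["match"] not in text:
                continue
            seen = self._count_within(rule["if_matched_sid"], ts, rule["timeframe"])
            if seen >= rule["frequency"]:
                fired.append(rule["id"])
                self._record(rule["id"], ts)
        return fired


def run_scenario():
    """Constructed timeline: one base alert (100500) followed by two file
    changes inside the 300 s window and one after it has closed."""
    events = [
        (0, 100500, "maintenance window opened"),                      # base rule fires
        (60, 550, "Integrity checksum changed for: '/a/file/im/interested/in'"),
        (120, 550, "Integrity checksum changed for: '/a/differentfile/im/interested/in'"),
        (400, 550, "Integrity checksum changed for: '/a/file/im/interested/in'"),  # window expired
    ]
    corr = Correlator(RULES)
    return [(ts, corr.process(ts, sid, text)) for ts, sid, text in events]


if __name__ == "__main__":
    for ts, fired in run_scenario():
        print(f"t={ts:>3}s fired={fired}")
```

Under this reading both 100524 (at t=60) and 100525 (at t=120) fire off the single 100500 alert, and the change at t=400 raises nothing because the base alert has left the window. The poster observed the count being reset after the first composite rule fired, which is the behaviour the reply's patch link is about; the model shows only the expected semantics, not the engine's actual implementation.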