Hi Jake,

Take a look at rule 511:
<https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>.
 
It is the way to ignore an event coming from rule 510. You could do the same 
with a composite rule; it would be something like:

<rule id="70908" level="0" frequency="0" timeframe="45" ignore="300">
    <if_matched_sid>510</if_matched_sid>
    <match>your_file</match>
    <description>Ignore rule 510 for 'your_file' during 300 seconds.</description>
</rule>

frequency="0" would mean the rule must be matched 2 times (the effective 
frequency is always the setting + 2).
Level 0 will not generate an alert (for testing you could increase it).

I hope it helps.
Regards.


On Wednesday, April 5, 2017 at 5:11:22 PM UTC+2, Jake B. wrote:
>
> Hello,
>
> I have alerts coming in huge batches for rule 510. The batches of alerts 
> are essentially all the same event, and the file path of the area that's 
> causing this is essentially identical in each batch except for the last 
> file. I'm trying to set up a rule that would look at the ID I set up in my 
> decoder, which is a file path that takes the path except for the last file, 
> in order to match the batches of events. I want to alert only on the first 
> one and ignore the rest with that same ID for 5 minutes. First of all, does 
> the rule below look ok for this? Does frequency="0" work, as I know the 
> frequency essentially adds 2 to it? Also, another issue I'm having with 
> this in particular is that ossec-logtest does not test this rule correctly 
> at all. Even when I paste the message, it doesn't even show up as something 
> that would trigger rule 510, which is what the alerts are coming as. So 
> that is also making it hard to troubleshoot this. Any ideas? Thanks!
>
> <rule id="70908" level="7" frequency="2" timeframe="45" ignore="300">
>     <if_matched_sid>510</if_matched_sid>
>     <decoded_as>my_decoder</decoded_as>
>     <same_id />
>     <description>*TEST* - Only alert on the first docker root event for the same host and file path in a 60 second range.</description>
>     <description>*TEST* - This is meant to reduce noise as docker root events typically happen in batches with not much difference in meaning.</description>
> </rule>
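To see how frequency, timeframe and ignore interact on a batch of rule-510 events, here is a small Python model of the semantics described in this thread (an added example, not code from the thread or from OSSEC itself). It assumes the rule fires after frequency + 2 matches with the same decoded id inside timeframe seconds and then drops that id for ignore seconds; the per-id handling of ignore and the event stream are constructed assumptions, not a statement about OSSEC's internal implementation.

```python
from collections import defaultdict

# Constructed sample: (unix time, decoded id) for rule-510 events, where the
# decoded id is the file path without its last component, as in the question.
SAMPLE_EVENTS = [
    (0,   "/var/lib/docker/overlay2/abc"),
    (10,  "/var/lib/docker/overlay2/abc"),
    (20,  "/var/lib/docker/overlay2/abc"),
    (40,  "/var/lib/docker/overlay2/def"),   # a different id: its own counter
    (100, "/var/lib/docker/overlay2/abc"),   # still inside the ignore window
    (320, "/var/lib/docker/overlay2/abc"),   # ignore window has expired
    (330, "/var/lib/docker/overlay2/abc"),
]


def simulate(events, frequency=0, timeframe=45, ignore=300):
    """Return the (time, id) pairs at which the composite rule would fire.

    Model (assumption, mirroring the thread's description):
    - the rule needs frequency + 2 matches with the same id within
      `timeframe` seconds (frequency="0" therefore means two matches);
    - once fired for an id, further matches for that id are dropped for
      `ignore` seconds, after which counting starts again from zero.
    """
    needed = frequency + 2
    window = defaultdict(list)   # id -> timestamps of matches still in the timeframe
    ignored_until = {}           # id -> time until which matches are dropped
    fired = []
    for t, ident in events:
        if t < ignored_until.get(ident, 0):
            continue             # suppressed by the ignore attribute
        # discard matches that fell out of the timeframe, then add this one
        window[ident] = [x for x in window[ident] if t - x <= timeframe] + [t]
        if len(window[ident]) >= needed:
            fired.append((t, ident))
            window[ident] = []
            ignored_until[ident] = t + ignore
    return fired


if __name__ == "__main__":
    print("frequency=0:", simulate(SAMPLE_EVENTS))
    print("frequency=1:", simulate(SAMPLE_EVENTS, frequency=1))
```

With frequency="0" the second event at t=10 fires the rule and the burst up to t=100 is suppressed, while frequency="1" needs three matches before firing, which is the "+2" behaviour the reply describes.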
