Hi Jake, take a look at rule 511 <https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>. It is the way to ignore an event coming from rule 510. You could do the same with a composite rule; it would be something like:
<rule id="70908" level="0" frequency="0" timeframe="45" ignore="300">
  <if_matched_sid>510</if_matched_sid>
  <match>your_file</match>
  <description>Ignore rule 510 for 'your_file' during 300 seconds.</description>
</rule>

frequency="0" would mean the rule must be matched 2 times (frequency is always +2 compared to the setting). level 0 will not generate an alert (for testing you could increase it).

I hope it helps.

Regards.

On Wednesday, April 5, 2017 at 5:11:22 PM UTC+2, Jake B. wrote:
> Hello,
>
> I have alerts coming in huge batches for rule 510. The batches of alerts are essentially all the same event, and the file path of the area that's causing this is essentially identical in each batch except for the last file. I'm trying to set up a rule that would look at the ID I set up in my decoder, which is a file path that takes the path except for the last file, in order to match the batches of events. I want to alert only on the first one and ignore the rest with that same ID for 5 minutes. First of all, does the rule below look ok for this? Does frequency="0" work, as I know the frequency essentially adds 2 to it? Also, another issue I'm having with this in particular is that ossec-logtest does not test this rule correctly at all. Even when I paste the message, it doesn't even show up as something that would trigger rule 510, which is what the alerts are coming as. So that is also making it hard to troubleshoot this. Any ideas? Thanks!
>
> <rule id="70908" level="7" frequency="2" timeframe="45" ignore="300">
>   <if_matched_sid>510</if_matched_sid>
>   <decoded_as>my_decoder</decoded_as>
>   <same_id />
>   <description>*TEST* - Only alert on the first docker root event for the same host and file path in a 60 second range.</description>
>   <description>*TEST* - This is meant to reduce noise as docker root events typically happen in batches with not much difference in meaning.</description>
> </rule>
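As an added illustration (not code from this thread, and not the OSSEC/Wazuh engine itself), here is a small Python model of the frequency, timeframe, ignore and same_id counters as the thread describes them, replayed over a constructed burst of rule-510 events for one docker path. The function name run_composite, the "+2" offset and the sample paths are assumptions taken from the thread's own description, not from the ruleset source.

```python
# Model of a composite rule (if_matched_sid + frequency/timeframe/ignore + same_id)
# using the semantics discussed in the thread. Simplified assumption, not Wazuh code.
from collections import defaultdict

EFFECTIVE_OFFSET = 2  # thread: frequency="N" means the rule fires after N + 2 matches


def effective_frequency(frequency):
    """Matches needed inside the timeframe before the composite rule fires."""
    return frequency + EFFECTIVE_OFFSET


def run_composite(events, frequency=0, timeframe=45, ignore=300, level=0, if_matched_sid=510):
    """Replay (timestamp, sid, id) events, sorted by time, through one composite rule.

    Returns (fired, alerts): per-id timestamps at which the rule fired, and the subset
    that would produce an alert (level > 0).
    """
    need = effective_frequency(frequency)
    window = defaultdict(list)     # same_id value -> timestamps of matched events in the window
    ignore_until = defaultdict(int)  # same_id value -> time until which the rule stays quiet
    fired, alerts = [], []
    for ts, sid, key in events:
        if sid != if_matched_sid:
            continue                   # only events that already matched rule 510 count
        if ts < ignore_until[key]:
            continue                   # inside the ignore period for this id: suppressed
        hits = [t for t in window[key] if ts - t <= timeframe] + [ts]
        if len(hits) >= need:
            fired.append((ts, key))
            if level > 0:
                alerts.append((ts, key))
            ignore_until[key] = ts + ignore  # no further firing for this id for `ignore` seconds
            hits = []                        # counting starts over once the ignore period ends
        window[key] = hits
    return fired, alerts


# Constructed sample (not real logs): a burst on one path, one event on another path,
# one non-510 event, and a lone event on the first path after the ignore period.
ABC, XYZ = "/var/lib/docker/overlay2/abc", "/var/lib/docker/overlay2/xyz"
SAMPLE = [(0, 510, ABC), (1, 510, ABC), (1, 550, ABC), (2, 510, ABC), (2, 510, XYZ),
          (3, 510, ABC), (4, 510, ABC), (400, 510, ABC)]

if __name__ == "__main__":
    print(run_composite(SAMPLE, frequency=0, level=7))  # burst collapses to one firing at t=1
    print(run_composite(SAMPLE, frequency=2, level=7))  # Jake's setting needs 4 hits: fires at t=3
```

Note that the lone event at t=400 does not fire on its own: with frequency="0" the rule still needs two matches inside the timeframe, so a single 510 event after the ignore period only passes through rule 510.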