Hi Jesus,

Thanks for the reply. Would this also alert on the first instance of this? 
I still do want to alert, but I want to avoid the spam that comes with it 
as it typically happens in large batches with little to no difference in 
meaning between the different events.

Thanks!

On Thursday, April 6, 2017 at 1:24:05 AM UTC-7, Jesus Linares wrote:
>
> Hi Jake,
>
> take a look at rule 511 
> <https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>.
>  
> It is the way to ignore a event coming from rule 510. You could do the same 
> with a composite rule, it would be something like:
>
> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="300">
>     <if_matched_sid>510</if_matched_sid>
>     <match>your_file</match>
>     <description>Ignore rule 510 for 'your_file' during 300 seconds.</description>
> </rule>
>
> frequency="0" would mean the rule must be matched 2 times (frequency is 
> always +2 than the setting).
> level 0 will not generate an alert (for testing you could increase it).
>
> I hope it helps.
> Regards.
>
>
> On Wednesday, April 5, 2017 at 5:11:22 PM UTC+2, Jake B. wrote:
>>
>> Hello,
>>
>> I have alerts coming in huge batches for rule 510. The batches of alerts 
>> are essentially all the same event, and the file path of the area that's 
>> causing this is essentially identical in each batch except for the last 
>> file. I'm trying to set up a rule that would look at the ID I set up in my 
>> decoder, which is a file path that takes the path except for the last file, 
>> in order to match the batches of events. I want to alert only on the first 
>> one and ignore the rest with that same ID for 5 minutes. First of all, does 
>> the rule below look ok for this? Does frequency="0" work, as I know the 
>> frequency essentially adds 2 to it? Also, another issue I'm having with 
>> this in particular is that ossec-logtest does not test this rule correctly 
>> at all. Even when I paste the message, it doesn't even show up as something 
>> that would trigger rule 510, which is what the alerts are coming as. So 
>> that is also making it hard to troubleshoot this. Any ideas? Thanks!
>>
>> <rule id="70908" level="7" frequency="2" timeframe="45" ignore="300">
>>     <if_matched_sid>510</if_matched_sid>
>>     <decoded_as>my_decoder</decoded_as>
>>     <same_id />
>>     <description>*TEST* - Only alert on the first docker root event
>>     for the same host and file path in a 60 second range.</description>
>>     <description>*TEST* - This is meant to reduce noise as docker root events
>>     typically happen in batches with not much difference in
>>     meaning.</description>
>> </rule>
>>
>>
>>
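Added example (written for this thread, not code from either poster) of the "alert once, then suppress" pattern being discussed, using the same rule id and a placeholder path. It assumes the rule `ignore` attribute suppresses repeated firings of that rule for the given number of seconds and that it applies to the rule as a whole rather than per matched id.

```xml
<group name="local,">
  <!-- Fires on the first event that rule 510 produces for the placeholder
       path: if_sid (not if_matched_sid) needs no earlier match, so the
       first event alerts at level 7. ignore="300" then suppresses further
       firings of this rule for 300 seconds, which removes the batch spam. -->
  <rule id="70908" level="7" ignore="300">
    <if_sid>510</if_sid>
    <match>/path/to/your_file</match>
    <description>Rule 510 for '/path/to/your_file': alert once, then ignore for 300 seconds.</description>
  </rule>
</group>
```

Because `<same_id />` and `frequency` compare the current event with previously matched ones, a rule that uses them cannot fire on the very first event; that is why the suppression here relies on `ignore` alone.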
