Hello,

You will need to configure the frequency and timeframe in rule 100003 (http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html). You can see some examples here: https://github.com/ossec/ossec-hids/blob/72641d6f22c63b97f290ae22d47a79032b56d0fd/etc/rules/sshd_rules.xml#L49
Best Regards,
Alberto R.

On Tuesday, April 24, 2018 at 11:49:58 AM UTC+2, Chinmay Pandya wrote:
> I created 2 custom rules, rule id 100002 and 100003.
>
> Rule id 100002 is with alert level 1 and 100003 with alert level 8.
>
> Rule 100003 is based on the frequency of alert 100002.
>
> If I use ossec-logtest, it confirms rule id 100003 correctly. But when I run restarted ossec, it always matches rule id 100002 and never 100003.
>
> I even copied the syslog message from the alert and gave it to logtest on the same server, and it is able to trigger rule id 100003. So I don't know why ossec always matches 100002 only.
>
> These are my rules:
>
>     <rule id="100002" level="1">
>       <decoded_as>iptables</decoded_as>
>       <match> entered promiscuous mode</match>
>       <description>Interface entered in promiscuous(sniffing) mode.</description>
>     </rule>
>
>     <rule id="100003" level="8">
>       <if_matched_sid>100002</if_matched_sid>
>       <same_location />
>       <same_id />
>       <regex>device (\S+) entered promiscuous mode$</regex>
>       <description>Interface entered in promiscuous(sniffing) mode 2x in 24 hrs.</description>
>     </rule>
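As an added illustration of the reply above (not part of either message in the thread), here is how rule 100003 would look with the `frequency` and `timeframe` attributes that OSSEC uses for composite (correlation) rules. The values are assumptions chosen to match the rule's own description ("2x in 24 hrs"): `frequency="2"` and `timeframe="86400"` seconds. Without these attributes, an `<if_matched_sid>` rule has no counting window to evaluate, which is consistent with the live engine only ever firing the level-1 rule 100002.

```xml
<!-- Added example for local_rules.xml; assumes the decoder name "iptables"
     used in the original post and the rule ids 100002/100003 from it. -->
<group name="local,promisc,">

  <!-- Base rule: matches every kernel message about an interface entering
       promiscuous mode. Level 1 keeps it out of the default alert threshold. -->
  <rule id="100002" level="1">
    <decoded_as>iptables</decoded_as>
    <match> entered promiscuous mode</match>
    <description>Interface entered in promiscuous (sniffing) mode.</description>
  </rule>

  <!-- Composite rule: fires when 100002 has matched "frequency" times within
       "timeframe" seconds from the same location and same id.
       frequency="2" and timeframe="86400" (24 h) are assumed values matching
       the description; tune them to the noise level of your hosts. -->
  <rule id="100003" level="8" frequency="2" timeframe="86400">
    <if_matched_sid>100002</if_matched_sid>
    <same_location />
    <same_id />
    <regex>device (\S+) entered promiscuous mode$</regex>
    <description>Interface entered in promiscuous (sniffing) mode 2x in 24 hrs.</description>
  </rule>

</group>
```

Two practical checks after editing the rules: restart OSSEC so the rule set is reloaded, then feed the same kernel message to `ossec-logtest` several times in one session and confirm that the output switches from rule 100002 to rule 100003 once the count is reached. The exact number of matches that triggers a composite rule is described in the linked head_rules documentation and should be verified against the OSSEC version in use rather than read literally from the attribute.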