[ossec-list] Re: Increase number of connections for apache2
Hi Augustinho,

Any rule with ID less than 100 is not defined in the rules configuration,
because they are internally generated (in this case, it is from the
stats module). It would be something similar to a snort preprocessor
alert (if you have ever used snort).

Basically, ossec creates a baseline of the events and if the number
of messages deviates from it, an alert is generated. If you go to the
"global" section of your config and set the "stats" option to 3 or 4,
you will not see this alert anymore.

  <global>
  ..
  <stats>3</stats>
  ..
  </global>

Or if you prefer, you can go to internal_options.conf and
increase the analysisd.stats_percent_diff, so that it will alert
on 30 or 40% (instead of the default 20%). Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/24/06, Augustinho Catto <Catto@xxxxxxxxxxx> wrote:
>
> Hello,
>
> I've been receiving a lot of the following messages:
> ----------------------------begin ---------------------------------
> "Received From: (barcelona) 10.10.200.101->/var/log/apache2/access_log
> Rule: 11 fired (level 8) -> "Excessive number of connections during this hour."
> Portion of the log(s):
>
> The average number of logs between 2:00 and 3:00 is 69. We reached 120.'
> No Log Available (HOURLY_STATS)"
> --------------------------------- end ---------------------------------
>
> I would like to modify rule number 11, but I couldn't find it. I used 'grep 11 *' inside of the rules directory.
> I need to increase the number of connections.
>
> Any help is welcome.
>
> TIA
>
> Catto
>
> Augustinho Valmor Catto
> GSI - Infraestrutura de TI
> Fone 51 590 8386 - Ramal 1881.
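
The baseline check described in the reply above, as an added example that is not part of the original thread and is not OSSEC's code: a simplified model which assumes the alert fires when an hour's count exceeds that hour's running average by more than the configured percentage. The class, the function names and the sample history are constructed for illustration.

```python
# Added example: simplified model of an hourly event-count baseline.
# Not OSSEC source code; the "percent above the hourly average" rule
# is an assumption made for illustration.
import math
from collections import defaultdict


class HourlyBaseline:
    def __init__(self, percent_diff=20):
        self.percent_diff = percent_diff      # allowed % above the average
        self.totals = defaultdict(int)        # hour -> sum of counts seen
        self.samples = defaultdict(int)       # hour -> number of days seen

    def learn(self, hour, count):
        """Fold one day's count for this hour into the baseline."""
        self.totals[hour] += count
        self.samples[hour] += 1

    def average(self, hour):
        n = self.samples[hour]
        return self.totals[hour] / n if n else None

    def percent_over(self, hour, count):
        """How far (in %) count sits above the hour's average; 0 if not above."""
        avg = self.average(hour)
        if not avg or count <= avg:           # no baseline yet, or within it
            return 0.0
        return (count - avg) * 100.0 / avg

    def alerts(self, hour, count):
        return self.percent_over(hour, count) > self.percent_diff


def min_quiet_percent(baseline, hour, count):
    """Smallest whole-number percent_diff at which this count stops alerting."""
    return math.ceil(baseline.percent_over(hour, count))


# Constructed history for the 2:00-3:00 hour; its mean is 69, the average
# quoted in the alert. 120 is the observed count from the same alert.
HISTORY_HOUR_2 = [60, 72, 75, 69]


def demo(observed=120, thresholds=(20, 30, 40, 75)):
    results = {}
    for pct in thresholds:
        b = HourlyBaseline(pct)
        for c in HISTORY_HOUR_2:
            b.learn(2, c)
        results[pct] = b.alerts(2, observed)
    return results


if __name__ == "__main__":
    print(demo())
```

Under this model, the figures from the quoted alert (average 69, observed 120) put the hour about 74% above its baseline.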
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.