[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Overriding "Frequency" Rules

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Overriding "Frequency" Rules
From: Michael Starks <ossec@xxxxxxxxxxxxxxxxx>
Date: Tue, 20 Feb 2007 22:34:37 -0500

I am having a problem ignoring or otherwise tweaking rules which use
times.  For example, rule 18152 is to alert on Multiple Windows Logon
Failures.  I have tried tweaking the rule in two ways (the goal being to
increase the frequency, of course in local_rules.xml):

1. Writing a rule to set the level to 0 which references the 18152 rule,
and another rule with a higher frequency which references 18106.

2. Writing a rule based on 18152 with it's own frequency, but I'm not
entirely sure what the result of this would be.  It seems that it would
fire after 18152 fires, so really it ends up being something like "only
alert if you see n number of logins within n timeframe, after you have
seen n number of logins within n timeframe"  If that makes sense...

What's the correct way to ignore/override rules which have frequencies
in them?

Thanks.

Follow-Ups:
- [ossec-list] Re: Overriding "Frequency" Rules
  - From: Daniel Cid

Prev by Date: [ossec-list] Re: weird stuff
Next by Date: [ossec-list] ossec-wui and selinux
Previous by thread: [ossec-list] Re: Problems faced with OSSEC.
Next by thread: [ossec-list] Re: Overriding "Frequency" Rules
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.