[ossec-list] Re: Overriding "Frequency" Rules
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Overriding "Frequency" Rules
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sat, 24 Feb 2007 16:34:51 -0400
Hi Michael,
Unfortunately, it is hard to solve this problem on the 1.0 version. If you
set a rule with a level 0 after the 18152, your other new rule with an increased
frequency is never going to be fired.
On the good side, version 1.1 has a fix for this (you can check it out on
the latest beta): http://www.ossec.net/dcid/?p=42
It allows you to overwrite a rule with whatever values you want in the
local_rules.xml. For example, to overwrite the 18152 with a frequency
of 20, just paste the following on your local rules:
<rule id="18152" level="10" frequency="20" timeframe="240" overwrite="yes">
<if_matched_sid>18106</if_matched_sid>
<description>Multiple Windows Logon Failures.</description>
<group>authentication_failures,</group>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 2/20/07, Michael Starks <ossec@xxxxxxxxxxxxxxxxx> wrote:
I am having a problem ignoring or otherwise tweaking rules which use
times. For example, rule 18152 is to alert on Multiple Windows Logon
Failures. I have tried tweaking the rule in two ways (the goal being to
increase the frequency, of course in local_rules.xml):
1. Writing a rule to set the level to 0 which references the 18152 rule,
and another rule with a higher frequency which references 18106.
2. Writing a rule based on 18152 with its own frequency, but I'm not
entirely sure what the result of this would be. It seems that it would
fire after 18152 fires, so really it ends up being something like "only
alert if you see n number of logins within n timeframe, after you have
seen n number of logins within n timeframe" If that makes sense...
What's the correct way to ignore/override rules which have frequencies
in them?
Thanks.
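A small local_rules.xml lint, added here as an illustration and not part of the thread or of OSSEC itself, that flags the two things discussed above: a level-0 rule pointed at a frequency rule (the approach that does not work on 1.0) and an overwrite="yes" rule whose id has no base rule to overwrite. The base ruleset fragment is constructed for the example (only the fields needed; the real 18152 frequency is not taken from the page), and the rule-evaluation semantics are assumed from the thread, not from the OSSEC source.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the stock rules the thread talks about
# (not a copy of OSSEC's rules file; frequency value is invented).
BASE_RULES = """<group name="windows,">
  <rule id="18106" level="5"><description>Windows Logon Failure.</description></rule>
  <rule id="18152" level="10" frequency="8" timeframe="240">
    <if_matched_sid>18106</if_matched_sid>
    <description>Multiple Windows Logon Failures.</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Return {id: <rule> element} for every <rule> in a rules fragment."""
    root = ET.fromstring(f"<rules>{xml_text}</rules>")
    return {r.get("id"): r for r in root.iter("rule")}


def lint_local_rules(local_xml, base_xml=BASE_RULES):
    """Report local-rule patterns that will not retune a frequency rule."""
    base = load_rules(base_xml)
    local = load_rules(local_xml)
    freq_ids = {rid for rid, r in base.items() if r.get("frequency")}
    findings = []
    for rid, r in local.items():
        # overwrite="yes" only makes sense against a rule id that exists
        if r.get("overwrite") == "yes" and rid not in base:
            findings.append(f"rule {rid}: overwrite='yes' but no base rule {rid}")
        # level 0 on a frequency rule silences it; the thread's 1.0 case
        if r.get("level") == "0":
            for sid in r.findall("if_sid"):
                for target in (sid.text or "").split(","):
                    target = target.strip()
                    if target in freq_ids:
                        findings.append(
                            f"rule {rid}: level 0 on frequency rule {target}; "
                            f"use overwrite='yes' on {target} instead")
    return findings


if __name__ == "__main__":
    # Constructed local rule using the pattern Michael tried first.
    sample = ('<rule id="100200" level="0"><if_sid>18152</if_sid>'
              '<description>silence</description></rule>')
    for line in lint_local_rules(sample):
        print(line)
```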
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.