Throttling of events in OSSEC


chintan shah

Jul 7, 2017, 12:06:05 PM
to ossec-list
Hi Guys , 

Just wanted to check if anybody has an idea on how to throttle the events in OSSEC . I have a situation where there are 20 duplicate alerts within a second and I would want to raise only 1 alert for that . Is there any event throttling mechanism in OSSEC where only 1 event can be raised for the N number of events within a timeframe ? 

Regards
Chintan

dan (ddp)

Jul 8, 2017, 1:51:48 PM
to ossec...@googlegroups.com
Look at the frequency and timeframe rule options.

> Regards
> Chintan

chintan shah

Jul 11, 2017, 4:03:50 AM
to ossec-list
Hi Dan , 

Thanks for the response. I am aware of the frequency and timeframe options in the rule, but they do not serve the purpose. Let me frame the requirement in a slightly different way.

Basically, we have 50 duplicate events generated within a period of 1 sec which we want to throttle down to 1 event per sec. This is to avoid having the user investigate too many events. To achieve this, OSSEC will have to hold the said event [based on rule ID] for 1 sec and see how many such events arrive within that 1 sec. If the number goes beyond 50, then post just one aggregated alert instead of 50 different ones. If that does not happen, then just release whatever is held.

Hope that helps. If there is any workaround in OSSEC to achieve this, it would really help to reduce the number of events.

Jesus Linares

Jul 11, 2017, 11:14:40 AM
to ossec-list
Hi,

As far as I know, that is not possible.

You could use composite rules. Ignore the first 49 times (it will generate an alert with level 1, but I guess you are getting alerts only from level 3). Then, it will generate an alert with level 3 when the manager receives the event number 50.

<decoder name="test_throttling">
  <prematch>^test</prematch>
</decoder>

<group name="test_throttling,">

  <!--
    test: 50 times in 1 sec
  -->

  <rule id="100001" level="1">
    <decoded_as>test_throttling</decoded_as>
    <description>Test</description>
  </rule>

  <rule id="100002" level="3" frequency="48" timeframe="2">
    <if_matched_sid>100001</if_matched_sid>
    <description>Test: 50 times</description>
  </rule>

</group>

I hope it helps.
Regards.
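To see how many alerts the composite-rule approach above actually produces for a burst, here is an added sliding-window model of it (example code written for this thread, not OSSEC's own analysisd logic). It assumes, as the reply states, that frequency="48" fires on the 50th match, i.e. the rule fires once frequency + 2 parent matches fall inside the timeframe, and it assumes the match window is cleared after firing so that one burst yields one aggregated alert; the burst() input is constructed sample data.

```python
# Added example (not OSSEC code): sliding-window model of the composite rule
# from the reply above, used to count alerts per level for a given burst.
from collections import deque

class CompositeRule:
    """Models <rule frequency=... timeframe=...> with <if_matched_sid>.

    Assumption (from the thread: frequency="48" fires on event 50): the rule
    fires once frequency + 2 parent matches fall within `timeframe` seconds.
    Assumption: the window is cleared after firing, so a burst gives one
    aggregated alert instead of one alert per further event.
    """

    def __init__(self, rule_id, level, parent_sid, frequency, timeframe):
        self.rule_id, self.level = rule_id, level
        self.parent_sid, self.timeframe = parent_sid, timeframe
        self.threshold = frequency + 2
        self.window = deque()  # timestamps of recent parent-rule matches

    def feed(self, ts, sid):
        """Record a parent match at time ts; return (rule_id, level) if it fires."""
        if sid != self.parent_sid:
            return None
        self.window.append(ts)
        while ts - self.window[0] > self.timeframe:  # drop matches outside the window
            self.window.popleft()
        if len(self.window) >= self.threshold:
            self.window.clear()
            return (self.rule_id, self.level)
        return None

def run(events, log_level=3):
    """events: [(timestamp, message)]; returns alerts with level >= log_level.

    Mirrors the thread's decoder (prematch ^test), rule 100001 at level 1 and
    rule 100002 at level 3 with frequency 48 / timeframe 2.
    """
    composite = CompositeRule(100002, 3, 100001, 48, 2)
    alerts = []
    for ts, msg in sorted(events):
        if not msg.startswith("test"):  # decoder prematch did not match
            continue
        alerts.append((ts, 100001, 1))  # base rule fires on every match
        hit = composite.feed(ts, 100001)
        if hit:
            alerts.append((ts, *hit))
    return [a for a in alerts if a[2] >= log_level]

def burst(n, span=1.0, start=0.0):
    """Constructed sample input: n 'test' lines spread evenly over span seconds."""
    return [(start + i * span / n, "test event %d" % i) for i in range(n)]

if __name__ == "__main__":
    print(run(burst(50)))     # one level-3 alert for the whole burst
    print(run(burst(49)))     # nothing at level 3: below the threshold
    print(run(burst(50), 1))  # 50 level-1 alerts plus the level-3 one
```

With the manager logging from level 3, a 50-event burst surfaces as a single alert, while the 49 level-1 hits stay out of the analyst's queue; spreading the same 50 events over 3 seconds never reaches the threshold because the 2-second timeframe prunes the oldest matches.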