Meaning of "after" keyword


st...@sroskam.nl

Nov 23, 2020, 5:41:47 PM11/23/20
to sagan-users
Hello,

I'm testing rules that use the after keyword and I'm a bit confused about how they work. If I look at the documentation:

after: track {by_src|by_dst|by_username|by_string}, count {number of event}, seconds {number of seconds};

“after” is used to trigger an alert “after” a number of events have happened within a specific amount of time. “after” tracks by the source or destination IP address of the event. The example would track events by the source IP address. If the event is triggered more than 10 times within 300 seconds (5 minutes), an alert is triggered.

after: track by_src, count 10, seconds 300;  

From the documentation I expected that the rule would trigger if 10 events occur within a total time frame of 300s, but if I look at my actual results it seems that all events are counted as long as there is no gap of more than 300s between them.

Is it correct that only the gap between the events is relevant and not the total duration?

Best regards,

Stef
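To make the two readings of `after` concrete, here is an added simulation (my own code, not Sagan's implementation) of both interpretations over constructed event timestamps: a "window" reading where the 300-second clock starts at the first event from a source, and a "gap" reading where the count is only reset when two consecutive events are more than 300 seconds apart. Both models assume the alert fires once, when the count is reached; the timestamps and source addresses are constructed sample data.

```python
"""Simulate two readings of `after: track by_src, count N, seconds S`.

window_semantics: the S-second window opens at the first event from a source;
the alert fires when N events fall inside it; an event past the window's end
opens a new window.  (The reading the documentation suggests.)
gap_semantics: the count is reset only when two consecutive events from the
same source are more than S seconds apart.  (The behaviour reported above.)
Both return the timestamps at which an alert would fire (hypothetical models).
"""
from collections import defaultdict


def window_semantics(events, count, seconds):
    """events: list of (timestamp, src) in time order."""
    start = {}                # src -> timestamp that opened its current window
    seen = defaultdict(int)   # src -> events counted in the current window
    fired = []
    for ts, src in events:
        if src not in start or ts - start[src] > seconds:
            start[src] = ts   # window expired (or first event): start afresh
            seen[src] = 0
        seen[src] += 1
        if seen[src] == count:
            fired.append(ts)
    return fired


def gap_semantics(events, count, seconds):
    """Same input; the counter survives as long as no gap exceeds `seconds`."""
    last = {}                 # src -> timestamp of the previous event
    seen = defaultdict(int)
    fired = []
    for ts, src in events:
        if src in last and ts - last[src] > seconds:
            seen[src] = 0     # only a gap longer than S resets the counter
        last[src] = ts
        seen[src] += 1
        if seen[src] == count:
            fired.append(ts)
    return fired


# Constructed sample data: 12 events 40s apart (never 10 within any 300s
# window, but no gap over 300s) and a burst of 10 events 10s apart.
SLOW_DRIP = [(40 * i, "10.0.0.1") for i in range(12)]
BURST = [(10 * i, "10.0.0.2") for i in range(10)]

if __name__ == "__main__":
    for name, evts in (("slow drip", SLOW_DRIP), ("burst", BURST)):
        print(name, "window:", window_semantics(evts, 10, 300),
              "gap:", gap_semantics(evts, 10, 300))
```

The slow-drip case is the one that separates the two readings: it never fires under the window model but fires at the tenth event under the gap model.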

Champ Clark III

Nov 23, 2020, 9:55:29 PM11/23/20
to sagan-users
I think you might be correct but would really need to go back and look at the code. Give me a bit and I'll look ASAP.
