Hello Valton!
To accomplish that we need to write a custom rule with your specific requirements and then use this new rule to trigger the active response.
We have to use if_matched_sid to match rule 31101, together with same_srcip, and adjust the frequency and timeframe as needed.
For example:
<rule id="100005" level="5" frequency="5" timeframe="30">
  <if_matched_sid>31101</if_matched_sid>
  <same_srcip />
  <description>Multiple web server 400 error code.</description>
</rule>

The rule 100005 will trigger an alert when rule 31101 is matched 5 times in a 30-second period coming from the same source IP.
You need to add that rule to /var/ossec/etc/rules/local_rules.xml, as explained in the Custom rules and decoders guide.
Then you need to change your active response block to trigger when this new rule is fired:
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100005</rules_id>
  <timeout>5</timeout>
</active-response>

Remember to restart the manager after making these changes.
Let me know if you need any more help with this.
Regards!
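As an added illustration (not part of the reply above, and not Wazuh's own code), the following Python models what the frequency/timeframe/same_srcip combination does: it walks a stream of alerts, keeps a per-source-IP sliding window of rule 31101 matches, and fires the composite rule 100005 once 5 matches land within 30 seconds, then lists the IPs the firewall-drop response would act on. The sample alerts are constructed in a simplified alerts.json-like shape (timestamp, rule.id, data.srcip); the assumptions that the window boundary is inclusive and that the per-IP counter resets after the composite rule fires are this example's, not a statement about analysisd internals.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample alerts (simplified alerts.json-like shape, not real Wazuh output).
# 203.0.113.5 produces five 31101 hits in 24 seconds; 198.51.100.7 never gets five
# hits inside any 30-second window; the 31100 line is a different rule id and must be
# ignored by the if_matched_sid logic.
SAMPLE_ALERTS = """
{"timestamp":"2024-05-01T10:00:00","rule":{"id":"31101"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-05-01T10:00:04","rule":{"id":"31101"},"data":{"srcip":"198.51.100.7"}}
{"timestamp":"2024-05-01T10:00:06","rule":{"id":"31101"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-05-01T10:00:09","rule":{"id":"31100"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-05-01T10:00:12","rule":{"id":"31101"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-05-01T10:00:15","rule":{"id":"31101"},"data":{"srcip":"198.51.100.7"}}
{"timestamp":"2024-05-01T10:00:18","rule":{"id":"31101"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-05-01T10:00:24","rule":{"id":"31101"},"data":{"srcip":"203.0.113.5"}}
{"timestamp":"2024-05-01T10:00:40","rule":{"id":"31101"},"data":{"srcip":"198.51.100.7"}}
{"timestamp":"2024-05-01T10:00:55","rule":{"id":"31101"},"data":{"srcip":"198.51.100.7"}}
{"timestamp":"2024-05-01T10:01:10","rule":{"id":"31101"},"data":{"srcip":"198.51.100.7"}}
"""

# Values taken from the rule in the reply above.
PARENT_RULE = "31101"
CHILD_RULE = "100005"
FREQUENCY = 5
TIMEFRAME = 30  # seconds


def parse_alerts(text):
    """Turn the JSON lines into (timestamp, rule_id, srcip) tuples, sorted by time."""
    alerts = []
    for line in text.strip().splitlines():
        a = json.loads(line)
        alerts.append((datetime.fromisoformat(a["timestamp"]),
                       a["rule"]["id"],
                       a["data"]["srcip"]))
    return sorted(alerts)


def correlate(alerts, parent=PARENT_RULE, child=CHILD_RULE,
              frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Model of if_matched_sid + same_srcip + frequency/timeframe.

    Returns a list of (timestamp, child_rule_id, srcip) for every time the
    composite rule fires. Only matches of `parent` count (if_matched_sid), each
    source IP has its own window (same_srcip), and the window keeps only matches
    no older than `timeframe` seconds.
    """
    windows = defaultdict(deque)   # srcip -> timestamps of recent parent matches
    fired = []
    for ts, rule_id, srcip in alerts:
        if rule_id != parent:
            continue
        w = windows[srcip]
        w.append(ts)
        # Drop matches that fell out of the timeframe (inclusive boundary: assumption).
        while (ts - w[0]).total_seconds() > timeframe:
            w.popleft()
        if len(w) >= frequency:
            fired.append((ts, child, srcip))
            w.clear()  # assumption: counter restarts after the composite rule fires
    return fired


def drop_targets(fired, timeout=5):
    """IPs the firewall-drop active response would block, with the configured timeout."""
    return {srcip: timeout for _, _, srcip in fired}


if __name__ == "__main__":
    events = correlate(parse_alerts(SAMPLE_ALERTS))
    for ts, rule_id, srcip in events:
        print(f"{ts.isoformat()} rule {rule_id} fired for {srcip}")
    print("firewall-drop targets:", drop_targets(events))
```

Running it fires 100005 exactly once, at 10:00:24 for 203.0.113.5, and leaves 198.51.100.7 alone even though it produced five 31101 alerts in total, which is the point of the timeframe: volume spread over more than 30 seconds never reaches the threshold.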