Dear users,
I recently created a rule to detect "Adult sites" traffic and receive the related alert notifications.
It works as expected. I also created an aggregation rule to reduce log flooding, as follows:
<rule id="100301" level="3">
  <decoded_as>json</decoded_as>
  <field name="Alert">Adult Content</field>
  <field name="InfoMsg">\.+</field>
  <field name="SenderType">Firewall</field>
  <description>Adult content site access</description>
</rule>
<rule id="100302" level="12" frequency="3" timeframe="240">
  <if_matched_sid>100301</if_matched_sid>
  <same_source_ip />
  <description>Multiple Adult content site accesses</description>
</rule>
I tried to trigger the rule generating "Adult" traffic, but only the 100301 rule is triggered.
During the test, I visited the same site from the same source IP. I noticed that not all the alerts I generated are listed in the Wazuh Dashboard (Security events). It seems that some alerts are skipped in the dashboard.
In any case, I was able to generate, in the specified timeframe, more than 3 alert occurrences. But the aggregation rule is not triggered.
I see that other users had the same issue, but I didn't understand the way to fix the issue.
I increased the RAM from 8 to 16GB and I added 4 additional cores (it is a VM with an 8-core vCPU).
Could you please help me?
Thank you in advance,
Mauro
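A small simulation, added here and not part of the original post or of Wazuh itself, of how the two rules in the post are meant to correlate: rule 100301 matches on the three JSON fields, and 100302 fires when `frequency` matches from the same source IP fall inside `timeframe`. The sample log lines, the `ts` and `srcip` field names and the reset-after-firing behaviour are assumptions; in Wazuh `<same_source_ip />` compares the decoded source IP, so a JSON log that carries no `srcip` field gives 100302 nothing to correlate on, which is the first thing to check when only 100301 fires.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FREQUENCY = 3                     # frequency="3" on rule 100302
TIMEFRAME = timedelta(seconds=240)  # timeframe="240" on rule 100302

# Constructed sample events, not real firewall logs. Field names "ts" and "srcip" are assumptions.
SAMPLE_LOGS = [
    '{"ts": "2024-01-01T10:00:00", "srcip": "10.0.0.5", "Alert": "Adult Content", "InfoMsg": "blocked site-a.example", "SenderType": "Firewall"}',
    '{"ts": "2024-01-01T10:01:00", "srcip": "10.0.0.5", "Alert": "Adult Content", "InfoMsg": "blocked site-a.example", "SenderType": "Firewall"}',
    '{"ts": "2024-01-01T10:02:00", "srcip": "10.0.0.5", "Alert": "Adult Content", "InfoMsg": "blocked site-a.example", "SenderType": "Firewall"}',
    '{"ts": "2024-01-01T10:03:00", "srcip": "10.0.0.5", "Alert": "Adult Content", "InfoMsg": "blocked site-b.example", "SenderType": "Firewall"}',
    '{"ts": "2024-01-01T10:03:30", "Alert": "Adult Content", "InfoMsg": "no srcip field in this log", "SenderType": "Firewall"}',
    '{"ts": "2024-01-01T10:10:00", "srcip": "10.0.0.5", "Alert": "Adult Content", "InfoMsg": "blocked site-a.example", "SenderType": "Firewall"}',
    '{"ts": "2024-01-01T10:11:00", "srcip": "10.0.0.5", "Alert": "Malware", "InfoMsg": "unrelated event", "SenderType": "Firewall"}',
]


def matches_100301(ev):
    # The three <field> conditions of rule 100301. In OS_Regex "\.+" means one or
    # more of any character, modelled here as "InfoMsg is present and non-empty".
    return (ev.get("Alert") == "Adult Content"
            and bool(ev.get("InfoMsg"))
            and ev.get("SenderType") == "Firewall")


def correlate(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return (rule_id, srcip) tuples in firing order for a list of JSON log lines."""
    alerts = []
    history = defaultdict(deque)  # srcip -> timestamps of recent 100301 matches
    for line in lines:
        ev = json.loads(line)
        if not matches_100301(ev):
            continue
        srcip = ev.get("srcip")
        alerts.append(("100301", srcip))
        if srcip is None:
            # <same_source_ip /> has no decoded source IP to compare: 100302 can never fire.
            continue
        ts = datetime.fromisoformat(ev["ts"])
        window = history[srcip]
        window.append(ts)
        while window and ts - window[0] > timeframe:  # drop matches older than the timeframe
            window.popleft()
        if len(window) >= frequency:
            alerts.append(("100302", srcip))
            window.clear()  # assumption: start counting again after the composite rule fires
    return alerts
```

The third event from 10.0.0.5 raises 100302; the event without `srcip` and the one outside the 240-second window only ever raise 100301.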