question about rule frequency and timeframe


Markus Dubois

Jan 26, 2024, 8:03:16 AM
to Wazuh | Mailing List
Hi,

I have these "docker rules". They are firing too often.
The normal rule is "send notification when container is above x%".
So I get a notification if a container is above 100%.

As the docker host is a 32-CPU machine, this is a non-issue.
Because of that I was trying to modify the rules to fire "if the x% value is above 100%" constantly for 5 min.

I've tried frequency="40" timeframe="300"
But this is not working. See my rules below, can you help me here?

<group name="container,">
  <!-- Rule for container resources information. -->
  <rule id="101100" level="5">
    <decoded_as>docker-container-resource</decoded_as>
    <description>Docker: Container $(container_name) Resources</description>
    <group>container_resource,</group>
  </rule>
 
  <!-- Rule to trigger when container CPU and memory usage are above 80%. -->
  <rule id="901101" level="12" frequency="40" timeframe="300">
    <if_sid>101100</if_sid>
    <if_matched_sid>101100</if_matched_sid>
    <field name="container_cpu_usage" type="pcre2">^(0*[8-9]\d|0*[1-9]\d{2,})</field>
    <field name="container_memory_perc" type="pcre2">^(0*[8-9]\d|0*[1-9]\d{2,})</field>
    <description>Docker: Container $(container_name) CPU usage ($(container_cpu_usage)) and memory usage ($(container_memory_perc)) is over 80%</description>
    <group>container_resource,</group>
  </rule>

<!-- Rule to trigger when container CPU usage is above 80%. -->
  <rule id="101102" level="12" frequency="40" timeframe="300">
    <if_sid>101100</if_sid>
    <if_matched_sid>101100</if_matched_sid>
    <field name="container_cpu_usage" type="pcre2">^(0*[8-9]\d|0*[1-9]\d{2,})</field>
    <description>Docker: Container $(container_name) CPU usage ($(container_cpu_usage)) is over 80%</description>
    <group>container_resource,</group>
  </rule>  
 
  <!-- Rule to trigger when container memory usage is above 80%. -->
  <rule id="101103" level="12">
    <if_sid>101100</if_sid>
    <field name="container_memory_perc" type="pcre2">^(0*[8-9]\d|0*[1-9]\d{2,})</field>
    <description>Docker: Container $(container_name) memory usage ($(container_memory_perc)) is over 80%</description>
    <group>container_resource,</group>
  </rule>
  <!-- Rule for container health information. -->
  <rule id="101105" level="5">
    <decoded_as>docker-container-health</decoded_as>
    <description>Docker: Container $(container_name) is $(container_health_status)</description>
    <group>container_health,</group>
  </rule>
   
  <!-- Rule to trigger when a container is unhealthy. -->
  <rule id="101106" level="12">
    <if_sid>101105</if_sid>
    <field name="container_health_status">^unhealthy$</field>
    <description>Docker: Container $(container_name) is $(container_health_status)</description>
    <group>container_health,</group>
  </rule>
</group>

Best regards

Matias Pereyra

Jan 26, 2024, 7:03:37 PM
to Wazuh | Mailing List
Hi!

Could you describe more in detail what you mean by "not working"? The rule now doesn't fire at all? The alert keeps generating all the time?

Remember that if a rule has a frequency and a timeframe configured, the documentation recommends using if_matched_sid instead of if_sid.

Markus Dubois

Jan 29, 2024, 8:33:17 AM
to Wazuh | Mailing List
It's possible that I haven't understood the documentation correctly; that's why I'm asking here.
I've now removed the if_sid from the rules. This doesn't change the situation.
The situation is: the rule is constantly firing too often. Just after restarting the manager (the if_sid change mentioned) the rule fired again.
The last firing was at 13:50, then after booting the next one at 13:52.

My goal is: fire only if the situation (here above x% CPU time) was constantly over the proposed value for 5 min.

As described above, it is firing too often.

My difficulty in understanding is this: Wazuh talks about rules having a "frequency", so what is the frequency of checking? 60 times in 60 seconds? Every ten seconds?
Do I need to set the frequency higher? What do these values mean in relation to the timeframe?

Matias Pereyra

Jan 29, 2024, 10:23:26 AM
to Wazuh | Mailing List
Hello again. I'll try to give you more details about these rules' options.

The timeframe is how much time since the current moment I consider for valid events. A value of 300 means that all the events older than 5 minutes won't be added to the internal counter.
The frequency is the number of times the other rule must fire within the configured timeframe before the current rule is alerted.

So you can:
- Reach the configured frequency within the timeframe. Rule fired.
- Reach the configured frequency but "too slow", that is, with events too distant in time and not within the timeframe. Rule not fired.

Now, consider that events always match one rule at a time. But if you don't silence the <if_matched_sid> rule, you'll end up having 39 alerts of this one and 1 alert of the rule with the frequency and timeframe.
Your rules depend on 101100, but this is too general, so absolutely all resource reports match it. You must create another intermediate rule that does not alert; see the no_log option.
  
<group name="container,">

  <!-- Rule for container resources information. -->
  <rule id="101100" level="5">
    <decoded_as>docker-container-resource</decoded_as>
    <description>Docker: Container $(container_name) Resources</description>
    <group>container_resource,</group>
  </rule>
 
 <!-- Intermediate rule to count events when container CPU usage is above 80%. No log.-->
  <rule id="101101" level="5">
    <if_sid>101100</if_sid>

    <field name="container_cpu_usage" type="pcre2">^(0*[8-9]\d|0*[1-9]\d{2,})</field>
    <description>Docker: Container $(container_name) CPU usage ($(container_cpu_usage)) is over 80%</description>
    <group>container_resource,</group>
    <options>no_log</options>
  </rule>
 
 
<!-- Rule to trigger when container CPU usage is above 80% within the last 5 minutes -->

  <rule id="101102" level="12" frequency="40" timeframe="300">
    <if_matched_sid>101101</if_matched_sid>
    <description>Docker: Container $(container_name) CPU usage ($(container_cpu_usage)) is over 80% for the last 5 min</description>
    <group>container_resource,</group>
  </rule>  
 
</group>

Please, try this approach and come back with the results.
Regards.


Markus Dubois

Jan 30, 2024, 7:08:56 AM
to Wazuh | Mailing List
Hi,

thank you for your answer. Your rules have silenced the notifications for now. I need to monitor this a little bit longer....
I understand (I think) your approach. The intermediate rule is for the counting. But why are you certain that this

<!-- Rule to trigger when container CPU usage is above 80% within the last 5 minutes -->

  <rule id="101102" level="12" frequency="40" timeframe="300">

snippet is responsible for firing only if above for the last 5 minutes? Is it the timeframe, as 300 sec are 5 min? So the frequency value is not that important? Is it a combination? Is frequency even needed?

Best regards

Matias Pereyra

Jan 30, 2024, 2:59:14 PM
to Wazuh | Mailing List
Hi again!

Yes, the timeframe is in seconds.
The frequency is important because it's the amount of events that you need in that timeframe to fire the rule.

I have here a minimal example.
You can add these test rules in /var/ossec/etc/rules/local_rules.xml

  <rule id="100001" level="1">
    <match>Test</match>
    <description>Rule that counts</description>
    <group>test_group,</group>
    <options>no_log</options>
  </rule>

  <rule id="100002" level="12" frequency="3" timeframe="5">
    <if_matched_sid>100001</if_matched_sid>
    <description>Real rule</description>
    <group>test_group,</group>
  </rule>


Then run /var/ossec/bin/wazuh-logtest and write in the console the word Test many times:

- If you write the word 3 times really fast, the rule 100002 will be triggered 
- If you do it 2 times and wait more than 5 seconds and then 2 times more, the rule 100002 won't be triggered 

You can make sure the mechanism works with these and other tests. Also, try modifying both frequency and timeframe.

Hope it's clearer now.
Regards.

Markus Dubois

Feb 5, 2024, 7:45:07 AM
to Wazuh | Mailing List
Thanks for the clarification.
But what is still not clear to me is what you mentioned: frequency is important to fire the rule.
I understand that, but how do I calculate this? For a human it is clear 300 secs are 5 mins, so in this timeframe something needs to happen.
But I have nowhere read how to calculate the frequency. For a given rule event, is 10 okay? Or 50? Does "fire" mean per second, per minute?
How often does Wazuh check the frequency?

Matias Pereyra

Feb 5, 2024, 11:01:03 AM
to Wazuh | Mailing List
Hi again!

The frequency field isn't a value you have to calculate because it isn't related to the internal functioning of the engine.
You must choose it according to your needs of firing the rule, because it's simply a counter: how many times do I want the event to be present in the configured timeframe to alert the situation?

Every time there is an event that matches, the internal counter is incremented and compared against the frequency to confirm if it's equal or not. Every time there is an event that gets too old (out of the timeframe), the counter is decremented.

Regards.
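The counter Matias describes in his Jan 29 and Feb 5 replies (events older than the timeframe drop out, each new match increments, the rule fires when the count reaches the frequency) and the wazuh-logtest experiment from Jan 30 can be modelled in a few lines. The block below is an added example written from the thread's description; it is not Wazuh's own analysisd code and does not use the Wazuh API. Assumptions are labelled: the collector is taken to report every 10 seconds (the thread never states the interval), the window is cleared after an alert, and the per-container key emulates Wazuh's `<same_field>` rule option, which the thread's rules do not use (without it, reports from every container are counted together). All function names (`cpu_alerts`, `min_frequency`, `logtest_scenario`) and the sample events are constructed for this example.

```python
"""Added example: simplified model of a Wazuh rule with frequency="N"
timeframe="T" counting the events matched by its <if_matched_sid> rule.
Not Wazuh's own code; written from the behaviour described in the thread."""
import math
import re
from collections import defaultdict, deque
from typing import Callable, Dict, Hashable, List, Optional, Tuple

# The PCRE2 expression from the thread's rules: a percentage of 80 or more.
OVER_80 = re.compile(r"^(0*[8-9]\d|0*[1-9]\d{2,})")


class FrequencyRule:
    """Sliding-window counter: fires when `frequency` counted events fall
    within the last `timeframe` seconds. The optional `key` function keeps a
    separate window per value (emulating <same_field>, an assumption here)."""

    def __init__(self, frequency: int, timeframe: int,
                 key: Optional[Callable[[dict], Hashable]] = None):
        self.frequency = frequency
        self.timeframe = timeframe
        self.key = key
        self._windows: Dict[Hashable, deque] = defaultdict(deque)

    def observe(self, ts: float, event: dict) -> bool:
        """Feed one event that already matched the counted (intermediate) rule.
        Returns True when the composite rule fires on this event."""
        window = self._windows[self.key(event) if self.key else None]
        # Forget events that fell out of the timeframe (the "decrement").
        while window and ts - window[0] > self.timeframe:
            window.popleft()
        window.append(ts)  # the current event counts too (the "increment")
        if len(window) >= self.frequency:
            window.clear()  # modelling choice: restart the count after an alert
            return True
        return False


def cpu_alerts(events: List[dict], frequency: int, timeframe: int) -> List[Tuple[int, str]]:
    """The two-stage design from the thread: an intermediate rule that only
    selects reports with CPU >= 80% (no alert), and a composite rule that
    alerts when `frequency` such reports of one container land inside `timeframe`."""
    composite = FrequencyRule(frequency, timeframe, key=lambda e: e["container_name"])
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not OVER_80.match(ev["container_cpu_usage"]):
            continue  # the intermediate rule did not match; nothing to count
        if composite.observe(ev["ts"], ev):
            fired.append((ev["ts"], ev["container_name"]))
    return fired


def min_frequency(report_interval_s: int, timeframe_s: int) -> int:
    """Smallest frequency that requires the condition on every report across
    the whole timeframe, given how often the collector reports (assumed known)."""
    return math.ceil(timeframe_s / report_interval_s)


def logtest_scenario(timestamps: List[float], frequency: int = 3, timeframe: int = 5) -> bool:
    """Reproduce the wazuh-logtest experiment: each timestamp is one 'Test'
    line typed into the console. Returns whether the composite rule fired."""
    rule = FrequencyRule(frequency, timeframe)
    return any(rule.observe(t, {}) for t in timestamps)


# Constructed sample: two containers reporting every 10 s for 5 minutes
# (the 10 s interval is an assumption; the thread does not state it).
# "steady" stays at 85%; "spiky" alternates between 95% and 20%.
SAMPLE_EVENTS = []
for i, ts in enumerate(range(0, 301, 10)):
    SAMPLE_EVENTS.append({"ts": ts, "container_name": "steady", "container_cpu_usage": "85.3"})
    SAMPLE_EVENTS.append({"ts": ts, "container_name": "spiky",
                          "container_cpu_usage": "95.0" if i % 2 == 0 else "20.0"})

if __name__ == "__main__":
    # 30 matching reports in 300 s: "steady" alerts once, "spiky" never does.
    print(cpu_alerts(SAMPLE_EVENTS, min_frequency(10, 300), 300))
    # frequency="40" can never be reached when only 30 reports fit in the timeframe.
    print(cpu_alerts(SAMPLE_EVENTS, 40, 300))
    print(logtest_scenario([0, 1, 2]), logtest_scenario([0, 1, 8, 9]))
```

The point the model makes for tuning is that frequency is not a rate Wazuh polls at; it is a count of matches the collector delivers, so it only has meaning relative to how often the resource script reports. With a 10 second reporting interval (again, an assumption) a 300 second timeframe holds at most 30 reports, so frequency="40" can never be satisfied and the rule is silent for the wrong reason, while frequency="30" fires exactly when every report in the last five minutes was over the threshold.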