Limitations to frequency and timeframe?


jplee3

Jul 28, 2011, 4:44:41 PM
to ossec-list
Hi all,

I was wondering if anyone has had a lot of experience using higher
frequencies and broader timeframes, and if you have run into any
"limitations".

I currently have a rule set up to fire if there have been 1000 requests
from the same source IP in a timeframe of 21600 seconds (6 hours).
This is based on Apache logs (specifically GET requests) and we get
quite a number of requests coming through from same IPs, so I know
this should fire.

Another thought is that we're constantly making changes to rules and
restarting the OSSEC server throughout the day (at least between
8am-5pm), so I'm guessing, in the case that the 'counter' is reset on
an OSSEC server restart, we'll never hit this threshold. However,
there should never be any changes during the night, so I'm a bit
puzzled as to why it wouldn't fire between 5pm-8am the next day. Guess
I'll have to look into lowering the thresholds either way.

Just curious if anyone else has been successful with using larger
numbers for frequency and timeframe.

jplee3

Jul 28, 2011, 4:55:46 PM
to ossec-list
Actually, I came across this unanswered FAQ:
"Why does my frequency rule get triggered by 8 events when frequency
is set to 6?"

And I'm wondering, if frequency rules are triggered by the 8th event
when the frequency is 6, would that mean the same ratio if my
frequency is set to 1000 or even 200? Using that logic, I should lower
the frequency to 750 if I really want to trigger on 1000 events, and
150 if I want to trigger 200 events.

Can anyone confirm or deny this?

Daniel Cid

Jul 28, 2011, 5:26:13 PM
to ossec...@googlegroups.com
Try to increase the maximum number of events stored in memory.

By default it is 1024 and for your case, you would need a much larger
number (maybe 90k or something like that).

Just edit memory_size in the global config: <memory_size>90000</memory_size>

thanks,
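The effect Daniel describes (a rule with a large frequency never firing when the event store is smaller than the threshold) can be illustrated with a small simulation. This is an added example, not code from the thread or from OSSEC, and it models only the idea of a bounded shared event store feeding a same-source-IP frequency/timeframe rule, not OSSEC's actual correlation algorithm. The rule parameters mirror the first post (1000 requests from one IP within 21600 seconds); the source IP, request intervals and background traffic are constructed sample data; the two `memory_size` values are the default and the one suggested in the reply.

```python
from collections import defaultdict, deque

# Constructed parameters mirroring the thread: fire on 1000 requests from
# the same source IP within 21600 s (6 hours), then compare the default
# event store of 1024 entries with the 90000 suggested in the reply.
FREQUENCY = 1000
TIMEFRAME = 21600
DEFAULT_MEMORY_SIZE = 1024
LARGE_MEMORY_SIZE = 90000

HOT_IP = "203.0.113.7"  # constructed source that sends the 1000 requests


def make_events(hot_ip=HOT_IP, hot_interval=20, noise_interval=5, duration=TIMEFRAME):
    """Constructed Apache-like stream of (timestamp_s, source_ip) tuples.

    One IP sends a GET every hot_interval seconds; background traffic from
    many distinct IPs arrives every noise_interval seconds. Over 6 hours
    this yields 1080 requests from hot_ip and 4320 from other addresses.
    """
    events = [(t, hot_ip) for t in range(0, duration, hot_interval)]
    for i, t in enumerate(range(0, duration, noise_interval)):
        events.append((t, f"10.0.{(i // 256) % 256}.{i % 256}"))
    events.sort()
    return events


def rule_fires(events, frequency=FREQUENCY, timeframe=TIMEFRAME,
               memory_size=DEFAULT_MEMORY_SIZE):
    """Simplified model of a same_source_ip frequency rule (not OSSEC's code).

    A single store holds at most memory_size events of *any* source IP; when
    it is full, the oldest event is evicted regardless of which IP sent it.
    The rule fires when one IP has `frequency` events still in the store
    that all fall within `timeframe` seconds of the newest one.
    Returns (fired, timestamp_of_first_alert).
    """
    store = deque()                 # (ts, ip) for every event still kept
    per_ip = defaultdict(deque)     # ip -> timestamps of its kept events
    for ts, ip in events:
        if len(store) == memory_size:
            # Store is full: evict the globally oldest event. It is also the
            # oldest for its IP, unless the timeframe check already dropped it.
            old_ts, old_ip = store.popleft()
            old_q = per_ip[old_ip]
            if old_q and old_q[0] == old_ts:
                old_q.popleft()
        store.append((ts, ip))
        q = per_ip[ip]
        q.append(ts)
        # Drop this IP's events that fell outside the sliding timeframe.
        while q and ts - q[0] > timeframe:
            q.popleft()
        if len(q) >= frequency:
            return True, ts
    return False, None


def compare_memory_sizes():
    """Run the same event stream against both store sizes."""
    events = make_events()
    return {size: rule_fires(events, memory_size=size)
            for size in (DEFAULT_MEMORY_SIZE, LARGE_MEMORY_SIZE)}


if __name__ == "__main__":
    for size, (fired, ts) in compare_memory_sizes().items():
        detail = f" at t={ts}s" if fired else ""
        print(f"memory_size={size}: fired={fired}{detail}")
```

With the default store of 1024 entries, background traffic from other addresses keeps evicting the hot IP's older requests (only about a fifth of the kept events belong to it), so its count never approaches 1000 and the rule stays silent even though the IP clearly exceeds the threshold within the timeframe. With the store raised to 90000, nothing is evicted during the 6-hour window and the rule fires on the 1000th request. The practical check is the same one Daniel points at: the event store must be able to hold at least `frequency` events from the matching source, plus whatever unrelated traffic arrives in the same timeframe.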

jplee3

Jul 28, 2011, 7:55:34 PM
to ossec-list
Thank you Daniel.

I looked that up and found it here:
http://www.ossec.net/doc/syntax/head_ossec_config.reports.html

The doc says 5096 is the max though - am I able to go up to 90,000 as
you suggested?