Overview
This filter triggers once, then waits for a set time interval before it can trigger again.
The Flags/Counters filters need to be placed after all the other filter types in the rule, so that the other filters are processed first.
Details
The time interval filter is useful when you are using a notify action such as "send e-mail message" to notify you when a particular message text is found (for example "link down"). If the link goes up and down many times a minute, you would normally receive an e-mail alert for each "link down" event. The time interval filter can fire once, then wait for X minutes before alerting you again.
Example of a link down notification using the time interval filter:
Rule: Link down notify
  Filters
    Filter: Field=Hostname, Type=Simple.
      Include: "central-router.company.com" [S]
    Filter: Field=Msg Text, Type=Simple.
      Include: "link down" [S]
    Filter: Field=Flags/Counters, Type=Time interval
      Fire this event once, then wait for 15 minutes before firing again.
  Actions
    Action: Send E-mail message
      E-mail body: The link has gone down, please call the helpdesk.
      Alert - %MsgText
When a message arrives from the host "central-router.company.com" that contains the words "link down" in the text, the Hostname and Message text filters will both be true. The Time interval filter is then processed. The first time the Time interval filter is processed, the result will be true, and the actions that follow will be performed. A countdown timer using the specified value is started; in the above example it is 15 minutes. If another message arrives from the same host that contains the words "link down", the Hostname and Message text filters will again be true. If the countdown timer has not reached zero, the Time interval filter will return false and the actions following it will not be performed.
This filter may also be used to reduce the amount of notification e-mail sent to you when an attack occurs. For example, you might want to know when the text "port scan detected" is received, but you only want to be notified once every hour, not every time the message is received. Use the time interval filter to trigger once, then wait for 60 minutes before triggering again.
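The rule evaluation described above (simple filters first, the Time interval filter last, a countdown that starts only when the filter fires), as an added example that is not the product's own code. The message tuples, timestamps and the `rule_events` / `TimeIntervalFilter` names are constructed for this illustration; `%MsgText` is assumed to expand to the message text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class TimeIntervalFilter:
    """Fire once, then return False until the countdown has reached zero."""
    interval: timedelta
    next_allowed: Optional[datetime] = None  # countdown timer, None = never fired

    def check(self, now: datetime) -> bool:
        if self.next_allowed is None or now >= self.next_allowed:
            self.next_allowed = now + self.interval  # start the countdown
            return True
        return False  # timer still running: suppress the actions


def rule_events(messages: List[Tuple[datetime, str, str]], host: str,
                text: str, interval_minutes: int) -> List[Tuple[datetime, str]]:
    """Return (timestamp, alert) for every message that passes all filters."""
    interval_filter = TimeIntervalFilter(timedelta(minutes=interval_minutes))
    fired = []
    for ts, hostname, msg in messages:
        # Simple filters are evaluated first: Hostname and Msg Text (substring match).
        if hostname != host or text.lower() not in msg.lower():
            continue
        # Flags/Counters filter is evaluated last, after the other filters passed.
        if interval_filter.check(ts):
            fired.append((ts, f"Alert - {msg}"))  # "Alert - %MsgText" action
    return fired


# Constructed sample traffic: a flapping link on the central router.
T0 = datetime(2024, 1, 1, 9, 0, 0)
ROUTER = "central-router.company.com"
SAMPLE = [
    (T0, ROUTER, "Interface Gi0/1 link down"),                          # fires
    (T0 + timedelta(seconds=30), ROUTER, "Interface Gi0/1 link up"),   # not "link down"
    (T0 + timedelta(minutes=1), ROUTER, "Interface Gi0/1 link down"),  # suppressed
    (T0 + timedelta(minutes=5), "edge-switch.company.com", "link down"),  # wrong host
    (T0 + timedelta(minutes=15), ROUTER, "Interface Gi0/1 link down"),  # timer at zero
]

if __name__ == "__main__":
    for ts, alert in rule_events(SAMPLE, ROUTER, "link down", 15):
        print(ts.isoformat(), alert)
```

Raising `interval_minutes` to 60 turns the same code into the "port scan detected" once-per-hour case from the last paragraph.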