lower the sample limit for noisy bruteforce alert

mozilla · Jan 30, 2015 · aa53e90 · aa53e90
1 parent 40113b2
commit aa53e90
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/alerts/bruteforce_ssh_pyes.py b/alerts/bruteforce_ssh_pyes.py
@@ -7,6 +7,7 @@
 #
 # Contributors:
 # Anthony Verez averez@mozilla.com
+# Jeff Bryner jbryner@mozilla.com
 
 from lib.alerttask import AlertTask
 import pyes
@@ -31,8 +32,8 @@ def main(self):
         ]
         self.filtersManual(date_timedelta, must=must, must_not=must_not)
 
-        # Search aggregations on field 'sourceipaddress', keep 50 samples of events at most
-        self.searchEventsAggreg('sourceipaddress', samplesLimit=50)
+        # Search aggregations on field 'sourceipaddress', keep X samples of events at most
+        self.searchEventsAggreg('sourceipaddress', samplesLimit=10)
         # alert when >= X matching events in an aggregation
         self.walkAggregations(threshold=10)