I am trying to set up a custom alarm for DOS attacks, as we do not have any devices that support flows, so the DOS content pack doesn't work for it.
I have configured an alarm for a signature ID with a count of 1000 and an elapsed timeframe of 60 (which I'm assuming is 60 seconds?).
I cannot get this rule to fire; any help would be appreciated.
1- sssyyyy is right. You're in the Field Match GUI in the Alarm section.
You need to add a correlation for that; there you could set the time frame, etc., just by clicking on the "AND" gate.
Regarding the signature ID you added, what is the rule name of that signature?
Maybe the problem is there.