Alert when specific syslog message is received multiple times?

I'd like to set up an alert for deauthentication messages. They show up in syslog as something like deauthentication received from .

I'd like the alert to hit whenever the deauthentication message has the same MAC 5 times within a minute.

Is this possible without knowing the MAC first?

IMO yes, it's possible,

But you need to make an advanced SQL query with a COUNT add-on
And add a new macro for 1m (assuming you have 1-minute polling or 1-minute alerting)
past_1m DATE_SUB(NOW(),INTERVAL 1 MINUTE)

Look for
Syslog, Authentication failure on Device

syslog.timestamp >= macros.past_5m && syslog.msg ~ "@authentication failure@"

Edit this to

syslog.timestamp >= macros.past_1m && syslog.msg ~ "@>your lookup here>@"
Assuming you have a static MAC address etc.

Now you need to tweak the rules / advanced SQL with a COUNT() SQL

Maybe make a request for an add-on in the rule builder for the count :slight_smile:

the message I receive in syslog is:
"ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA."

The MAC isn't necessarily going to be the same every time. However, if I include from nonauthenticated STA it won't matter. I can print them in SQL using the query: select * from syslog where msg like "%Received deauth from% %Reason: Class 2 frame received from nonauthenticated STA%";

So following your example I'd use: syslog.timestamp >= macros.past_1m && syslog.msg ~ "%Received deauth from% %Reason: Class 2 frame received from nonauthenticated STA%" && devices.disabled = 0 && devices.ignore = 0

along with some form of count if I needed the count (which, thinking about it, I could likely do without and be okay). I shouldn't receive any of these messages unless there is an actual problem.
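A worked version of the COUNT()-based query the two posts above describe, added here as an example rather than code from either poster. It assumes a MySQL/MariaDB backend and that the LibreNMS syslog table exposes device_id, timestamp and msg; the sample rows are constructed around the message format quoted above, and the station MAC is extracted from the message text so no MAC has to be known in advance.

```sql
-- Constructed stand-in for the LibreNMS syslog table so the query below
-- runs on its own. On a real LibreNMS database skip this CREATE/INSERT
-- and run the SELECT against the existing syslog table (assumed columns:
-- device_id, timestamp, msg).
CREATE TEMPORARY TABLE syslog (
  device_id   INT,
  `timestamp` DATETIME,
  msg         TEXT
);

-- Sample data: five deauths from one station inside the last minute,
-- one deauth from a different station, and one stale deauth from six
-- minutes ago that must fall outside the window.
INSERT INTO syslog (device_id, `timestamp`, msg) VALUES
  (1, NOW() - INTERVAL 55 SECOND, 'ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA.'),
  (1, NOW() - INTERVAL 44 SECOND, 'ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA.'),
  (1, NOW() - INTERVAL 33 SECOND, 'ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA.'),
  (1, NOW() - INTERVAL 22 SECOND, 'ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA.'),
  (1, NOW() - INTERVAL 11 SECOND, 'ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA.'),
  (1, NOW() - INTERVAL 30 SECOND, 'ath0 Received deauth from 00:11:22:33:44:55. Reason: Class 2 frame received from nonauthenticated STA.'),
  (1, NOW() - INTERVAL 6 MINUTE,  'ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA.');

-- Count deauths per (device, station MAC) over the last minute and keep
-- only the groups that reached the threshold of 5.
-- DATE_SUB(NOW(), INTERVAL 1 MINUTE) is what the past_1m macro above
-- expands to. The MAC is taken from the text between 'Received deauth from '
-- and the next '.', which is where it sits in the quoted message.
SELECT
  device_id,
  SUBSTRING_INDEX(SUBSTRING_INDEX(msg, 'Received deauth from ', -1), '.', 1) AS sta_mac,
  COUNT(*) AS deauths_last_minute
FROM syslog
WHERE `timestamp` >= DATE_SUB(NOW(), INTERVAL 1 MINUTE)
  AND msg LIKE '%Received deauth from %'
  AND msg LIKE '%Reason: Class 2 frame received from nonauthenticated STA%'
GROUP BY device_id, sta_mac
HAVING COUNT(*) >= 5;
```

With the sample data only the 2c:c5:d3:69:ba:4c group survives the HAVING clause; the single deauth from the other station and the six-minute-old row are left out by the threshold and the time window respectively.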