Snort mailing list archives

Swatch & Snort & multi-line alerts


From: Carl Johnson <carl.johnson () overture com>
Date: Fri, 02 Aug 2002 14:29:18 -0700

Hi,

Got a bit of a problem with Swatch and Snort. I want to have Swatch email me certain Snort alerts from the 'alert' file. These alerts in the file are more than one line. So, I figured I'd use a \n\n input-record-separator with Swatch.

It doesn't work.

It sends me the line that matches the string, but only that one line, not the full blurb in the file.

Looking in the archives of this list I came across this text in a message from 3/14/01:

"i wanted to see the full multiline alerts so i
had to modify File::Tail in order to do so.  i am working with
the developer to incorporate changes into the next release."

This is the same problem I'm having. The File::Tail perl module that Swatch uses apparently doesn't work with a \n\n separator. It doesn't seem to have been incorporated into the new release I guess.

Any ideas before I start combing through Perl?

Thanks!
Carl
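
The record-assembly step the \n\n separator was supposed to provide, written as an added Python example (not Swatch or File::Tail code): a small reader that buffers tailed chunks until a blank line closes the alert, so a pattern match can return the whole blurb rather than the one matching line. The alert text and rule names are constructed placeholders, not real Snort output.

```python
import re

# Constructed sample of Snort's full-alert 'alert' file: every alert is a multi-line
# record, records are separated by a blank line; rule names/SIDs are placeholders.
SAMPLE_ALERTS = (
    "[**] [1:1000001:1] EXAMPLE web probe [**]\n"
    "[Classification: Attempted Information Leak] [Priority: 2]\n"
    "08/02-14:29:18.123456 192.0.2.10:40312 -> 198.51.100.5:80\n"
    "TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF\n"
    "\n"
    "[**] [1:1000002:1] EXAMPLE icmp sweep [**]\n"
    "[Classification: Misc activity] [Priority: 3]\n"
    "08/02-14:29:19.654321 192.0.2.11 -> 198.51.100.5\n"
    "ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:28\n"
    "\n"
)

class AlertRecordReader:
    """Reassemble blank-line-separated alert records from arbitrary chunks."""

    def __init__(self) -> None:
        self._buf = ""  # text of a record whose closing "\n\n" has not arrived yet

    def feed(self, chunk: str) -> list[str]:
        """Append a chunk (as a tail would deliver it) and return records it completes."""
        self._buf += chunk
        parts = self._buf.split("\n\n")
        self._buf = parts.pop()  # trailing partial record stays buffered
        return [p + "\n" for p in parts if p.strip()]

    def flush(self) -> list[str]:
        """Return a final record that ended without a blank line (e.g. at EOF)."""
        rest, self._buf = self._buf, ""
        return [rest + "\n"] if rest.strip() else []

def matching_alerts(chunks, pattern: str) -> list[str]:
    """Return whole alert records containing the pattern, one chunk at a time."""
    rx = re.compile(pattern)
    reader = AlertRecordReader()
    hits = []
    for chunk in chunks:
        hits.extend(rec for rec in reader.feed(chunk) if rx.search(rec))
    hits.extend(rec for rec in reader.flush() if rx.search(rec))
    return hits

def matching_lines(text: str, pattern: str) -> list[str]:
    """Line-at-a-time matching: only the single line a line-based tail reports."""
    rx = re.compile(pattern)
    return [ln for ln in text.splitlines() if rx.search(ln)]
```

Feeding the sample split at an arbitrary offset (for example `SAMPLE_ALERTS[:70]` and `SAMPLE_ALERTS[70:]`) still yields the complete four-line alert for `Priority: 2`, whereas `matching_lines` returns just the Classification line, which is the behaviour described above.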




