Snort mailing list archives
Re: How to Use Throttle when using Swatch for duplicate email alerts
From: Sam Evans <sam () neuroflux com>
Date: Wed, 9 Apr 2003 15:51:14 -0400 (EDT)
Well, in theory there is a command in swatch called 'throttle'. Here's what I use:

    watchfor /Something/
        echo
        mail=your_email () address com,subject=ALERT!!
        throttle = 00:01:00

Now, according to the swatch documentation it is supposed to fire the event every 1 minute. I have not had any success in getting it to honor the throttle statement. But, maybe your luck will be better than mine.

On Wed, 9 Apr 2003, Sudhakar Gummadi wrote:
Hi, I am using swatch to generate email alerts from the alert file, comparing the string /priority: 1/. In some instances the same alert is generated numerous times, like 30 to 40 emails. I was wondering how I can specify (throttle) for 10 to 15 min to ignore it if it is the same alert. Any examples would be really helpful.

Thanks
SG

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Tuesday, April 08, 2003 4:31 PM
To: ryan stangl
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

On Tue, 8 Apr 2003, ryan stangl wrote:

I was hoping that someone could help me. I am running snort 1.9 on Win2K. I got it to run, and on our little mock network I can see other computers trying to get in; for example I can see a ping, or a sweep. So I assumed that it was working. Then I wanted to see if I could get one of my rules to work, so I added a rules text where all the other rules were, and gave it a .rules extension. I made just a simple one: alert tcp <ip/24> 500:2000 -> <ip/24> any. Then in the snort config file I placed a # in front of all of the rules listed and added a path to the rule file I made. My thinking was that I would receive only instances that I specified, where anything coming from not my computer between port 500 and 2000 trying to go to my computer by any port, but that wasn't the case; I was getting everything as I was before, coming from any port. It seemed A.) that my rule file wasn't working, and B.) that all the rule files were activated again. WHY IS THIS. If anyone can help me out here it would be greatly appreciated. Thanks

Either you didn't restart snort after you made the change, or you are using a different config file than the one you edited.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
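The thread asks how to collapse a burst of identical priority-1 Snort alerts into one notification per 10 to 15 minute window. The following is an added illustration, not code from the thread or from swatch itself: it models the throttle behaviour the poster wants (first alert fires, repeats of the same signature are suppressed until the window elapses, and the next emitted alert carries a count of what was collapsed) over a few constructed lines in Snort's single-line "fast" alert format. The regular expression, the signature-based key function and the sample alerts are this example's own assumptions; the alert timestamps drive the window so the run is deterministic.

```python
import re
from datetime import datetime, timedelta

# Matches Snort's one-line ("fast") alert format; written for this example.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alert lines (sids, addresses and messages are made up).
# Three repeats of one signature inside a minute, one different signature,
# one priority-2 line that the /priority: 1/ watch would ignore, and one
# repeat of the first signature after the window has expired.
SAMPLE_ALERTS = [
    "04/09-15:40:01.000000  [**] [1:1000001:1] EXAMPLE inbound exploit attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:41234 -> 198.51.100.5:80",
    "04/09-15:40:02.000000  [**] [1:1000001:1] EXAMPLE inbound exploit attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:41235 -> 198.51.100.5:80",
    "04/09-15:40:03.000000  [**] [1:1000001:1] EXAMPLE inbound exploit attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:41236 -> 198.51.100.5:80",
    "04/09-15:41:00.000000  [**] [1:1000002:1] EXAMPLE web server cgi probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:50000 -> 198.51.100.5:80",
    "04/09-15:45:00.000000  [**] [1:1000003:1] EXAMPLE noisy snmp scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:5000 -> 198.51.100.5:161",
    "04/09-15:51:00.000000  [**] [1:1000001:1] EXAMPLE inbound exploit attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:41300 -> 198.51.100.5:80",
]


def parse_alert(line, year=2003):
    """Return a dict for a fast-format alert line, or None if it doesn't parse.
    Fast-format timestamps carry no year, so one is supplied (assumed 2003)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S"),
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "priority": int(m["prio"]),
        "src": m["src"],
        "dst": m["dst"],
    }


def key_by_signature(alert):
    """Throttle key: generator id + signature id, so repeats of the same rule
    collapse while a different rule still notifies immediately."""
    return (alert["gid"], alert["sid"])


class AlertThrottle:
    """Emit the first alert for a key, suppress further alerts for that key
    until `window` has passed since the last one emitted, and count what
    was suppressed so the next emitted alert can report it."""

    def __init__(self, window, key_fn=key_by_signature):
        self.window = window
        self.key_fn = key_fn
        self._last_sent = {}
        self._suppressed = {}

    def should_emit(self, alert):
        """Return (emit, collapsed): emit says whether to notify; collapsed is
        the number of suppressed repeats since the previous notification."""
        key = self.key_fn(alert)
        last = self._last_sent.get(key)
        if last is not None and alert["ts"] - last < self.window:
            self._suppressed[key] = self._suppressed.get(key, 0) + 1
            return False, 0
        collapsed = self._suppressed.pop(key, 0)
        self._last_sent[key] = alert["ts"]
        return True, collapsed


def process(lines, window=timedelta(minutes=10), priority=1):
    """Run the throttle over alert lines, keeping only the requested priority
    (mirroring the poster's /priority: 1/ watch). Returns (emitted, suppressed)
    where emitted is a list of (alert, collapsed_count) tuples."""
    throttle = AlertThrottle(window)
    emitted, suppressed = [], 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["priority"] != priority:
            continue
        emit, collapsed = throttle.should_emit(alert)
        if emit:
            emitted.append((alert, collapsed))
        else:
            suppressed += 1
    return emitted, suppressed


if __name__ == "__main__":
    sent, dropped = process(SAMPLE_ALERTS)
    for alert, collapsed in sent:
        note = f" (+{collapsed} suppressed repeats)" if collapsed else ""
        print(f"{alert['ts']:%H:%M:%S} sid {alert['sid']} {alert['msg']}{note}")
    print(f"{len(sent)} notifications, {dropped} suppressed")
```

With the constructed input and a 10-minute window, three notifications go out (the first exploit attempt, the cgi probe, and the exploit attempt again at 15:51 with a note that two repeats were collapsed) and two lines are suppressed; the priority-2 line never reaches the throttle. Keying on signature rather than on the whole line matters: the three repeats differ in source port, so a key built from the full alert text would throttle nothing.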
Current thread:
- How to Use Throttle when using Swatch for duplicate email alerts Sudhakar Gummadi (Apr 09)
- Re: How to Use Throttle when using Swatch for duplicate email alerts Sam Evans (Apr 09)
- Re: How to Use Throttle when using Swatch for duplicate email alerts Erek Adams (Apr 09)
- <Possible follow-ups>
- RE: How to Use Throttle when using Swatch for duplicate email alerts Hutchinson, Andrew (Apr 10)