Snort mailing list archives

RE: Hey who use SWATCH!?? when there is an scan, I get too many mails on root () domain com


From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Thu, 15 Jan 2004 08:44:25 -0500

I wrote this script as an alternative to swatch. It fires off anytime you
set it to using cron, but will only report through email anything new each
hour so you do not get blasted with redundant information.

You can find the information here:
http://www.sun.com/bigadmin/scripts/submittedScripts/auth-crit.sh.txt

I use it for logon violations to the system and any other alerts that you
would want an email alert for but you can key into any system message from
any log file you like.

Best regards,

Michael D. Peters
michael.peters () lazarusalliance com 




-----Original Message-----
From: soldier Mx [mailto:soldi3rmx () yahoo com mx]
Sent: Wednesday, January 14, 2004 7:48 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Hey who use SWATCH!?? when there is an scan, i
get too many mails on root () domain com


Yes...

When I scan my system or somebody does...
I get like 15 mails for the scan..
and I just want ONE mail..

Here is my configuration .swatchrc file..

# swatch configuration as posted (re-flowed: the mail and exec actions were
# each wrapped across several lines in the archive). Actions are indented
# under the watchfor pattern they belong to; throttle is hours:minutes:seconds.
watchfor /spp_portscan/
        bell
        echo normal
        mail root () linux mty itesm mx,Subject=--- ! Snort alert! --- Hicieron un Escaneo
        # $0 is the matched log line; append it to syslog
        exec echo $0 >> /var/log/messages
        throttle 00:30:10

watchfor /EXPLOIT/
        bell
        echo normal
        mail root () linux mty itesm mx,Subject=--- ! Snort alert! --- Trataron de hackear
        exec echo $0 >> /var/log/messages
        throttle 00:02:10

...
and more..


I wrote 30 minutes in the throttle,
because if I'm not wrong it means that if the rule is matched
again it will ignore it for about 30 minutes...

What to do?
I had it at 1 min, but it was sending a lot of mails
too.. in ONE scan with nmap

#nmap -v -sS -O host.com



My best regards!!

thanks everybody

Bye from .mx
 



-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


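The thread contrasts two ways of quieting a log watcher: a per-pattern throttle (the .swatchrc above, which still produced about 15 mails for one nmap run) and a cron job that mails only what is new each hour (the auth-crit.sh approach). The script below is an added illustration written for this archive page; it is not the poster's swatch setup and not the auth-crit.sh script. It models both behaviours over a few constructed Snort-style syslog lines: a throttle keyed on the message text lets every distinct portscan status line through, a throttle keyed on the rule name sends one mail but silently drops the other lines, and a per-rule digest sends one mail per window that carries every matching line. Rule names, the 192.0.2.x/198.51.100.x addresses, host names and counts are all invented for the example.

```python
#!/usr/bin/env python3
"""Per-line throttle vs per-rule digest over Snort syslog output.

Added example for the swatch thread; assumptions: syslog-style lines with an
HH:MM:SS clock field, and rules modelled on the two watchfor stanzas
(/spp_portscan/ and /EXPLOIT/). Nothing here is the poster's configuration.
"""
import re

# Constructed sample lines in the style of Snort 1.x/2.x syslog output.
# Hosts, addresses, PIDs and counts are invented.
SAMPLE_LOG = """\
Jan 14 19:48:01 ids snort[811]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 0 seconds)
Jan 14 19:48:02 ids snort[811]: spp_portscan: portscan status from 192.0.2.10: 11 connections across 1 hosts: TCP(11), UDP(0) STEALTH
Jan 14 19:48:03 ids snort[811]: spp_portscan: portscan status from 192.0.2.10: 23 connections across 1 hosts: TCP(23), UDP(0) STEALTH
Jan 14 19:48:05 ids snort[811]: spp_portscan: End of portscan from 192.0.2.10: TOTAL time(4s) hosts(1) TCP(34) UDP(0) STEALTH
Jan 14 19:48:06 ids snort[811]: [0:0:0] EXPLOIT placeholder-signature-name 192.0.2.10 -> 192.0.2.1
Jan 14 19:49:30 ids sshd[902]: Accepted password for alice from 192.0.2.20 port 51000 ssh2
Jan 14 20:10:00 ids snort[811]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 0 seconds)
Jan 14 20:25:00 ids snort[811]: spp_portscan: PORTSCAN DETECTED from 198.51.100.7 (THRESHOLD 4 connections exceeded in 0 seconds)
"""

# Patterns mirror the two watchfor stanzas from the thread.
RULES = {
    "portscan": re.compile(r"spp_portscan"),
    "exploit": re.compile(r"EXPLOIT"),
}

# The poster's first stanza uses throttle 00:30:10, i.e. 30 min 10 s.
WINDOW = 30 * 60 + 10

SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} (\d\d):(\d\d):(\d\d) ")


def clock_seconds(line):
    """Seconds since midnight taken from the syslog prefix (date ignored)."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("no syslog timestamp: " + line)
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def message_text(line):
    """The line without its timestamp, so repeated events compare equal."""
    return SYSLOG_PREFIX.sub("", line)


def matches(lines):
    """Yield (rule name, seconds, line) for every line that hits a rule."""
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                yield name, clock_seconds(line), line


def throttle(lines, window, key_on_rule):
    """One notification per key; a repeat of the same key inside `window`
    seconds is dropped. key_on_rule=False keys on the message text, so every
    distinct line still sends; key_on_rule=True keys on the rule name, so
    the later lines of a scan are lost."""
    last_sent = {}
    sent = []
    for name, t, line in matches(lines):
        key = name if key_on_rule else (name, message_text(line))
        if key not in last_sent or t - last_sent[key] >= window:
            last_sent[key] = t
            sent.append(line)
    return sent


def digest(lines, window):
    """One notification per rule per window carrying every matching line
    seen in that window: nothing is dropped, and a burst is one mail."""
    open_windows = {}  # rule name -> (window start seconds, [lines])
    out = []
    for name, t, line in matches(lines):
        start, batch = open_windows.get(name, (t, []))
        if t - start >= window:      # window elapsed: flush, start a new one
            out.append((name, batch))
            start, batch = t, []
        batch.append(line)
        open_windows[name] = (start, batch)
    for name, (_, batch) in open_windows.items():  # final flush
        out.append((name, batch))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("throttle keyed on message:", len(throttle(lines, WINDOW, False)), "mails")
    print("throttle keyed on rule:   ", len(throttle(lines, WINDOW, True)), "mails")
    for name, batch in digest(lines, WINDOW):
        print(f"digest [{name}] {len(batch)} line(s):")
        for entry in batch:
            print("   ", message_text(entry))
```

Run against the sample, the message-keyed throttle sends six mails for eight lines (only the exact repeat at 20:10 is suppressed), the rule-keyed throttle sends three but discards the status and end-of-scan lines, and the digest sends three mails that between them contain all seven matching lines. A real deployment would replace SAMPLE_LOG with a tail of /var/log/messages and hand each digest to the mailer, which is the shape of the hourly cron approach described in the reply.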

