Snort mailing list archives
RE: Hey who use SWATCH!?? when there is a scan, I get too many mails on root () domain com
From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Thu, 15 Jan 2004 08:44:25 -0500
I wrote this script as an alternative to swatch. It fires off any time you set it to using cron, but will only report through email anything new each hour, so you do not get blasted with redundant information. You can find the information here:

http://www.sun.com/bigadmin/scripts/submittedScripts/auth-crit.sh.txt

I use it for logon violations to the system and any other alerts that you would want an email alert for, but you can key into any system message from any log file you like.

Best regards,

Michael D. Peters
michael.peters () lazarusalliance com

-----Original Message-----
From: soldier Mx [mailto:soldi3rmx () yahoo com mx]
Sent: Wednesday, January 14, 2004 7:48 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Hey who use SWATCH!?? when there is a scan, I get too many mails on root () domain com

Yes... when I scan my system, or somebody does, I get like 15 mails for the scan, and I just want ONE mail. Here is my configuration, the .swatchrc file:

    watchfor /spp_portscan/
        bell
        echo normal
        mail root () linux mty itesm mx,Subject=--- ! Snort alert! --- Hicieron un Escaneo$
        exec echo $0 >> /var/log/messages
        throttle 00:30:10

    watchfor /EXPLOIT/
        bell
        echo normal
        mail root () linux mty itesm mx,Subject=--- ! Snort alert! --- Trataron de hackear$
        exec echo $0 >> /var/log/messages
        throttle 00:02:10

    ... and more.

I wrote 30 minutes in the throttle, because if I'm not wrong it means that if the rule is matched again it will be ignored for about 30 minutes... What to do? I had it as 1 min, but it was sending a lot of mails as well, in ONE scan with nmap:

    # nmap -v -sS -O host.com

My best regards!! Thanks everybody. Bye from .mx
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
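The hourly "report only what is new" approach Michael describes, written out as an added shell example (this is not his auth-crit.sh script and not part of the thread): it prints alert lines matching a pattern that no earlier run has recorded, remembers them in a state file, and sends at most one mail per cron run, so a single scan producing 15 alert lines yields one message instead of 15. The log path, state path and the sample alert lines are constructed placeholders, not real Snort output.

```sh
#!/bin/sh
# Hourly "what is new" reporter for Snort alerts: one mail per run, and only
# when there are alert lines that were not reported by an earlier run.
# Added example; assumes Snort writes text alerts to a single file.

# new_alerts LOG STATE PATTERN
#   Print lines of LOG matching the extended regex PATTERN that are not yet in
#   STATE (de-duplicated), and append them to STATE so the next run stays quiet.
new_alerts() {
    log=$1 state=$2 pat=$3
    [ -f "$state" ] || : > "$state"
    awk -v pat="$pat" -v state="$state" '
        FILENAME == state { seen[$0] = 1; next }       # already reported earlier
        $0 ~ pat && !seen[$0] && !out[$0]++ { print }   # new, matching, printed once
    ' "$state" "$log" | tee -a "$state"
}

# count_new LOG STATE PATTERN: number of lines new_alerts reports (and records them).
count_new() {
    new_alerts "$1" "$2" "$3" | wc -l | tr -d ' '
}

# report LOG STATE PATTERN RCPT: one mail carrying all new lines, or no mail at all.
report() {
    body=$(new_alerts "$1" "$2" "$3")
    [ -n "$body" ] || return 0
    printf '%s\n' "$body" | mail -s "Snort: new alerts on $(hostname)" "$4"
}

# Demo on a constructed alert log (placeholder lines, not real Snort output):
# two portscan lines, one EXPLOIT line, one exact duplicate, one unrelated line.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/alert" <<'EOF'
Jan 14 19:40:01 snort[123]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10
Jan 14 19:40:02 snort[123]: spp_portscan: portscan status from 192.0.2.10: 120 connections
Jan 14 19:41:00 snort[123]: [1:1234:1] EXPLOIT example attempt [Priority: 1]
Jan 14 19:40:01 snort[123]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10
Jan 14 19:45:00 snort[123]: unrelated informational message
EOF
    first=$(count_new "$d/alert" "$d/seen" 'spp_portscan|EXPLOIT')   # 3 new lines
    second=$(count_new "$d/alert" "$d/seen" 'spp_portscan|EXPLOIT')  # 0: nothing new
    rm -rf "$d"
    echo "$first $second"
}

demo
```

From cron, call `report /var/log/snort/alert /var/tmp/snort-seen 'spp_portscan|EXPLOIT' root` once an hour; the state file only grows by the lines actually reported, so a scan that keeps tripping the same signature is mailed once.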