Snort mailing list archives

RE: swatch error


From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Thu, 28 Nov 2002 14:33:59 -0300

-----Original Message-----
From: Todd Holloway [mailto:todd () duckland org]

Try throttle 01:00; the man page shows an example using this format.


Thank you Todd, we have tried [because we've RTFM ;)] but it doesn't work,
same error message.
We have tried many variants and looked into the perl scripts and packages with
no results, so if anybody has an idea, please tell me.

PABLO

 
On Wed, Nov 27, 2002 at 12:28:00PM -0300, Petriz, Pablo wrote:
Hello list!

This is a bit out of the scope of this list, but I couldn't find help in
swatch lists and I know that many snorters use swatch.

I'm having problems using the throttle option.
This option (as I understand) makes swatch send only 1 alert when more than
1 similar alerts happen between a given time lapse, but I receive an error
and it doesn't work.

Error:
Date::Calc::Delta_DHMS(): not a valid time at /root/.swatch_script.4390 line 227.

These are some lines near 227 in the swatch_script.4390:
if (exists $Msg_Rec{$key} and defined $Msg_Rec{$key}->{ymdhms}) {
    my $passed = 1;
    $Msg_Rec{$key}->{count}++;
    if ($ymdhms[1] > $Msg_Rec{$key}->{ymdhms}[1]) { $ymdhms[0]--; }
    my @delta_dhms = Delta_DHMS(@{$Msg_Rec{$key}->{ymdhms}}, @ymdhms);  # line 227
    foreach my $i (0..$#min_dhms_delta) {
      $passed = 0 if ($delta_dhms[$i] < $min_dhms_delta[$i]);
      last unless ($delta_dhms[$i] == $min_dhms_delta[$i]);
    }

This is my conf file:
watchfor /\[\*\*\]/ 
         echo
         mail=mte@xxxx,subject=--- Alertas de Snort! --- 
         mail=pep@xxxx,subject=--- Alertas de Snort! --- 
throttle 00:01:00 


Any help will be appreciated. TIA!


PABLO
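
The throttle behaviour described in the message above, as an added example that is not part of the original thread and is not swatch's own code: one alert per [**] message text is reported per 00:01:00 window, and a line whose timestamp is missing or invalid is reported instead of aborting the run. The Snort "fast" alert line layout, the year argument and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Optional leading "MM/DD-HH:MM:SS.usec" stamp, then the text between [**] markers.
ALERT_RE = re.compile(r"^(?:(\S+)\s+)?\[\*\*\]\s+(.*?)\s+\[\*\*\]")

def parse_window(spec):
    """Turn a throttle value such as '00:01:00' into a timedelta."""
    hours, minutes, seconds = (int(part) for part in spec.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)

def parse_stamp(stamp, year):
    """Return a datetime, or None if the stamp is missing or not a valid time."""
    try:
        return datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S.%f")
    except ValueError:
        return None

def throttle(lines, window_spec="00:01:00", year=2002):
    """Return [(line, suppressed_count)] for the alerts that would be mailed."""
    window = parse_window(window_spec)
    last_sent, held, reported = {}, {}, []
    for line in lines:
        match = ALERT_RE.match(line)
        if not match:
            continue                      # no [**] pair: not an alert line
        stamp, key = match.groups()
        when = parse_stamp(stamp, year)   # stamps carry no year: assumed here
        if when is None:
            reported.append((line, 0))    # bad time: report it, do not abort
            continue
        prev = last_sent.get(key)
        if prev is not None and timedelta(0) <= when - prev < window:
            held[key] = held.get(key, 0) + 1   # same alert inside the window
            continue
        reported.append((line, held.pop(key, 0)))
        last_sent[key] = when
    return reported

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "11/27-12:28:00.100000  [**] [1:469:1] ICMP PING NMAP [**] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "11/27-12:28:20.200000  [**] [1:469:1] ICMP PING NMAP [**] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "11/27-12:28:40.300000  [**] [1:1000001:1] Constructed test rule [**] {TCP} 10.0.0.7:1042 -> 10.0.0.9:80",
    "11/27-12:29:05.000000  [**] [1:469:1] ICMP PING NMAP [**] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "[**] [1:469:1] ICMP PING NMAP [**]",
    "Snort initialization complete (not an alert line)",
]

if __name__ == "__main__":
    for line, suppressed in throttle(SAMPLE):
        print(f"suppressed={suppressed}  {line}")
```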

