Snort mailing list archives

How to Use Throttle when using Swatch for duplicate email alerts


From: "Sudhakar Gummadi" <sgummadi () sitelite com>
Date: Wed, 9 Apr 2003 11:46:20 -0700


Hi,

I am using swatch to generate email alerts from the alert file, matching
the string /priority: 1/. In some instances the same alert is generated
numerous times, like 30 to 40 emails.

I was wondering how I can use (throttle) for 10 to 15 min to ignore
it if it is the same alert.

Any examples would be really helpful.

Thanks
SG
-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Tuesday, April 08, 2003 4:31 PM
To: ryan stangl
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] (no subject)

On Tue, 8 Apr 2003, ryan stangl wrote:

I was hoping that someone could help me. I am running snort 1.9 on
Win2K. I got it to run, and on our little mock network I can see other
computers trying to get in; for example I can see a ping, or a sweep.
So I assumed that it was working. Then I wanted to see if I could get one
of my rules to work, so I added a rules text where all the other rules
were, and gave it a .rules extension. I made just a simple one:
alert tcp <ip/24> 500:2000 -> <ip/24> any. Then in the snort config file
I placed a # in front of all of the rules listed and added a path to the
rule file I made. My thinking was that I would receive only instances
that I specified, where anything coming from not my computer between
port 500 and 2000 trying to go to my computer by any port, but that
wasn't the case; I was getting everything as I was before, coming from
any port. It seemed A.) that my rule file wasn't working, and B.) that
all the rule files were activated again. WHY IS THIS? If anyone can help
me out here it would be greatly appreciated. Thanks

Either you didn't restart snort after you made the change, or you are
using a different config file than the one you edited.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
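As an added example answering the question at the top of this thread (not a reply from the list, and not from the swatch or Snort projects): a swatchrc fragment that mails once for a priority 1 alert and then suppresses the same pattern for 15 minutes. It assumes swatch 3.x, where `throttle` takes an `hours:minutes:seconds` interval and is placed ahead of the actions it is meant to gate; the recipient address, subject and file paths are constructed placeholders.

```conf
# Added example swatchrc fragment (not from the thread above).
# Assumes swatch 3.x tailing the Snort alert file, started roughly as:
#   swatch -c /etc/swatchrc -t /var/log/snort/alert
# Constructed values: the address and subject are placeholders.

watchfor /priority: 1/
        # Gate first: after the first match, further matches of this
        # pattern within 15 minutes (hours:minutes:seconds) perform no
        # actions, so the mail below is sent at most once per window.
        throttle 0:15:00
        # The "@" is backslash-escaped because the config is turned into
        # Perl before it runs.
        mail addresses=snortadmin\@example.com,subject="Snort priority 1 alert"
```

The throttle is keyed on the pattern, so with a single catch-all /priority: 1/ the first alert of any kind sends mail and every priority 1 alert for the next 15 minutes is silent, including ones for a different signature. If a separate window per signature is wanted, give each signature its own watchfor (or use the throttle's key= option where the installed version supports it; confirm the exact syntax and the placement of throttle against `man swatch` for your version, since both changed between swatch releases).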

