Snort mailing list archives
RE: How to Use Throttle when using Swatch for duplicate email alerts
From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Thu, 10 Apr 2003 09:13:06 -0500
First, make sure that you've read the swatch documentation (man swatch). Next, make sure that you're properly matching the event you want to watch with the regex that you specify. It sounds like you are, since you're getting the alerts.

Now, you have to consider exactly _what_ swatch is using when deciding whether to throttle an event or not. By default, swatch uses the _whole_ message (i.e. the whole line that triggered the alert). If _ANYTHING_ is different from one line to the next (like a timestamp, an event identifier, an IP address, a port number, etc.) then the events are dissimilar and will NOT be throttled. However, you can also specify the use=regex option in your throttle statement, which causes swatch to only use the regex match in determining whether to throttle an event.

Here's a "for instance". Let's say that I have somebody trying to brute force their way into my system. (Here my "brute forcing" is me attempting to log into my syslog server incorrectly a couple of times...)

Apr 10 08:59:27 ns-syslog sshd(pam_unix)[25635]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root
Apr 10 08:59:36 ns-syslog sshd(pam_unix)[25635]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root
Apr 10 08:59:38 ns-syslog sshd(pam_unix)[25637]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root
Apr 10 08:59:46 ns-syslog sshd(pam_unix)[25637]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root

If I were to use this directive in swatch.conf...

watchfor /authentication failure/
    throttle 10:00
    exec=echo \"At $1 $2 $3 Login Failure << $0 >>\" | sendmail -f swatch@ns-syslog andrew.hutchinson () vanderbilt edu

...I would get 4 messages emailed to me. Look at field number 3 (the timestamp). Different timestamps. Different events. No throttling.

However, if I use THIS directive in swatch.conf...

watchfor /authentication failure/
    throttle 10:00,use=regex
    exec=echo \"At $1 $2 $3 Login Failure << $0 >>\" | sendmail -f swatch@ns-syslog andrew.hutchinson () vanderbilt edu

...I get one email message mailed to me. Here it is:

# ==========
To: andrew.hutchinson () vanderbilt edu
From: swatch () ns-syslog mc vanderbilt edu
Subject: At Apr 10 08:59:27 Login Failure << Apr 10 08:59:27 ns-syslog sshd\(pam_unix\)[25635]: authentication failure\; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root >>
# ==========

Because I specified "use=regex", the only thing that is compared is "authentication failure", and thus I'm only emailed once - even if somebody tries to log in 10,000 times in 10 minutes. However, when I get an email re: an auth failure to a box that very few people should be logging into, I generally react pretty quickly. Especially if I don't recognize the IP address.

Hope that this helps.

Andrew

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Wednesday, April 09, 2003 3:27 PM
To: Sudhakar Gummadi
Cc: Erek Adams; snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to Use Throttle when using Swatch for duplicate email alerts

On Wed, 9 Apr 2003, Sudhakar Gummadi wrote:

> I am using swatch to generate email alerts from the alertfile comparing the string /priority: 1/. In some instances the same alert is generated numerous times like 30 to 40 emails. I was wondering how can I specify using (throttle) for 10 to 15 min to ignore if it is the same alert. Any examples would be really helpful.
http://www.theadamsfamily.net/~erek/snort/snort-swatch.txt

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger for complex code. Debugging C/C++ programs can leave you feeling lost and disoriented. TotalView can help you find your way. Available on major UNIX and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
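A small model of the two throttle keying modes Andrew describes, added here as an example (not code from the original thread or from swatch itself): it replays the four sshd lines from his post and keys the throttle either on the whole line (swatch's default) or on the regex match only (the use=regex case). It assumes the 10:00 window means 600 seconds and that the log year is 2003; it models only the keying decision, not swatch's full reporting behaviour.

```python
import re
from datetime import datetime

# Constructed sample: the four sshd lines quoted in the post above.
SAMPLE_LOG = """\
Apr 10 08:59:27 ns-syslog sshd(pam_unix)[25635]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root
Apr 10 08:59:36 ns-syslog sshd(pam_unix)[25635]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root
Apr 10 08:59:38 ns-syslog sshd(pam_unix)[25637]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root
Apr 10 08:59:46 ns-syslog sshd(pam_unix)[25637]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root
""".splitlines()


def syslog_time(line, year=2003):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (year assumed)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def throttled_alerts(lines, pattern, window_seconds=600, use_regex=False):
    """Return the lines that would reach the exec action.

    use_regex=False keys the throttle on the whole line (swatch's default),
    so any differing field (timestamp, pid, ...) makes a "new" event.
    use_regex=True keys it on the matched text only, as 'throttle ...,use=regex'.
    """
    rx = re.compile(pattern)
    last_fired = {}   # throttle key -> time of the last alert sent for it
    fired = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        key = m.group(0) if use_regex else line
        now = syslog_time(line)
        prev = last_fired.get(key)
        if prev is not None and (now - prev).total_seconds() < window_seconds:
            continue  # same key inside the window: suppressed
        last_fired[key] = now
        fired.append(line)
    return fired


if __name__ == "__main__":
    print("whole line :", len(throttled_alerts(SAMPLE_LOG, r"authentication failure")))
    print("use=regex  :", len(throttled_alerts(SAMPLE_LOG, r"authentication failure", use_regex=True)))
```

Whole-line keying lets all four lines through because their timestamps and pids differ; regex keying sends only the first and suppresses the rest for the window.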
Current thread:
- How to Use Throttle when using Swatch for duplicate email alerts Sudhakar Gummadi (Apr 09)
- Re: How to Use Throttle when using Swatch for duplicate email alerts Sam Evans (Apr 09)
- Re: How to Use Throttle when using Swatch for duplicate email alerts Erek Adams (Apr 09)
- <Possible follow-ups>
- RE: How to Use Throttle when using Swatch for duplicate email alerts Hutchinson, Andrew (Apr 10)