Snort mailing list archives

RE: How to Use Throttle when using Swatch for duplicate email alerts


From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Thu, 10 Apr 2003 09:13:06 -0500

First, make sure that you've read the swatch documentation (man swatch).

Next, make sure that you're properly matching the event you want to
watch with the regex that you specify.  It sounds like you are, since
you're getting the alerts.

Now, you have to consider exactly _what_ swatch is using when deciding
whether to throttle an event or not.  By default, swatch uses the
_whole_ message (i.e. the whole line that triggered the alert).  If
_ANYTHING_ is different from one line to the next (like a timestamp, an
event identifier, an ip address, a port number, etc.) then the events
are dissimilar and will NOT be throttled.

However, you can also specify the use=regex option in your throttle
statement, which causes swatch to only use the regex match in
determining whether to throttle an event.

Here's a "for instance".  Let's say that I have somebody trying to brute
force their way into my system.  (Here my "brute forcing" is me
attempting to log into my syslog server incorrectly a couple of
times...)

Apr 10 08:59:27 ns-syslog sshd(pam_unix)[25635]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root
Apr 10 08:59:36 ns-syslog sshd(pam_unix)[25635]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root
Apr 10 08:59:38 ns-syslog sshd(pam_unix)[25637]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root
Apr 10 08:59:46 ns-syslog sshd(pam_unix)[25637]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root


If I were to use this directive in swatch.conf...

watchfor /authentication failure/
        throttle 10:00
        exec=echo \"At $1 $2 $3 Login Failure << $0 >>\" | sendmail -f swatch@ns-syslog andrew.hutchinson () vanderbilt edu

...I would get 4 messages emailed to me.  Look at field number 3 (the
timestamp).  Different timestamps.  Different events.  No throttling.


However, if I use THIS directive in swatch.conf...

watchfor /authentication failure/
        throttle 10:00,use=regex
        exec=echo \"At $1 $2 $3 Login Failure << $0 >>\" | sendmail -f swatch@ns-syslog andrew.hutchinson () vanderbilt edu

... I get one email message mailed to me.  Here it is:

# ==========
To: andrew.hutchinson () vanderbilt edu
From: swatch () ns-syslog mc vanderbilt edu
Subject: 

At Apr 10 08:59:27 Login Failure << Apr 10 08:59:27 ns-syslog
sshd\(pam_unix\)[25635]: authentication failure\; logname= uid=0 euid=0
tty=NODEVssh ruser= rhost=10.1.1.1  user=root >>
# ==========


Because I specified "use=regex", the only thing that is compared is
"authentication failure", and thus I'm only emailed once - even if
somebody tries to log in 10,000 times in 10 minutes.  However, when I
get an email re: an auth failure to a box that very few people should be
logging into, I generally react pretty quickly.  Especially if I don't
recognize the IP address.

Hope that this helps. 

Andrew


Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
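
The throttle-key behaviour Andrew describes above, written out as a small Python model (an added example, not code from the post or from swatch itself). It is a simplified model of swatch's throttle: the first matching line fires, and later lines with the same key inside the window are suppressed; the key is the whole line by default or only the regex match with use=regex. The four sshd lines are the ones from the post; the fifth line and the `throttle_alerts` function name are constructed for the example.

```python
import re
from datetime import datetime

# The four sshd lines from the post, unwrapped.
SAMPLE_LOG = [
    "Apr 10 08:59:27 ns-syslog sshd(pam_unix)[25635]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root",
    "Apr 10 08:59:36 ns-syslog sshd(pam_unix)[25635]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root",
    "Apr 10 08:59:38 ns-syslog sshd(pam_unix)[25637]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root",
    "Apr 10 08:59:46 ns-syslog sshd(pam_unix)[25637]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root",
]
# Constructed: one more failure more than ten minutes after the first,
# i.e. after the 10:00 throttle window has expired.
LATER_LINE = "Apr 10 09:12:00 ns-syslog sshd(pam_unix)[25640]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root"


def syslog_time(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (year ignored)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def throttle_alerts(lines, pattern, window_seconds, use_regex=False):
    """Return the lines that would fire the watchfor action.

    Simplified model of swatch's throttle: the throttle key is the whole
    line (default) or just the text matched by the regex (use=regex).
    A line whose key already fired less than window_seconds ago is
    suppressed; once the window has passed, the key may fire again.
    """
    rx = re.compile(pattern)
    last_fired = {}   # key -> timestamp of the last alert that fired
    fired = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        key = m.group(0) if use_regex else line
        ts = syslog_time(line)
        prev = last_fired.get(key)
        if prev is None or (ts - prev).total_seconds() >= window_seconds:
            fired.append(line)
            last_fired[key] = ts
    return fired


if __name__ == "__main__":
    for use_regex in (False, True):
        n = len(throttle_alerts(SAMPLE_LOG, r"authentication failure", 600, use_regex))
        print(f"throttle 10:00{',use=regex' if use_regex else ''}: {n} email(s)")
```

Run as-is it reports 4 emails for the default throttle and 1 for use=regex, matching the counts in the post; appending LATER_LINE shows the use=regex key firing again once the ten-minute window is over.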

-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Wednesday, April 09, 2003 3:27 PM
To: Sudhakar Gummadi
Cc: Erek Adams; snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to Use Throttle when using Swatch for duplicate email alerts


On Wed, 9 Apr 2003, Sudhakar Gummadi wrote:

I am using swatch to generate email alerts from the alert file comparing
the string /priority: 1/. In some instances the same alert is generated
numerous times like 30 to 40 emails.

I was wondering how can I specify using (throttle) for 10 to 15 min to
ignore if it is the same alert.

Any examples would be really helpful.

http://www.theadamsfamily.net/~erek/snort/snort-swatch.txt

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The
debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost
and 
disoriented. TotalView can help you find your way. Available on major
UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

