Snort mailing list archives

Hey, who uses SWATCH!?? When there is a scan, I get too many mails on root () domain com


From: soldier Mx <soldi3rmx () yahoo com mx>
Date: Wed, 14 Jan 2004 18:48:08 -0600 (CST)

yes...

When I scan my system or somebody does...
I get like 15 mails of the scan..
and I just want ONE mail..

Here is my configuration .swatchrc file..

watchfor /spp_portscan/
bell
echo normal
mail root () linux mty itesm mx,Subject=--- ! Snort alert! --- Hicieron un Escaneo
exec echo $0 >> /var/log/messages
throttle 00:30:10

watchfor /EXPLOIT/
bell
echo normal
mail root () linux mty itesm mx,Subject=--- ! Snort alert! --- Trataron de hackear
exec echo $0 >> /var/log/messages
throttle 00:02:10

...
and more..


I wrote 30 minutes in the throttle,
'cause if I'm not wrong it means that if the rule is matched
again it will ignore it for like 30 minutes...

What to do..
I had it as 1 min, but it was sending a lot of mails
also.. in ONE scan with nmap

#nmap -v -sS -O host.com



my best regardsss!!

thanks everybody

Bye from .mx
 
