[Snort-users] Swatch & Snort & multi-line alerts

Carl Johnson carl.johnson at ...6517...
Fri Aug 2 14:33:03 EDT 2002


Hi,

Got a bit of a problem with Swatch and Snort.  I want to have Swatch 
email me certain Snort alerts from the 'alert' file.  These alerts in 
the file are more than one line.  So, I figured I'd use a \n\n 
input-record-separator with Swatch.

It doesn't work.

It sends me the line that matches the string, but only that one line, 
not the full blurb in the file.

Looking in the archives of this list I came across this text in a 
message from 3/14/01:

"i wanted to see the full multiline alerts so i
had to modify File::Tail in order to do so.  i am working with
the developer to incorporate changes into the next release."

This is the same problem I'm having.  The File::Tail Perl module that 
Swatch uses apparently doesn't work with a \n\n separator.  It doesn't 
seem to have been incorporated into the new release I guess.

Any ideas before I start combing through Perl?

Thanks!
Carl
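The buffering the post is asking for, as an added example that is not part of the original message and is not Swatch's or File::Tail's code: instead of testing a pattern line by line, accumulate whatever a tail loop delivers until a blank line (the "\n\n" record separator) arrives, then test the pattern against the whole record and emit the whole record. The alert text and rule IDs below are constructed sample data in Snort's full-alert layout, not a real capture; `RecordBuffer`, `match_records` and `demo` are names chosen for this example.

```python
"""Group Snort 'alert' file output into whole multi-line records before
matching, instead of matching one line at a time the way Swatch/File::Tail
does.  Added example: not Swatch's code and not the poster's.  The alert
text below is constructed sample data in Snort's full-alert layout.
"""
import re
from typing import Iterator, List

# A blank line is the record separator (the "\n\n" the post wants).
# Snort's full alert format prints one empty line after each alert.
SEPARATOR_RE = re.compile(r"\n[ \t]*\n")


class RecordBuffer:
    """Accumulate arbitrary chunks (as a tail loop delivers them) and yield
    only complete records, so a pattern is tested against the whole blurb."""

    def __init__(self) -> None:
        self._pending = ""

    def feed(self, chunk: str) -> Iterator[str]:
        self._pending += chunk
        while True:
            m = SEPARATOR_RE.search(self._pending)
            if m is None:
                return                      # wait for more data
            record = self._pending[: m.start()]
            self._pending = self._pending[m.end():]
            if record.strip():              # ignore runs of extra blank lines
                yield record

    def flush(self) -> Iterator[str]:
        """Emit a trailing record that has no separator after it yet
        (e.g. the last alert in a file that is no longer being appended)."""
        record, self._pending = self._pending, ""
        if record.strip():
            yield record


def match_records(chunks: List[str], pattern: str) -> List[str]:
    """Return every complete record matching `pattern` (a regex), each as
    the full multi-line text rather than only the line that matched."""
    pat = re.compile(pattern)
    buf = RecordBuffer()
    hits: List[str] = []
    for chunk in chunks:
        for rec in buf.feed(chunk):
            if pat.search(rec):
                hits.append(rec)
    for rec in buf.flush():
        if pat.search(rec):
            hits.append(rec)
    return hits


# Constructed sample in Snort's full-alert layout (rule IDs are made up).
SAMPLE_ALERTS = (
    "[**] [1:1000001:1] CONSTRUCTED TEST RULE A [**]\n"
    "[Classification: Misc activity] [Priority: 3]\n"
    "08/02-14:33:03.000001 192.0.2.10:40000 -> 192.0.2.20:80\n"
    "TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF\n"
    "\n"
    "[**] [1:1000002:1] CONSTRUCTED TEST RULE B [**]\n"
    "[Classification: Misc activity] [Priority: 3]\n"
    "08/02-14:33:04.000002 192.0.2.11:40001 -> 192.0.2.20:22\n"
    "TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF\n"
    "\n"
)


def demo() -> List[str]:
    # Split the sample mid-record to imitate a tail loop that wakes up
    # before Snort has finished writing a whole alert.
    cut = SAMPLE_ALERTS.index("RULE B") + 3
    chunks = [SAMPLE_ALERTS[:cut], SAMPLE_ALERTS[cut:]]
    return match_records(chunks, r"RULE B")


if __name__ == "__main__":
    for rec in demo():
        print(rec)
        print("-" * 40)
```

The point of the buffer is that a match is never reported until the separator after the record has been seen, so the reader never emails a half-written alert; the same accumulate-until-separator logic is what a File::Tail-based watcher would need to do in Perl before handing a record to its pattern checks.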