[Snort-users] Swatch & Snort & multi-line alerts
carl.johnson at ...6517...
Fri Aug 2 14:33:03 EDT 2002
Got a bit of a problem with Swatch and Snort. I want to have Swatch
email me certain Snort alerts from the 'alert' file. These alerts in
the file are more than one line. So, I figured I'd use a \n\n
input-record-separator with Swatch.
It doesn't work.
It sends me the line that matches the string, but only that one line,
not the full blurb in the file.
Looking in the archives of this list I came across this text in a
message from 3/14/01:
"i wanted to see the full multiline alerts so i
had to modify File::Tail in order to do so. i am working with
the developer to incorporate changes into the next release."
This is the same problem I'm having. The File::Tail perl module that
Swatch uses apparently doesn't work with a \n\n separator. It doesn't
seem to have been incorporated into the new release I guess.
Any ideas before I start combing through Perl?
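For the record-splitting half of the problem, as an added example that is not from the original post, Swatch or File::Tail: Perl's paragraph mode (`$/ = ""`) reads a Snort full-alert file one blank-line-separated alert at a time, so a match returns the whole block instead of a single line. The alert text below is constructed, and the pattern and the `/var/log/snort/alert` path are assumptions; it reads a static file rather than tailing it.

```perl
#!/usr/bin/perl
# Added example (not from the original post, Swatch or File::Tail): read a
# Snort 'alert' file in paragraph mode so each blank-line-separated alert is
# one record, then report every whole record that matches a pattern.
use strict;
use warnings;

# Constructed sample in Snort's full-alert format: two alerts separated by a
# blank line, as they appear in the 'alert' file.
my $sample = <<'END';
[**] [1:1000001:1] EXAMPLE scan probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/02-14:33:03.123456 192.0.2.10:41234 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60

[**] [1:1000002:1] EXAMPLE web request [**]
[Classification: Web Application Attack] [Priority: 1]
08/02-14:33:04.654321 192.0.2.11:51234 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60
END

# Return every complete alert record whose text matches $pattern.
sub matching_alerts {
    my ($fh, $pattern) = @_;
    local $/ = "";          # paragraph mode: a record ends at a blank line
    my @hits;
    while (my $record = <$fh>) {
        chomp $record;      # in paragraph mode chomp drops all trailing newlines
        push @hits, $record if $record =~ /$pattern/;
    }
    return @hits;
}

# Read from the in-memory sample; on a real sensor replace this with
# open(my $fh, '<', '/var/log/snort/alert')  (assumed path).
open(my $fh, '<', \$sample) or die "cannot open sample: $!";
for my $alert (matching_alerts($fh, qr/Priority: 1/)) {
    print "$alert\n\n";     # prints the full multi-line alert, not one line
}
close $fh;
```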