[Snort-users] Re: (Snort-users) swatch/snort config

Edwin Pua edwin1118 at ...125...
Wed Jan 23 04:35:20 EST 2002

    OK, I run swatch with no error message using --config-file, but I still 
can't receive the alert email, though I've been seeing the alerts in the 
/var/log/snort/alert file... (it's weird...). Do I need to put the whole 
alert path in "/etc/swatch/swatch.conf"?

     Here is my current config.

# I put my snort-check program and recipient file under 
# /usr/local/src/snort-1.8.., since I compiled snort under /usr/local/src/ 
# (no error here; whenever I run the program manually, it sends me an email)


# here's my current swatch config
watchfor /snort\[/
    exec=/usr/local/src/snort-1.8.3/snort-check $0
    # just testing this line (comment kept on its own line so it is not
    # read as part of the address list)
    mail=edwin at ...4648...

### running both swatch and snort ###
Then I run swatch first, before the snort program:

]swatch --config-file /etc/swatch/swatch.conf

]./snort -b -A fast -c snort.conf

Then I did a simulation test via port scanning to my snort box to create 
alert files, and I saw the real-time alert logs on my snort box using "tail 
-f /var/log/snort/alert", but I wasn't able to receive any email based on my 
swatch.conf. What else do I need to check?

Thanks in advance...


>From: <sandro.poppi at ...3316...>
> >
> >   but I got an error message when I tried to run /usr/bin/swatch.
> >
> >        swatch: cannot read /root/.swatchrc
> >        swatch: using default configuration of:
> >                   watchfor = /.*/
> >                   echo = random
> >
>You should use the command line option --config-file.
>Take a look at the snortd script I wrote.
> >   BTW, what is the purpose of swatch_old2newrc? Is this the
> > program that
> > runs the swatch.conf?


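An added example (not from this thread, and not the poster's or the swatch project's code) that shows why a rule of `watchfor /snort\[/` can stay silent while `tail -f /var/log/snort/alert` is scrolling. The `snort[` text is the tag syslog prepends when snort is run with `-s`; lines written by `-A fast` to /var/log/snort/alert have no such tag, and swatch does not watch that file at all unless it is started with `--tail-file /var/log/snort/alert`. The two sample lines and the three-line alert file below are constructed, the alert formats are assumed from snort 1.8 `-A fast` and `-s` output, and the config printer mirrors the `action=value` style of the poster's own config (check swatch(1) for the version in use).

```shell
#!/bin/sh
# Added example, not from the original thread: checks which log format a
# swatch "watchfor" regex actually matches, using constructed sample lines.

# Constructed sample lines (assumed formats, not real captures):
#  - what "snort -A fast" writes to /var/log/snort/alert
#  - what "snort -s" sends to syslog, which prefixes "snort[pid]:"
FAST_ALERT_LINE='01/23-04:35:20.123456 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.1 -> 10.0.0.2'
SYSLOG_LINE='Jan 23 04:35:20 sensor snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.1 -> 10.0.0.2'

# The rule from the post: it can only match the syslog tag "snort[".
SYSLOG_PATTERN='snort\['
# A pattern for the -A fast file instead: the "[**] [gid:sid:rev]" marker.
FAST_PATTERN='\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]'

# matches PATTERN LINE: exit 0 if the extended regex matches the line.
matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# count_hits PATTERN FILE: print the number of lines in FILE matching PATTERN
# (grep -c prints 0 and exits 1 on no match, so force a 0 exit status).
count_hits() {
    grep -Ec -e "$1" "$2" || true
}

# make_sample_alert_file: write a three-line constructed alert file, i.e.
# what "tail -f /var/log/snort/alert" would show, and print its path.
make_sample_alert_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$FAST_ALERT_LINE" > "$f"
    printf '%s\n' '01/23-04:35:21.000001 [**] [1:1418:1] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:33000 -> 10.0.0.2:161' >> "$f"
    printf '%s\n' '01/23-04:35:22.000002 [**] [1:628:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:33001 -> 10.0.0.2:80' >> "$f"
    printf '%s\n' "$f"
}

# swatch_config_for_alert_file: print a config in the same "action=value"
# style as the poster's, keyed on FAST_PATTERN instead of /snort\[/.
# Assumed to be the syntax of the poster's swatch version; see swatch(1).
swatch_config_for_alert_file() {
    printf 'watchfor /%s/\n' "$FAST_PATTERN"
    printf '    exec=/usr/local/src/snort-1.8.3/snort-check $0\n'
}

# diagnose: show how many lines of the sample alert file each rule fires on.
diagnose() {
    f=$(make_sample_alert_file) || return 1
    printf 'rule /snort\\[/ hits in alert file: %s\n' "$(count_hits "$SYSLOG_PATTERN" "$f")"
    printf 'fast-format rule hits in alert file: %s\n' "$(count_hits "$FAST_PATTERN" "$f")"
    rm -f "$f"
}
```

Run `diagnose` to see the original rule score zero hits against the alert file while the fast-format rule catches all three lines. Either fix closes the gap: start swatch with `swatch --config-file /etc/swatch/swatch.conf --tail-file /var/log/snort/alert` using a pattern like `FAST_PATTERN`, or keep `/snort\[/` and run snort with `-s` so alerts go to syslog, which is where swatch looks by default.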