[Snort-users] How to Use Throttle when using Swatch for duplicate email alerts

Sudhakar Gummadi sgummadi at ...8733...
Wed Apr 9 11:47:04 EDT 2003


Hi,

I am using swatch to generate email alerts from the alert file comparing
the string /priority: 1/. In some instances the same alert is generated
numerous times, like 30 to 40 emails.

I was wondering how I can specify (throttle) for 10 to 15 min to
ignore it if it is the same alert.

Any examples would be really helpful.

Thanks
SG
-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Tuesday, April 08, 2003 4:31 PM
To: ryan stangl
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] (no subject)

On Tue, 8 Apr 2003, ryan stangl wrote:

> I was hoping that someone could help me, I am running snort 1.9 on
> Win2K.  I got it to run and on our little mock network I can see other
> computers trying to get in, for example I can see a ping, or a sweep.  So
> I assumed that it was working.  Then I wanted to see if I could get one
> of my rules to work, so I added a rules text where all the other rules
> were, and gave it a .rules extension, I made just a simple one alert tcp
> <ip/24>500:2000 -> <ip/24> any.  Then in the snort config file I placed a
> # in front of all of the rules listed and added a path to the rule file I
> made.  My thinking was that I would receive only instances that I
> specified where anything coming from not my computer between port 500 and
> 2000 trying to go to my computer by any port, but that wasn't the case, I
> was getting everything as I was before, coming from any port.  It seemed
> A.) that my rule file wasn't working, and B.) that all the rule files
> were activated again, WHY IS THIS.  If anyone can help me out here it
> would be greatly appreciated.  Thanks

Either you didn't restart snort after you made the change, or you are
using a different config file than the one you edited.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
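
The throttling asked about at the top of this message, sketched as an added example (not swatch's own code or configuration syntax, and not from either poster): mail a priority 1 alert once per signature and host pair, then suppress repeats for 15 minutes. The alert lines are constructed samples in Snort's "fast" alert layout; the function name, the key choice and the year argument are assumptions.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, priority, endpoints.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\].*?"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)",
    re.IGNORECASE)

def throttle(lines, window=timedelta(minutes=15), year=2003, priority=1):
    """Return the alert lines that should be mailed: one per key per window."""
    last_sent = {}   # key -> time of the last alert that was mailed
    to_mail = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or int(m["prio"]) != priority:
            continue
        # The timestamp carries no year by default, so one is assumed.
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        # Key on signature and hosts only. The raw line never repeats,
        # because the timestamp and the ephemeral source port change.
        key = (m["sig"], m["src"], m["dst"])
        prev = last_sent.get(key)
        if prev is not None and ts - prev < window:
            continue  # same alert inside the window: suppress
        last_sent[key] = ts
        to_mail.append(line)
    return to_mail

# Constructed sample input (local-rule SIDs, private addresses).
SAMPLE = [
    "04/09-11:40:01.100000  [**] [1:1000001:1] EXAMPLE rule A [**] [Priority: 1] {TCP} 10.0.0.5:1042 -> 10.0.0.9:80",
    "04/09-11:40:03.200000  [**] [1:1000001:1] EXAMPLE rule A [**] [Priority: 1] {TCP} 10.0.0.5:1043 -> 10.0.0.9:80",
    "04/09-11:41:00.000000  [**] [1:1000002:1] EXAMPLE rule B [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "04/09-11:50:00.000000  [**] [1:1000001:1] EXAMPLE rule A [**] [Priority: 1] {TCP} 10.0.0.7:2000 -> 10.0.0.9:80",
    "04/09-11:56:00.000000  [**] [1:1000001:1] EXAMPLE rule A [**] [Priority: 1] {TCP} 10.0.0.5:1050 -> 10.0.0.9:80",
]

if __name__ == "__main__":
    for alert in throttle(SAMPLE):
        print(alert)
```

The window is measured from the last alert that was mailed, so a continuous stream still produces one mail per window instead of going silent.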

