[Snort-users] How to Use Throttle when using Swatch for duplicate email alerts
sam at ...5202...
Wed Apr 9 12:52:05 EDT 2003
Well, in theory there is a command in swatch called 'throttle'.
Here's what I use:
mail=your_email at ...5892...,subject=ALERT!!
throttle = 00:01:00
Now, according to the swatch docmentation it is supposed to fire the event
every 1 minutes. I have not had any success in getting it to honor the
But, maybe your luck will be better than mine.
On Wed, 9 Apr 2003, Sudhakar Gummadi wrote:
> I am using swatch to generate email alerts from the alert file comparing
> the string /priority: 1/. In some instances the same alert is generated
> numerous times like 30 to 40 emails.
> I was wondering how can I specify using (throttle) for 10 to 15 min to
> ignore if it the same alert.
> Any examples would be really helpful.
> -----Original Message-----
> From: Erek Adams [mailto:erek at ...950...]
> Sent: Tuesday, April 08, 2003 4:31 PM
> To: ryan stangl
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] (no subject)
> On Tue, 8 Apr 2003, ryan stangl wrote:
> > I was hoping that someone could help me, I am running snort 1.9 on
> > Win2K. I got it to run and on our little moch network I can see other
> > computers trying to get in, for example I can see a ping, or a sweep.
> > I assumed that it was working. Then I wanted to see if I could get
> > of my rules to work, so I added a rules text where all the other rules
> > where, and gave it a .rules extension, I made just a simple one alert
> > <ip/24>500:2000 -> <ip/24> any. Then in the snort config file I
> placed a
> > # in front of all of the rules listed and added a path to the rule
> file I
> > made. My thinking was that I would recieve only instances that I
> > specified where anything coming from not my computer between port 500
> > 2000 trying to go to my computer by any port, but that wasn't the
> case, I
> > was getting everything as I was before, comming from any port. It
> > A.) that my rule file wasn't working, and B.) that all the rule files
> > where activated again, WHY IS THIS. If anyone can help me out here it
> > would be greatly appreciated. Thanks
> Either you didn't restart snort after you made the change, or you are
> using a different config file than the one you edited.
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
> This SF.net email is sponsored by: ValueWeb:
> Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
> No other company gives more support or power for your dedicated server
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users