[Snort-users] How to Use Throttle when using Swatch for duplicate email alerts

Sam Evans sam at ...5202...
Wed Apr 9 12:52:05 EDT 2003

Well, in theory there is a command in swatch called 'throttle'.

Here's what I use:

watchfor	/Something/
  mail=your_email at ...5892...,subject=ALERT!!
  throttle = 00:01:00

Now, according to the swatch docmentation it is supposed to fire the event
every 1 minutes.  I have not had any success in getting it to honor the
throttle statement.

But, maybe your luck will be better than mine.

On Wed, 9 Apr 2003, Sudhakar Gummadi wrote:

> Hi,
> I am using swatch to generate email alerts from the alert file comparing
> the string  /priority: 1/. In some instances the same alert is generated
> numerous times like 30 to 40 emails.
> I was wondering how can I specify using (throttle) for 10 to 15 min to
> ignore if it the same alert.
> Any examples would be really helpful.
> Thanks
> SG
> -----Original Message-----
> From: Erek Adams [mailto:erek at ...950...]
> Sent: Tuesday, April 08, 2003 4:31 PM
> To: ryan stangl
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] (no subject)
> On Tue, 8 Apr 2003, ryan stangl wrote:
> > I was hoping that someone could help me, I am running snort 1.9 on
> > Win2K.  I got it to run and on our little moch network I can see other
> > computers trying to get in, for example I can see a ping, or a sweep.
> So
> > I assumed that it was working.  Then I wanted to see if I could get
> one
> > of my rules to work, so I added a rules text where all the other rules
> > where, and gave it a .rules extension, I made just a simple one alert
> tcp
> > <ip/24>500:2000 -> <ip/24> any.  Then in the snort config file I
> placed a
> > # in front of all of the rules listed and added a path to the rule
> file I
> > made.  My thinking was that I would recieve only instances that I
> > specified where anything coming from not my computer between port 500
> and
> > 2000 trying to go to my computer by any port, but that wasn't the
> case, I
> > was getting everything as I was before, comming from any port.  It
> seemed
> > A.) that my rule file wasn't working, and B.) that all the rule files
> > where activated again, WHY IS THIS.  If anyone can help me out here it
> > would be greatly appreciated.  Thanks
> Either you didn't restart snort after you made the change, or you are
> using a different config file than the one you edited.
> Cheers!
> -----
> Erek Adams
>    "When things get weird, the weird turn pro."   H.S. Thompson
> -------------------------------------------------------
> This SF.net email is sponsored by: ValueWeb:
> Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
> No other company gives more support or power for your dedicated server
> http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list