[Snort-users] How to Use Throttle when using Swatch for duplicate email alerts

Hutchinson, Andrew Andrew.Hutchinson at ...3639...
Thu Apr 10 07:14:10 EDT 2003


First, make sure that you've read the swatch documentation (man swatch).

Next, make sure that you're properly matching the event you want to
watch with the regex that you specify.  It sounds like you are, since
you're getting the alerts.

Now, you have to consider exactly _what_ swatch is using when deciding
whether to throttle an event or not.  By default, swatch uses the
_whole_ message (i.e. the whole line that triggered the alert).  If
_ANYTHING_ is different from one line to the next (like a timestamp, an
event identifier, an IP address, a port number, etc.) then the events
are dissimilar and will NOT be throttled.

However, you can also specify the use=regex option in your throttle
statement, which causes swatch to only use the regex match in
determining whether to throttle an event.

Here's a "for instance".  Let's say that I have somebody trying to brute
force their way into my system.  (Here my "brute forcing" is me
attempting to log into my syslog server incorrectly a couple of
times...)

Apr 10 08:59:27 ns-syslog sshd(pam_unix)[25635]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root
Apr 10 08:59:36 ns-syslog sshd(pam_unix)[25635]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root
Apr 10 08:59:38 ns-syslog sshd(pam_unix)[25637]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root
Apr 10 08:59:46 ns-syslog sshd(pam_unix)[25637]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root


If I were to use this directive in swatch.conf...

watchfor /authentication failure/
        throttle 10:00
        exec=echo \"At $1 $2 $3 Login Failure << $0 >>\" | sendmail -f swatch at ...8832... andrew.hutchinson at ...758...

...I would get 4 messages emailed to me.  Look at field number 3 (the
timestamp).  Different timestamps.  Different events.  No throttling.


However, if I use THIS directive in swatch.conf...

watchfor /authentication failure/
        throttle 10:00,use=regex
        exec=echo \"At $1 $2 $3 Login Failure << $0 >>\" | sendmail -f swatch at ...8832... andrew.hutchinson at ...758...

... I get one email message mailed to me.  Here it is:

# ==========
To: andrew.hutchinson at ...758...
From: swatch at ...8833...
Subject: 

At Apr 10 08:59:27 Login Failure << Apr 10 08:59:27 ns-syslog sshd\(pam_unix\)[25635]: authentication failure\; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root >>
# ==========


Because I specified "use=regex", the only thing that is compared is
"authentication failure", and thus I'm only emailed once - even if
somebody tries to log in 10,000 times in 10 minutes.  However, when I
get an email re: an auth failure to a box that very few people should be
logging into, I generally react pretty quickly.  Especially if I don't
recognize the IP address.

Hope that this helps. 

Andrew


Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856

> -----Original Message-----
> From: Erek Adams [mailto:erek at ...950...] 
> Sent: Wednesday, April 09, 2003 3:27 PM
> To: Sudhakar Gummadi
> Cc: Erek Adams; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] How to Use Throttle when using 
> Swatch for duplicate email alerts
> 
> 
> On Wed, 9 Apr 2003, Sudhakar Gummadi wrote:
> 
> > I am using swatch to generate email alerts from the alert 
> file comparing
> > the string  /priority: 1/. In some instances the same alert 
> is generated
> > numerous times like 30 to 40 emails.
> >
> > I was wondering how can I specify using (throttle) for 10 
> to 15 min to
> > ignore if it the same alert.
> >
> > Any examples would be really helpful.
> 
> http://www.theadamsfamily.net/~erek/snort/snort-swatch.txt
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
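The difference Andrew describes (throttle keyed on the whole line versus keyed on the regex match) is easy to see by simulating it. The following is an added example, not swatch's own code and not from the thread: a small Python model of a `watchfor` block with a throttle, fed the four sshd lines from the post plus one constructed line from a second source address (the year 2003 and a 10-minute window for `throttle 10:00` are assumptions taken from the surrounding text). It also goes one step beyond the post by keying the throttle on the `rhost=` value, which keeps the mail volume down per source without hiding a second attacker behind the first one's window; that keying mode is this example's own, not a swatch option the post shows.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the sshd(pam_unix) lines quoted in the post
# (same timestamps, PIDs and host). The year is assumed to be 2003 for parsing.
SAMPLE_LOG = [
    "Apr 10 08:59:27 ns-syslog sshd(pam_unix)[25635]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root",
    "Apr 10 08:59:36 ns-syslog sshd(pam_unix)[25635]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root",
    "Apr 10 08:59:38 ns-syslog sshd(pam_unix)[25637]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1  user=root",
    "Apr 10 08:59:46 ns-syslog sshd(pam_unix)[25637]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.1.1.1 user=root",
]
# Constructed extra line: a failure from a different source inside the same window.
SECOND_SOURCE = "Apr 10 09:01:02 ns-syslog sshd(pam_unix)[25640]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.2.2.2  user=root"

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_timestamp(line, year=2003):
    """Parse the leading 'Mon DD HH:MM:SS' syslog stamp (swatch's $1 $2 $3)."""
    mon, day, clock = line.split()[:3]
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return datetime(year, MONTHS[mon], int(day), hh, mm, ss)


class ThrottledWatch:
    """Simplified model of a swatch 'watchfor' block with a throttle action.

    use="message": key is the whole line (swatch's default), so any difference
                   between lines (timestamp, PID, IP) defeats the throttle.
    use="regex":   key is only the text the watchfor regex matched.
    use=<callable>: this example's own extension, a function line -> key.
    The model only suppresses repeats inside the window; it does not try to
    reproduce swatch's exact reporting of how many repeats were suppressed.
    """

    def __init__(self, pattern, window, use="message"):
        self.regex = re.compile(pattern)
        self.window = window
        self.use = use
        self.last_alert = {}  # throttle key -> time of the last alert sent for it

    def _key(self, line, match):
        if self.use == "message":
            return line
        if self.use == "regex":
            return match.group(0)
        return self.use(line)

    def feed(self, line):
        """Return the alert text if this line should fire, otherwise None."""
        match = self.regex.search(line)
        if not match:
            return None
        now = parse_timestamp(line)
        key = self._key(line, match)
        last = self.last_alert.get(key)
        if last is not None and now - last < self.window:
            return None  # still inside the throttle window for this key
        self.last_alert[key] = now
        mon, day, clock = line.split()[:3]
        return f"At {mon} {day} {clock} Login Failure << {line} >>"


def rhost_key(line):
    """Throttle key = the rhost= value, so each source gets its own window."""
    m = re.search(r"rhost=(\S+)", line)
    return m.group(1) if m else line


def run(lines, use="message", window=timedelta(minutes=10)):
    """Feed lines through one watchfor /authentication failure/ block; return alerts sent."""
    watch = ThrottledWatch(r"authentication failure", window, use=use)
    return [a for a in (watch.feed(line) for line in lines) if a is not None]


if __name__ == "__main__":
    lines = SAMPLE_LOG + [SECOND_SOURCE]
    for label, mode in (("use=message", "message"), ("use=regex", "regex"), ("keyed by rhost", rhost_key)):
        alerts = run(lines, use=mode)
        print(f"{label}: {len(alerts)} alert(s)")
        for a in alerts:
            print("   ", a)
```

With the four lines from the post, `use="message"` sends four mails and `use="regex"` sends one, matching what Andrew saw. Adding the constructed second-source line shows the cost of `use=regex`: the 10.2.2.2 failure at 09:01:02 falls inside the window opened by 10.1.1.1 and is never mailed, whereas keying on `rhost=` sends exactly one mail per source.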

