[Snort-users] anyone experience "throttle" issues with Swatch for Snort?

Jason Truong Jason.Truong at ...10396...
Wed Jul 14 12:09:26 EDT 2004


I'm running snort 2.13 outputting to mysql and syslog, which works great.  I have set up swatch 3.1 to send me email alerts in real time .... I'm assuming a lot of people are doing the same. (If not with swatch, then with some other application like SEC.)

However, I'm having issues with the Throttle command.  It doesn't seem to work at all.  I understand this is the snort mailing list, but there is nothing I can find on the swatch homepage under the messages forum.

Here's an example:

watchfor /.*GNUTella/
        throttle 00:30:00,use=regex
        mail blah at ...4651...,Subject=Snort Alert - GNUTella traffic

I want to get an email for GNUTella alerts every 30 minutes .... instead I get a whole flurry of them.
Is this a known bug in swatch, and is everyone either:

1. ignoring it and does not mind the flurry of emails 
2. using an older version of swatch which may have been patched
3. going with another application (i.e. SEC - simple event correlator http://simple-evcorr.sourceforge.net/)

Just wanted to know what the community is using for real time email alerts.

Jason Truong
Plumtree Software
email: jason.truong at ...10396...
(415) 399-7006
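For readers comparing tools, here is the throttling behaviour the post is asking for, written out as a small stand-alone Python model. It is an added example, not code from the post, from swatch or from SEC: it implements a "watchfor + throttle" rule that fires at most once per window, keyed either on the matching regex (one action per rule per window, which is what the post wants for GNUTella) or on the full message text (one action per distinct line per window). The class and function names (WatchRule, parse_hms, make_rules, demo), the rules and the Snort-style log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class WatchRule:
    """One watchfor/throttle pair: act at most once per `window` seconds per key.

    key="regex"   -> a single key per rule, so all GNUTella lines share one timer
    key="message" -> one key per distinct line, so different hosts get their own timer
    """
    pattern: re.Pattern
    window: float
    key: str = "regex"
    last_fired: dict = field(default_factory=dict)   # key -> timestamp of last action

    def should_fire(self, line: str, now: float) -> bool:
        if not self.pattern.search(line):
            return False
        k = self.pattern.pattern if self.key == "regex" else line
        last = self.last_fired.get(k)
        if last is not None and now - last < self.window:
            return False                 # still inside the throttle window: suppress
        self.last_fired[k] = now
        return True


def parse_hms(spec: str) -> int:
    """Convert a swatch-style HH:MM:SS string (e.g. '00:30:00') into seconds."""
    h, m, s = (int(part) for part in spec.split(":"))
    return h * 3600 + m * 60 + s


def run(rules, events):
    """Feed (timestamp_seconds, line) pairs through the rules in order.

    Returns a list of (timestamp, rule_pattern, line) for every action that fires.
    """
    fired = []
    for ts, line in events:
        for rule in rules:
            if rule.should_fire(line, ts):
                fired.append((ts, rule.pattern.pattern, line))
    return fired


def make_rules():
    # Fresh rule objects each call, because throttle state lives inside them.
    return [
        WatchRule(re.compile(r"GNUTella"), parse_hms("00:30:00"), key="regex"),
        WatchRule(re.compile(r"SSH scan"), parse_hms("00:10:00"), key="message"),
    ]


# Constructed sample events (seconds since start, Snort-style syslog text);
# addresses are from the RFC 5737 documentation range.
EVENTS = [
    (0,    "snort: GNUTella client request {TCP} 192.0.2.5:6346 -> 192.0.2.9:6346"),
    (10,   "snort: SSH scan from 192.0.2.7"),
    (20,   "snort: SSH scan from 192.0.2.7"),      # same message, inside 10 min: suppressed
    (30,   "snort: SSH scan from 192.0.2.8"),      # different message: fires
    (60,   "snort: GNUTella client request {TCP} 192.0.2.6:6346 -> 192.0.2.9:6346"),
    (1700, "snort: GNUTella client request {TCP} 192.0.2.5:6346 -> 192.0.2.9:6346"),
    (1800, "snort: GNUTella client request {TCP} 192.0.2.5:6346 -> 192.0.2.9:6346"),  # window expired
    (5000, "snort: something unrelated"),
]


def demo():
    """Run the constructed events through fresh rules and return what fired."""
    return run(make_rules(), EVENTS)


if __name__ == "__main__":
    for ts, pattern, line in demo():
        print(f"t={ts:>5}s  rule={pattern:<9} {line}")
```

With the regex key, the four GNUTella lines produce exactly two actions (t=0 and t=1800), which is the "one email per 30 minutes" behaviour the post describes; switching that rule to key="message" would instead give one timer per distinct line and bring back most of the flurry, so the choice of key is the first thing to check when a throttle appears to do nothing.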
