[Snort-users] anyone experience "throttle" issues with Swatch for Snort?

Mitchell, Jason jason.mitchell at ...12132...
Thu Jul 15 15:15:00 EDT 2004


I have the same problem with swatch 3.1.  Moreover, trying to use threshold
as an alternative dies with an "Undefined subroutine &main::threshold" error
as soon as it sees a match.

Anyone have any ideas?  Or could point me to some decent documentation on
swatch?

Thanks!


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason Truong
Sent: Friday, July 02, 2004 1:38 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] anyone experience "throttle" issues with Swatch for
Snort?

Hello,

I'm running snort 2.13 outputting to mysql and syslog which works get.  I
have setup swatch 3.1 to send me email alerts in real time .... I'm assuming
lot of people are doing the same. (if not with swatch, with some other
application like SEC)

However, I'm having issues with the Throttle command.  It doesn't seem to
work at all.  I understand this is the snort mailing list but there is
nothing I can find on the swatch homepage under the messages forum.

Here's an example:

watchfor /.*GNUTella/
        throttle 00:30:00,use=regex
        mail blah at ...4651...,Subject=Snort Alert - GNUTella traffic

I want to get an email for GNUTella alerts every 30 minuets....instead a get
a whole flurry of them.
Is this a known bug in swatch and is everyone either:

1. ignoring it and does not mind the flurry of emails 
2. using an older version of swatch which may have been patched
3. going with another application (ie SEC - simple event correlator
http://simple-evcorr.sourceforge.net/)

Just wanted to know what the communtiy is using for real time email alerts.
Thanks,


Jason Truong
Plumtree Software
email: jason.truong at ...10396...
(415) 399-7006




-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id040&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential, proprietary, and/or privileged information protected by law. If you are not the intended recipient, you may not use, copy, or distribute this e-mail message or its attachments. If you believe you have received this e-mail message in error, please contact the sender by reply e-mail and destroy all copies of the original message. 




More information about the Snort-users mailing list