[Snort-users] Does anyone use swatch?

Will Metcalf william.metcalf at ...11827...
Sun Apr 25 18:33:33 EDT 2010


Ya... Use something like barnyard alert full output with a custom
record separator. So something like...

swatch -c /etc/swatchrc
--input-record-separator="=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n"
--read-pipe="tail -f /var/log/snort/snort-full" --daemon

Regards,

Will

On Sun, Apr 25, 2010 at 5:16 PM, ccie 6862 <ccie6862 at ...131...> wrote:
> I've used swatch for some time, and I've decided to use it to alert me on the snort logs. What I'd like to do is to append some of the interesting part of the snort alert into the payload of the email. Has anyone done this? I did post this to the swatch users group, but since there has only been around 5 postings in the past 5 years or so, I don't expect an answer.
>
> Thanks
>
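The record-separator approach above, as an added example that is not from the thread: a small Python parser that cuts a barnyard alert_full log on that "=+=+..." separator line (the same string handed to swatch) and pulls out the header fields a notification mail would carry. The log excerpt is constructed; the field layout follows the usual alert_full header lines.

```python
from __future__ import annotations
import re
from typing import Iterator, Optional

# Separator line barnyard writes between alert_full records (any "=+=+...=+" run).
SEPARATOR_RE = re.compile(r"^=(\+=)*\+?$")
# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]$")
# "[Classification: ...] [Priority: N]"   (Snort: 1 is the most severe)
CLASS_RE = re.compile(r"\[Classification:\s*(.*?)\]\s*\[Priority:\s*(\d+)\]")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$")

# Constructed sample log with one TCP alert and one ICMP alert.
SAMPLE_LOG = """\
[**] [1:1000001:1] CONSTRUCTED test alert [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/25-17:16:01.123456 10.0.0.5:40210 -> 192.168.1.10:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] [1:1000002:1] CONSTRUCTED low priority alert [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
04/25-17:16:02.000001 10.0.0.6 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

def split_records(text: str) -> Iterator[list[str]]:
    """Yield each alert as its non-empty lines, cutting on separator lines."""
    record: list[str] = []
    for line in text.splitlines():
        if SEPARATOR_RE.match(line.strip()):
            if record:
                yield record
            record = []
        elif line.strip():
            record.append(line.rstrip())
    if record:  # last record when the log does not end with a separator
        yield record

def parse_alert(lines: list[str]) -> Optional[dict]:
    """Pull sid, message, classification, priority, time and endpoints from one record."""
    alert: dict = {}
    for line in lines:
        if m := HEADER_RE.match(line):
            alert.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
        elif m := CLASS_RE.search(line):
            alert.update(classification=m[1], priority=int(m[2]))
        elif m := FLOW_RE.match(line):
            alert.update(time=m[1], src=m[2], sport=m[3], dst=m[4], dport=m[5])
    return alert if "sid" in alert else None

def summarize(text: str, max_priority: int = 2) -> list[str]:
    """One-line mail summaries for alerts with priority number <= max_priority."""
    out = []
    for rec in split_records(text):
        a = parse_alert(rec)
        if a and a.get("priority", 99) <= max_priority:
            out.append(f"[{a['gid']}:{a['sid']}] {a['msg']} {a['src']} -> {a['dst']} (prio {a['priority']})")
    return out
```

Feeding `tail -f` output through `split_records` gives the same grouping swatch gets from the custom input record separator, so a multi-line alert is handled as one unit rather than line by line.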
