> -----Original Message-----
> From: Jeremy Mates [mailto:jmatesat_private]
>
> * Crow, Owen <Owen_Crowat_private> [2003-01-07T14:52-0800]:
> > Which version of swatch are you using and have you applied
> > any patches?
> >
> > No patches I know of.
> >
> > $ swatch --version
> > This is swatch version 3.0.4
> > Built on 11/5/2001
> > Built by E. Todd Atkins <Todd.Atkinsat_private>
> >
> > $ openssl md5 < /usr/bin/swatch
> > 1e3d115fdbad9f62269b0d80408ba6d5
>
> My copy matches both of these.
>
> > I've tried using swatch 3.0.4 with and without the patches at
> > http://plaza8.mbn.or.jp/~yswww/myself/swatch-en.html, but I can't
> > get throttle to work as advertised. It stops floods of messages,
> > but after the throttle timeout, it will not show more messages of
> > the same type, ever.
>
> Hmmm, may have never noticed that behaviour. Testing...
>
> Feeding a generic fatal error to trigger the swatch daemon watching
> the "everything" log over the last few minutes has resulted in three
> messages thus far, the initial report plus two "X messages in the last
> 10 minutes: blah."
> [snip]

I'm still having the problem, which I will show below.

My swatchrc file:

[root@hostname root]# cat swatchrc-20030108
watchfor = /\[\*\*\]/
        echo random
        mail addresses=address\@com.com,subject=NIDS
        throttle=00:30,use=regex

Since I started swatch this morning, this is all I have received:

[root@hostname root]# date;/usr/bin/swatch --config-file swatchrc-20030108 --tail-file /var/log/snort/alert.fast
Fri Jan 10 08:51:01 CST 2003

*** swatch-3.0.4 (pid:7876) started at Fri Jan 10 08:51:02 CST 2003

01/10/03-08:28:49.479388 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349

And I have received one email message:

01/10/03-08:28:49.479388 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349

Both of the above come from the last message in the file, since swatch appears to start tailing with a "tail -1f".

If I grep the log file for strings matching "[Priority: 1]" since the start time of swatch, there are two lines:

[root@hostname snort]# tail -1f alert.fast
01/10/03-08:28:49.479388 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
01/10/03-10:18:33.495630 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 3.3.3.3:995
01/10/03-10:26:54.709144 [**] [1:688:4] MS-SQL sa login failed [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 4.4.4.4:1433 -> 6.6.6.6:1079
01/10/03-10:29:05.787456 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 5.5.5.5:1008
01/10/03-10:31:00.325988 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
01/10/03-10:43:28.776502 [**] [1:688:4] MS-SQL sa login failed [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 4.4.4.4:1433 -> 6.6.6.6:1090

By my count, I should have received an echo and an email for each one of these messages in the logs (6 total) because they occurred more than 30 seconds apart. If I'm mistaken in what "00:30" means, and it's 30 minutes instead, I should have received about 3 or 4 of each.

Am I missing some syntax issue or something?

I am running on a fully patched Red Hat 7.2 system.

Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
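Added example (not from the post or from swatch itself): a small Python model of the throttle behaviour Owen expects from "throttle=00:30,use=regex", run over the six alert lines he quoted, so the 30-second and 30-minute readings of "00:30" can be compared. It assumes the throttle window is measured from the last forwarded message and that, as Jeremy describes, the suppressed count is reported once the window has expired; neither assumption is taken from swatch's source.

```python
import re
from datetime import datetime

# Constructed copy of the six snort fast-alert lines quoted in the post.
ALERTS = """\
01/10/03-08:28:49.479388 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
01/10/03-10:18:33.495630 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 3.3.3.3:995
01/10/03-10:26:54.709144 [**] [1:688:4] MS-SQL sa login failed [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 4.4.4.4:1433 -> 6.6.6.6:1079
01/10/03-10:29:05.787456 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 5.5.5.5:1008
01/10/03-10:31:00.325988 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
01/10/03-10:43:28.776502 [**] [1:688:4] MS-SQL sa login failed [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 4.4.4.4:1433 -> 6.6.6.6:1090
""".splitlines()

WATCHFOR = re.compile(r"\[\*\*\]")  # the watchfor pattern from the swatchrc in the post
STAMP = re.compile(r"^(\d\d/\d\d/\d\d-\d\d:\d\d:\d\d)")  # snort alert_fast timestamp prefix

def parse_time(line):
    """Timestamp of a snort fast-alert line (fractional seconds ignored)."""
    return datetime.strptime(STAMP.match(line).group(1), "%m/%d/%y-%H:%M:%S")

def throttle(lines, window_seconds):
    """Model of throttle=HH:MM,use=regex: all WATCHFOR hits share one bucket. A hit is
    forwarded only when more than window_seconds have passed since the last forwarded
    one (assumption: window measured from the last forwarded message); otherwise it is
    counted, and the count is reported once the window has expired."""
    actions, last_emit, suppressed = [], None, 0
    for line in lines:
        if not WATCHFOR.search(line):
            continue
        now = parse_time(line)
        if last_emit is None or (now - last_emit).total_seconds() > window_seconds:
            if suppressed:
                actions.append(f"{suppressed} messages suppressed since {last_emit:%H:%M:%S}")
                suppressed = 0
            actions.append(line)
            last_emit = now
        else:
            suppressed += 1
    return actions

def forwarded(actions):
    """Only the alert lines that would have been echoed and mailed (no summaries)."""
    return [a for a in actions if STAMP.match(a)]

if __name__ == "__main__":
    for label, secs in (("00:30 as 30 seconds", 30), ("00:30 as 30 minutes", 30 * 60)):
        acts = throttle(ALERTS, secs)
        print(f"{label}: {len(forwarded(acts))} alerts forwarded, {len(acts) - len(forwarded(acts))} summaries")
```

With a 30-second window every one of the six lines is forwarded, which is the behaviour Owen counted on; with a 30-minute window only the 08:28:49 and 10:18:33 lines get through and the other four are held in the bucket.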
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 11:56:14 PST