Hi Kelly,

I don't use swatch, but I would recommend that you try the ossec hids. I already posted about it on the list before (and we just released a new version), but it basically allows you to easily create very complex rules that actually work (and the install is pretty simple).

For example, you may have the following rule:

  <rule id="12345" level="3">
    <regex>authentication failed</regex>
    <description>example rule</description>
  </rule>

And you can extend it to be smarter:

  <rule id="10000" level="10" frequency="5" timeframe="120">
    <if_matched_sid>12345</if_matched_sid>
  </rule>

So in the latter case, it will only fire if it sees the rule "12345" firing 5 times within 120 seconds.

In your case, you could write the following rule:

  <rule id="10000" level="5" frequency="10" timeframe="100">
    <if_matched_regex>smtp1\.corp.* Service unavailable</if_matched_regex>
    <description>high number of service unavailable messages</description>
  </rule>

We right now have rules for many applications (squid, pure-ftpd, apache, snort, sshd, su, postfix, linux kernel, nfs, pptp, pam, telnet, generic ftp, iptables, etc, etc) and most of them are pretty smart (multiple failed logins, multiple invalid logins, multiple failed HTTP gets, multiple attempts to access invalid files, etc).

New version is available at:
http://www.ossec.net/files/rootcheck-0.7.tar.gz

Hope it helps.

--
Daniel B. Cid
dcid @ ( at ) ossec.net
http://www.ossec.net

--- Kelly Brown <kbbrown@private> wrote:

> Hello all:
>
> I'm trying to set up some swatch alerts that use throttling. I can
> not get it to work.
>
> perlcode my $sa_regex = 'smtp1\.corp.* Service unavailable';
> watchfor /$sa_regex/
>   echo
>   throttle 0:10:00,use=$sa_regex
>
> I've also tried this: throttle threshold=5:120,repeat=no
>
> It also does not work. I get an alert for every message.
>
> I've read in various places that Throttle.pm is broken and in other
> places that it was fixed. I'm running 3.1.1-2 from a debian package.
>
> Does anybody know if this thing is supposed to work? I don't want to
> keep banging my head on it if it's known not to work.
>
> Thx
> -K
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
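The frequency/timeframe correlation Daniel describes, as an added Python example that is neither part of the original post nor OSSEC's own code: a base rule matches a regex on each log line, and a composite rule fires once its trigger (a base rule id via if_matched_sid, or a regex via if_matched_regex) has matched "frequency" times within "timeframe" seconds. Rule id 10001 (standing in for the second rule numbered 10000 in the mail, since ids must be unique), the log lines and the timestamps are constructed for illustration.

```python
import re
from collections import deque

# Rules from the post; composite rule 10001 is a constructed id standing in
# for the second "10000" in the mail (ids must be unique in a rule set).
BASE_RULES = {12345: {"level": 3, "regex": r"authentication failed"}}
COMPOSITE_RULES = {
    10000: {"level": 10, "frequency": 5, "timeframe": 120, "if_matched_sid": 12345},
    10001: {"level": 5, "frequency": 10, "timeframe": 100,
            "if_matched_regex": r"smtp1\.corp.* Service unavailable"},
}


class Correlator:
    def __init__(self):
        self.windows = {cid: deque() for cid in COMPOSITE_RULES}  # trigger timestamps per rule

    def feed(self, ts, line):
        """Process one log line seen at epoch second ts; return a list of (rule_id, level)."""
        alerts, fired = [], set()
        for sid, rule in BASE_RULES.items():
            if re.search(rule["regex"], line):
                fired.add(sid)
                alerts.append((sid, rule["level"]))
        for cid, comp in COMPOSITE_RULES.items():
            if "if_matched_sid" in comp:
                hit = comp["if_matched_sid"] in fired
            else:
                hit = re.search(comp["if_matched_regex"], line) is not None
            if not hit:
                continue
            win = self.windows[cid]
            win.append(ts)
            while ts - win[0] > comp["timeframe"]:  # drop hits older than the window
                win.popleft()
            if len(win) >= comp["frequency"]:
                alerts.append((cid, comp["level"]))
                win.clear()  # start counting the next burst afresh
        return alerts


def composite_alerts(events):
    """Feed (ts, line) pairs through one correlator; return [(ts, composite_rule_id), ...]."""
    corr = Correlator()
    return [(ts, cid) for ts, line in events
            for cid, _ in corr.feed(ts, line) if cid in COMPOSITE_RULES]


# Constructed sample: ten "Service unavailable" lines 10 s apart (a burst),
# then ten more 200 s apart (a trickle that never reaches 10 within 100 s).
SMTP_LINE = "smtp1.corp postfix/smtpd[4242]: NOQUEUE: reject: 451 4.3.0 Service unavailable"
SAMPLE = [(t, SMTP_LINE) for t in range(0, 100, 10)] + [(1000 + 200 * k, SMTP_LINE) for k in range(10)]
```

Running composite_alerts(SAMPLE) yields a single rule 10001 alert at t=90, the moment the tenth hit lands inside the 100 s window; the trickle that follows never produces one.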
This archive was generated by hypermail 2.1.3 : Tue Mar 28 2006 - 21:39:53 PST