Alarms in 2.0

Two questions regarding Alarms in 2.0.

First, I created a signature and wanted to reduce the frequency that it
fires. Does anyone have sample code for SIG_ALARM_PER_ORIG or some
other way to send out a single alarm per source IP?

Second, I configured the MailAlarmsTo setting, but the Alarms are still
going to the MailTo (bromessage@) address. I also tried setting
MailAlarms = True. What am I doing wrong?

Thanks,

Tyler

It looks like you are supposed to do something like

redef Signatures::actions += [ ["sig_id"] = SIG_ALARM_PER_ORIG ];

This worked once I added the "Signatures" module to the SIG_ALARM_PER_ORIG.

redef Signatures::actions += [ ["sig_id"] = Signatures::SIG_ALARM_PER_ORIG ];

-will

Yes, works well when you don't misspell the sig_id. :) Thanks Justin!

Any ideas on how to make the MailAlarmsTo work?

Tyler