Swatch configuration example
#
# Swatch configuration file for Linux box
#
# Last Modified 7 April, 2000
# Lance Spitzner
#
# swatch -c /etc/swatchrc -t /var/log/messages
#
### Snort honeypot alerts from firewall
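watchfor /IDS/
  # Highlight the matched line on the console.
  echo bold
  # Option name is "addresses" (as in the other rules below); the former
  # spelling "addressess" is not the documented option name.
  mail addresses=admin,subject=— Snort IDS Alert —
  # Append the matched line to the scan log.  "pipe" hands the line to the
  # command on stdin instead of interpolating it into a shell command line.
  # The former "exec echo $0 >> ..." expanded $0 (the raw log line) inside a
  # shell command, so shell metacharacters in log content would be executed
  # with swatch's privileges.
  pipe cat >> /var/log/IDS-scans
  # NOTE(review): verify the throttle syntax (time format and the use= key)
  # against the installed swatch's man page; the value below is kept as-is.
  throttle 01:00 use=IDS27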
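watchfor /PORTSCAN DETECTED/
  # Highlight the matched line on the console.
  echo bold
  # NOTE(review): this rule has no throttle, so a sustained scan produces one
  # mail per matching log line; consider a throttle like the IDS rule's.
  mail addresses=admin,subject=— Snort Port Scan Alert —
  # Append the matched line to the scan log via stdin ("pipe") rather than
  # expanding the raw log line ($0) into a shell command ("exec"), which
  # would let shell metacharacters in log content run as commands.
  pipe cat >> /var/log/IDS-scans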
### DNS zone transfers
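watchfor /approved AXFR/
  # Highlight the matched line on the console.
  echo bold
  # NOTE(review): no throttle here either; each zone-transfer log line sends
  # a separate mail.
  mail addresses=admin,subject=— Zone transfer Alert —
  # Append the matched line to the scan log via stdin ("pipe").  The former
  # "exec echo $0 >> ..." expanded the raw log line into a shell command, so
  # metacharacters in the logged request could be executed.
  pipe cat >> /var/log/IDS-scans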
#########################################################
# EXAMPLES #
#########################################################
### Bad login attempts
# watchfor /failed/
# echo bold
# mail addresses=root,subject=Failed Authentication
### Someone is sniffing!
# watchfor /promiscuous/
# echo bold
# mail addresses=root,subject=Someone is sniffing the network!
### Ignore this stuff
# ignore /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/
### Kernel problems or system reboots
# watchfor /(panic|halt|SunOS Release)/
# echo bold
# mail addresses=root,subject=System Panic/Halt/Reboot!
# watchfor /file system full/
# echo bold
# mail addresses=root,subject=File system Full
# throttle 01:00
# watchfor /su:/
# echo bold
# mail addresses=root,subject=Someone used su to gain root access