Swatch configuration example

#
# Swatch configuration file for Linux box
#
# Last Modified 7 April, 2000
# Lance Spitzner
#
# swatch -c /etc/swatchrc -t /var/log/messages
#

### Snort honeypot alerts from firewall
watchfor   /IDS/
        echo bold
        mail addresses=admin,subject=--- Snort IDS Alert ---
        # $0 is the whole matched log line; keep a copy of every hit
        exec echo $0 >> /var/log/IDS-scans
        throttle 01:00 use=IDS27

watchfor   /PORTSCAN DETECTED/
        echo bold
        mail addresses=admin,subject=--- Snort Port Scan Alert ---
        exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers
watchfor   /approved AXFR/
        echo bold
        mail addresses=admin,subject=--- Zone transfer Alert ---
        exec echo $0 >> /var/log/IDS-scans

#########################################################
#       EXAMPLES    #
#########################################################

### Bad login attempts
# watchfor   /failed/
#        echo bold
#        mail addresses=root,subject=Failed Authentication

### Someone is sniffing!
# watchfor   /promiscuous/
#        echo bold
#        mail addresses=root,subject=Someone is sniffing the network!

### Ignore this stuff
# ignore   /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots
# watchfor   /(panic|halt|SunOS Release)/
#        echo bold
#        mail addresses=root,subject=System Panic/Halt/Reboot!

# watchfor   /file system full/
#        echo bold
#        mail addresses=root,subject=File system Full
#        throttle 01:00

# watchfor   /su:/
#        echo bold
#        mail addresses=root,subject=Someone su'd to root
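As an added illustration (not part of Spitzner's file and not swatch's own code), the following Python sketch replays the three active rules above, plus the commented `ignore` example, against a few constructed syslog lines. It assumes first-match-wins rule order (swatch without a `continue` action) and reads `throttle 01:00` as a one-hour suppression window keyed on the rule; both are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: rules are tried in file order and the first match wins, as in
# swatch without a 'continue' action. Each entry: (name, regex, throttle window).
RULES = [
    ("snort-ids", re.compile(r"IDS"), timedelta(hours=1)),   # throttle 01:00 read as 1 hour
    ("portscan", re.compile(r"PORTSCAN DETECTED"), None),
    ("axfr", re.compile(r"approved AXFR"), None),
]
# The commented 'ignore' example from the file, checked before any watchfor.
IGNORE = re.compile(r"sendmail|nntp|xntp|ntpd|faxspooler")

# Constructed sample log lines: (minutes since start, syslog line).
SAMPLE = [
    (0, "Apr  7 00:00:01 fw snort[211]: IDS alert from 192.0.2.7"),
    (5, "Apr  7 00:05:09 fw snort[211]: IDS alert from 192.0.2.7"),
    (8, "Apr  7 00:08:30 fw snort[211]: PORTSCAN DETECTED from 192.0.2.7"),
    (9, "Apr  7 00:09:02 ns named[340]: approved AXFR from [192.0.2.9].1025"),
    (12, "Apr  7 00:12:44 mx sendmail[512]: IDS mentioned in a mail subject"),
    (70, "Apr  7 01:10:00 fw snort[211]: IDS alert from 192.0.2.8"),
]

def evaluate(lines, start=datetime(2000, 4, 7)):
    """Return (alerts, suppressed): alerts are (rule name, line) pairs that would
    trigger 'echo bold' + 'mail' + 'exec echo $0 >> /var/log/IDS-scans';
    suppressed counts matches silenced by the throttle window."""
    last_fired = {}
    alerts, suppressed = [], 0
    for minutes, line in lines:
        now = start + timedelta(minutes=minutes)
        if IGNORE.search(line):          # ignore wins even if a watchfor would match
            continue
        for name, pattern, window in RULES:
            if not pattern.search(line):
                continue
            prev = last_fired.get(name)
            if window and prev is not None and now - prev < window:
                suppressed += 1          # same rule inside the window: no new alert
            else:
                last_fired[name] = now
                alerts.append((name, line))
            break                        # first matching watchfor handles the line
    return alerts, suppressed

if __name__ == "__main__":
    for name, line in evaluate(SAMPLE)[0]:
        print(f"[{name}] {line}")
```

The second IDS line, five minutes after the first, is silenced by the throttle; the sendmail line containing "IDS" never reaches the watchfor rules because the ignore pattern is tested first.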

Seo Jin-woo

Clunix, a supercomputing specialist company / Managing Director (Technical Director) / Certified Information Systems Auditor / Syszone blog operator
