Swatch configuration example

#

# Swatch configuration file for Linux box

#

# Last Modified 7 April, 2000

# Lance Spitzner

#

# swatch -c /etc/swatchrc -t /var/log/messages

#

### Snort honeypot alerts from firewall

watchfor /IDS/

echo bold

mail addressess=admin,subject=— Snort IDS Alert —

exec echo $0 >> /var/log/IDS-scans

throttle 01:00 use=IDS27

watchfor /PORTSCAN DETECTED/

echo bold

mail addresses=admin,subject=— Snort Port Scan Alert —

exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers

watchfor /approved AXFR/

echo bold

mail addresses=admin,subject=— Zone transfer Alert —

exec echo $0 >> /var/log/IDS-scans

#########################################################

#       EXAMPLES    #

#########################################################

### Bad login attempts

# watchfor   /failed/

#        echo bold

#        mail addressess=root,subject=Failed Authentication

### Some is sniffing!

# watchfor   /promiscuous/

#        echo bold

#        mail addressess=root,subject=Someone is sniffing the network!

### Ignore this stuff

# ignore   /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots

# watchfor   /(panic|halt|SunOS Release)/

#        echo bold

#        mail addresses=root,subject=System Panic,Halt, or Reboot!

# watchfor   /file system full/

#        echo bold

#        mail addresses=root,subject=File system Full

#        throttle 01:00

# watchfor   /su:/

#        echo bold

#        mail addresses=root,subject=Someone sued to root access