Configuring Swatch

Swatch won't run without its configuration file. When a user runs Swatch, it looks in that user's home directory for a .swatchrc configuration file. You can override this action on the command line with the -c switch.

The .swatchrc file is relatively straightforward. Its format consists of a string to watch out for, followed by an action to take should it see that string.

If you prefer to hack existing files rather than create them from scratch, you're in good company. Check out the examples / directory from within your Swatch source code for some great example swatchrc files.

To tell Swatch what to watch for, use the watchfor command. The watchfor statement is not only a good idea, it's required for Swatch to run. We use syslog-ng to watch out for ATTACK-RESPONSES in Snort logs; you can tell Swatch to do the same with this line:

watchfor /ATTACK-RESPONSES/

Seems easy enough, right? You don't have to put the exact text of what to watch out for in this command, although it's the easiest way to go. You can put any regular expression in this place, and Swatch will watch for any string that matches it. An excellent site for all things Perl, including handy tutorials on writing regular expressions, is http://www.perlmonks.org.

You can also tell Swatch to ignore certain text strings or regular expressions. If you've got a Windows system that has the messenger service turned off, you may want to ignore NETBIOS DCERPC Messenger Service buffer overflow messages (they wouldn't apply to your system), but you may want to watch for NETBIOS DCERPC ISystemActivator bind attemptmes-sages. You could apply this selective watching bycombining an ignore statement and a watchfor statement:

ignore /Messenger watchfor /NETBIOS

Service/ DCERPC/

After you tell Swatch what to watch out for, you need to tell it what to do when it sees something it's been watching for. Table 11-5 lists some of the more useful actions that Swatch can take when it catches something in the logs.

Table 11-5

Swatch Actions

Action

Description

echo [modes]

Sends the text of the matched line to standard output. Use to send data to the console from which Swatch was launched or to populate the text of an e-mail message. For your Technicolor life, you can specify a color for the modes option to have your text echoed in that color in your console.

bell [n]

Sounds the system bell when a log message is matched. Put a number n after this action to make your system beep n times.

Action

Description exec command

Use this action to execute a command when text is matched. Analogous to the program destination driver in syslog-ng, except that Swatch will execute the program and then terminate it when done. To use elements of the log entry itself as arguments to the executed command, use $n to use the nth field of the log entry. To use the entire entry, use $* or $0.

mail [addresses= [email protected] com:[email protected] someotherdomain.net], [subject=your catchy email subject here]

Sends alerts via e-mail. If you want e-mail to go to a whole bunch of people, consider setting up a list in your /etc/aliases file. Swatch uses Sendmail, so make sure that you've got either a working Sendmail install or a suitable SMTP mailer package that actually replaces the sendmail command.

pipe command [,keep_open]

Makes Swatch act like the syslog-ng program driver: It will pipe matched text to the standard input of a command. If you use the keep_open option, the pipe stays open until a different pipe action is run or Swatch exits.

Uses the Unix write command to send matched log entries to a user's console. Useful as long as the user is logged in.

throttle hours: minutes:seconds

Keeps Swatch from going crazy when your logs are going crazy. The throttle action limits the number of times a specific action is run for a specific matched pattern. List the time interval to keep Swatch from reacting to a matched message for the length of that interval.

when=day_of_week: hour_of_day

Limits the execution of all the preceding options to certain times. If you're watching for Priority: 1 alerts and using the mail action to send you e-mail accordingly, maybe you want to have a separate rule that sends e-mail to your pager after office hours instead of an unmanned inbox.

The following sample .swatchrc file points out some of the more useful actions and options when running Swatch on your Snort logs. Note how the colon after Priority has a backslash in front of it; without this slash, your colon would be considered part of your regular expression incantation and not part of the pattern you're trying to match.

watchfor /Priority\: 1/ echo mail addresses=admin\@yourdomain.com,subject=Snort_Alert,when=2-6:8-17

# Sends regular email to your admin during work hours watchfor /Priority\: 1/ echo mail addresses=admin_pager\@yourdomain.com,subject=Snort_Alert,when=1-7:1-24 throttle 0:10:0

# Sends pager email to your admin at all hours. The throttle option will only react to one alert every 10 minutes.

watchfor /Priority\: 2/ echo bell 5

# Your coworkers will *love* this one. Causes your terminal receive the log entry and beep 5 times when a Priority: 2 Snort alert is detected.

watchfor /su\:/ echo=red

# Red Alert! This will send an alert to your terminal when someone runs su

This sample is just a taste of what you can do with Swatch watching your log files. For more information, check out the Swatch man page by typing "man swatch". Like most powerful Unix tools, Swatch gives you some basic functionality and lets you decide how to use it. So be creative and experiment!

Was this article helpful?

0 0

Post a comment