Installing and Configuring Swatch

Problem

You would like to use Swatch to monitor your logfiles.

Solution

Install Swatch by using the following standard method of installing Perl modules:

[root@localhost root]# tar zxvf swatch-3.1.tar.gz [root@localhost root]# cd swatch-3.1 [root@localhost swatch-3.1]# perl Makefile.PL [root@localhost swatch-3.1]# make [root@localhost swatch-3.1]# make test [root@localhost swatch-3.1]# make install [root@localhost swatch-3.1]# make realclean

Next, you can test that it is working by running both Snort and Swatch:

[root@localhost snort-2.1.3]# snort -l /var/log/snort -c ./etc/snort.conf [root@localhost root]# swatch -t /var/log/snort/alert swatch: cannot read /root/.swatchrc swatch: using default configuration of: watchfor = /.*/ echo *** swatch version 3.1 (pid:20771) started at Fri Jul 2 07:20:46 EDT 2004 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] 07/02-07:21:01.673346 192.168.206.129 -> 192.168.100.5 ICMP TTL:37 TOS:0x0 ID:42715 IpLen:20 DgmLen:28 Type:8 Code:0 ID:56574 Seq:29086 ECHO [Xref => http://www.whitehats.com/info/IDS162]

 

Discussion

Swatch is known as the Simple Watcher of logfiles. It is a Perl program that monitors Snort alerts and creates automatic responses. Swatch can generate a system bell, print output to the screen, send an email, and run a script to perform other actions. These actions can be configured in the /.swatchrc file, such as the following:

watchfor /something_to_watch_for/ bell echo normal mail addresses=yourmail@youraddress.com,subject=Snort Alert! exec some_script

The /.swatchrc file can have multiple instances of the watchfor statement to watch for a variety of alerts and then initiate the appropriate actions.

Swatch has dependencies on four other Perl modules: Date::Calc, Date::Parse, File::Tail, and Time::HiRes. On RedHat 9, we had to install the following three dependencies:

[root@localhost root]# tar zxvf Date-Calc-5.3.tar.gz [root@localhost root]# cd Date-Calc-5.3 [root@localhost Date-Calc-5.3]# perl Makefile.PL [root@localhost Date-Calc-5.3]# make [root@localhost Date-Calc-5.3]# make test [root@localhost Date-Calc-5.3]# make install [root@localhost Date-Calc-5.3]# make realclean [root@localhost root]# tar zxvf Time-HiRes-1.59.tar.gz [root@localhost Time-HiRes-1.59]# LC_ALL=C; export LC_ALL [root@localhost Time-HiRes-1.59]# perl Makefile.PL [root@localhost Time-HiRes-1.59]# make [root@localhost Time-HiRes-1.59]# make test [root@localhost Time-HiRes-1.59]# make install [root@localhost Time-HiRes-1.59]# make realclean [root@localhost root]# tar zxvf TimeDate-1.16.tar.gz [root@localhost root]# cd TimeDate-1.16 [root@localhost TimeDate-1.16]# perl Makefile.PL [root@localhost TimeDate-1.16]# make [root@localhost TimeDate-1.16]# make test [root@localhost TimeDate-1.16]# make install [root@localhost TimeDate-1.16]# make realclean

If you also need File::Tail, you can install it the same way by downloading and installing the ftp://cpan.cse.msu.edu/modules/by-module/File/File-Tail-0.98.tar.gz file. You can download Perl modules from ftp://cpan.cse.msu.edu/modules/by-module and various other CPAN mirror sites.

To test the Swatch installation, first run Snort in NIDS mode to make sure it is generating alert messages. Then start Swatch with the target file of /var/log/snort/alert, or wherever your alerts that you would like to monitor are being logged. Next, run some event traffic such as an Nmap scan, and you should see the alerts showing on the screen. Notice that the example is just using the default configuration; you can configure the /root/.swatchrc file to monitor for specific keywords and generate various types of actions.

See Also

http://swatch.sourceforge.net

ftp://cpan.cse.msu.edu/modules/by-module

Installing and Configuring Barnyard

Категории