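#
# Swatch configuration file for Linux box
#
# Last Modified 7 April, 2000
# Lance Spitzner
#
# swatch -c /etc/swatchrc -t /var/log/messages
#
# Layout: each "watchfor /regex/" line is matched against every new line of
# the tailed log; the indented action lines under it run for each match.
#
# Caveat on the "exec" actions below: the command line contains a shell
# redirection (">>"), so it is handed to a shell, and $0 is replaced by the
# entire matched log line.  Whatever ends up in the log is therefore
# substituted verbatim into a shell command — for IDS alerts that text is
# influenced by the remote party by design, so treat this as a command
# injection path.  Prefer an action that does not pass log text through a
# shell (e.g. swatch's "pipe" action, which feeds the line on stdin), and
# keep /var/log/IDS-scans writable and readable by root only.

### Snort honeypot alerts from firewall
watchfor /IDS/
	echo bold
	# Keyword fixed to "addresses" to match the other mail actions in this
	# file (the original read "addressess"; an unrecognised keyword most
	# likely means this alert was never mailed — verify with a test match).
	mail addresses=admin,subject=— Snort IDS Alert —
	# $0 = whole matched line; see the injection caveat at the top.
	exec echo $0 >> /var/log/IDS-scans
	# NOTE(review): the throttle argument "use=IDS27" is reproduced as
	# recovered from the source and looks garbled; swatch's throttle takes
	# "hh:mm:ss,use=message|regex" — confirm the intended value before use.
	throttle 01:00 use=IDS27

watchfor /PORTSCAN DETECTED/
	echo bold
	mail addresses=admin,subject=— Snort Port Scan Alert —
	# $0 = whole matched line; see the injection caveat at the top.
	exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers
watchfor /approved AXFR/
	echo bold
	mail addresses=admin,subject=— Zone transfer Alert —
	# $0 = whole matched line; see the injection caveat at the top.
	exec echo $0 >> /var/log/IDS-scans

############################################################
# EXAMPLES #
############################################################

### Bad login attempts
# watchfor /failed/
#	echo bold
#	mail addresses=root,subject=Failed Authentication

### Someone is sniffing!
# watchfor /promiscuous/
#	echo bold
#	mail addresses=root,subject=Someone is sniffing the network!

### Ignore this stuff
# ignore /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots
# watchfor /(panic|halt|SunOS Release)/
#	echo bold
#	mail addresses=root,subject=System Panic,Halt, or Reboot!

# watchfor /file system full/
#	echo bold
#	mail addresses=root,subject=File system Full
#	throttle 01:00

# watchfor /su:/
#	echo bold
#	mail addresses=root,subject=Someone sued to root access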

