SWATCH
------
http://www.oit.ucsb.edu/~eta/swatch/
Freeware

Swatch - Simple WATCHer - sits in the background and monitors the system logs in real time for pre-defined events, by comparing new entries against a series of search terms. When such an event occurs it signals this with a pre-determined alarm, such as a particular number of beeps on the speaker. For example, if one was running PortSentry one could ask Swatch to send an e-mail whenever a line containing 'portsentry' was added to the system log; the moment PortSentry spotted a scan, Swatch would pick this up and immediately send an e-mail to the system administrator (actually, it seems Swatch polls the logs at about quarter-second intervals).

The advantage of this approach is that notification is sent out almost immediately (before an attacker can halt sendmail, say).

The down side is that it generates an e-mail for every matching log entry; although it is possible to use the 'throttle' feature to ignore further repetitions of an identical event within a given time, merely similar events will not be blocked. For example, if PortSentry detects successive scans against all ports from 600 to 1000, then 400 e-mail messages will be generated. [This is probably surmountable, but needs clever use of throttle's use regex option.]

Other disadvantages are that it is always active, and so may affect the performance of smaller systems, and also that in situations such as the portscanning above Swatch can be overwhelmed, as events can be generated much faster than it can deal with them (avoid using the 'bell' in search rules likely to produce this).

The final problem is that Swatch depends on a config file listing the various search rules to apply to the log file(s), but the distribution doesn't even include a sample. Included below is a modified version of that in A. Hsiao: "Teach Yourself Linux Security Basics in 24 Hours" (Sams Publishing, 2001); see also the examples in the LISA93 paper on the Swatch webpages.
### BEGIN
watchfor /ROOT LOGIN|uid=0/
        echo red
        mail addresses=J.Nebrensky\@brunel.ac.uk,subject=".SW.Root Activity"
        bell 2

watchfor /REPEATED|repeated/
        echo red
        mail addresses=J.Nebrensky\@brunel.ac.uk,subject=".SW.Repeat Activity"
        bell 2

watchfor /portsentry/
        echo red
        mail addresses=J.Nebrensky\@brunel.ac.uk,subject=".SW.PortSentry Alert"

watchfor /FAILED|INVALID|authentication failure|Unauthorized/
        echo
        mail addresses=J.Nebrensky\@brunel.ac.uk,subject=".SW.ID issue"
        bell 1

watchfor /changed by/
        echo blue
        mail addresses=J.Nebrensky\@brunel.ac.uk,subject=".SW.Password Change"
        bell 2

watchfor /caught signal|exiting|abnormal|aborted|restart|registered/
        echo blink
        mail addresses=J.Nebrensky\@brunel.ac.uk
        #mail addresses=J.Nebrensky\@brunel.ac.uk, subject=".SW.Unknown"
        bell 2

watchfor /kernel\:|init\:/
        echo blink
        mail addresses=J.Nebrensky\@brunel.ac.uk
        #mail addresses=J.Nebrensky\@brunel.ac.uk,subject=".SW.System"
        bell 2
        throttle 01:00

watchfor /file system full/
        echo
        mail addresses=J.Nebrensky\@brunel.ac.uk,subject=".SW.FS Full"
        bell 1
        throttle 01:00

watchfor /LOGIN FROM/
        echo
### END

Installation
------------
This section is based on Swatch 3.0.4 on RedHat 6.2 (not a full install of everything).

Swatch requires perl 5 and the following modules: Time::HiRes, Date::Calc, Date::Format, and File::Tail. These weren't on the system, so the easiest thing was to install CPAN and then use that to automatically find and install the others. Go to www.cpan.org and in the modules list find and download 1) Test::Simple (i.e. Test-Simple-nnn.tar.gz, not the individual .pm files) and 2) CPAN. Install these in turn using the instructions below (stolen from www.cpan.org):

### BEGIN
What To Do Once You've Downloaded A Module From The CPAN

You have a file ending in .tar.gz (or, less often, .zip). You know there's a tasty module inside. There are four steps you must now take:

    DECOMPRESS the file
    UNPACK the file into a directory
    BUILD the module (sometimes unnecessary)
    INSTALL the module.
Here's how to perform each step for each operating system. This is not a substitute for reading the README and INSTALL files that might have come with your module!

Also note that these instructions are tailored for installing the module into your system's repository of Perl modules. But you can install modules into any directory you wish. For instance, where I say perl Makefile.PL, you can substitute "perl Makefile.PL PREFIX=/my/perl_directory" to install the modules into /my/perl_directory. Then you can use the modules from your Perl programs with use lib "/my/perl_directory/lib/site_perl"; or sometimes just use "/my/perl_directory";.

1. If you're on Unix,

   (You can use Andreas König's CPAN module to automate the entire process, from DECOMPRESS through INSTALL.)

   A. DECOMPRESS

      Decompress the file with
          gzip -d yourmodule.tar.gz
      You can get gzip from ftp://prep.ai.mit.edu/pub/gnu.
      Or, you can combine this step with the next to save disk space:
          gzip -dc yourmodule.tar.gz | tar -xof -

   B. UNPACK

      Unpack the result with
          tar -xof yourmodule.tar

   C. BUILD

      Go into the newly-created directory and type:
          perl Makefile.PL
          make
          make test

   D. INSTALL

      While still in that directory, type:
          make install
      Make sure you have the appropriate permissions to install the module in your Perl 5 library directory. Often, you'll need to be root.

   That's all you need to do on Unix systems with dynamic linking. Most Unix systems have dynamic linking -- if yours doesn't, or if for another reason you have a statically-linked perl, and the module requires compilation, you'll need to build a new Perl binary that includes the module. Again, you'll probably need to be root.
### END

As root, run CPAN - the first time you do this it will start an interactive session and ask about web proxies, nearest mirror sites and so on. You can then download and install any modules needed by typing "install Module::Name" at an interactive CPAN prompt.
Install Swatch itself using the same basic UNPACK-BUILD-INSTALL process above (double-check the docs for details - it should end up in /usr/bin/). Edit and save a config file somewhere sensible - /etc/swatch.conf seems popular. You can now test it out using:

    /usr/bin/swatch -c /etc/swatch.conf --examine /var/log/messages

or use a dummy log file with known problems. Once you are happy with the rule sets and actions, set it to watch the logs:

    /usr/bin/swatch -c /etc/swatch.conf --tail /var/log/messages &

and try doing something "nasty" (e.g. just su to root in another session) and make sure it triggers. If you need to watch more than one log file, you'll need to start a separate Swatch for each file.

Start-up
--------
To load Swatch on boot-up I added

    /usr/bin/swatch -c /etc/swatch.conf --tail /var/log/messages &

to the end of /etc/rc.d/rc.local (i.e. before the final 'fi'). Alternatively, to control Swatch automatically, the script below can be saved as /etc/rc.d/init.d/swatchd; then /sbin/chkconfig swatchd on will start it up and let you control it like any other service from e.g. linuxconf. It's a chronic bodge (doesn't track PIDs or report status, etc.), but then it's arguable that Swatch shouldn't be easy to control...

### BEGIN
#!/bin/sh
#
# chkconfig: 2345 85 35
# description: Starts and stops swatch instances
# processname: swatch

# Source function library.
. /etc/rc.d/init.d/functions

case "$1" in
  start)
        /usr/local/bin/swatch --config-file=/etc/swatch.conf --tail /var/log/messages &
        ;;
  stop)
        killall swatch
        ;;
  *)
        echo "usage: $0 (start|stop)"
        exit 1
        ;;
esac
exit 0
### END
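The throttle limitation described at the top of this page (identical repeats can be suppressed, merely similar events cannot), as an added illustration that is not part of the original page or of Swatch itself: a small Python model of watchfor rules whose throttle window is keyed either on the exact message or on the rule's regex, run over constructed PortSentry and 'file system full' log lines. The keying choice mirrors the 'use regex' option the page alludes to; the real Swatch 3.0.4 throttle syntax is not reproduced here and should be taken from its man page.

```python
# Added illustration (not Swatch's code): toy model of watchfor + throttle semantics.
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One Swatch-style 'watchfor' rule with an optional throttle window."""
    pattern: "re.Pattern"
    subject: str
    throttle: float = 0.0   # window in seconds, measured from the last mail sent; 0 = never throttle
    key: str = "message"    # "message": only identical lines are suppressed;
                            # "regex": any further match of this rule is suppressed
    last_seen: dict = field(default_factory=dict)

    def check(self, line: str, now: float):
        """Return the mail subject if line matches and is not throttled, else None."""
        if not self.pattern.search(line):
            return None
        k = line if self.key == "message" else self.pattern.pattern
        last = self.last_seen.get(k)
        if self.throttle and last is not None and now - last < self.throttle:
            return None                      # repeat inside the window: swallowed
        self.last_seen[k] = now
        return self.subject

def run(rules, log):
    """Feed (seconds, line) pairs through the rules; return [(seconds, subject)]."""
    alerts = []
    for ts, line in log:
        for rule in rules:
            subject = rule.check(line, ts)
            if subject:
                alerts.append((ts, subject))
    return alerts

def alerts_for_scan(key, window=60.0):
    """Mails the 'portsentry' rule sends for a constructed scan of ports 600-999,
    one PortSentry line per port, 10 ms apart (every line differs in the port)."""
    rule = Rule(re.compile(r"portsentry"), ".SW.PortSentry Alert", window, key)
    log = [(i * 0.01, "portsentry[123]: attackalert: Connect from host: "
            f"192.0.2.5/192.0.2.5 to TCP port: {port}")
           for i, port in enumerate(range(600, 1000))]
    return len(run([rule], log))

def alerts_for_identical(window=60.0):
    """Mails for the same constructed 'file system full' line at 0 s, 2 s, 5 s and 120 s."""
    rule = Rule(re.compile(r"file system full"), ".SW.FS Full", window)
    line = "kernel: /dev/hda1: file system full"
    return len(run([rule], [(t, line) for t in (0, 2, 5, 120)]))
```

With the throttle keyed on the message the scan still produces one mail per port, while keying it on the rule's regex collapses the whole burst into a single mail per window; the identical 'file system full' line is suppressed either way.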