Log File Monitors

The simplest of IDSs, log file monitors, attempt to detect intrusions by parsing system event logs. For example, a basic log file monitor might grep (search) an Apache access.log file for characteristic /cgi-bin/ requests . This technology is limited in that it only detects logged events, which attackers can easily alter. In addition, such a system will miss low-level system events, because event logging is a relatively high-level operation.

Log file monitors are a prime example of host-based IDSs, because they primarily lend themselves to monitoring only one machine. In contrast, network-based IDSs typically scan the network at the packet level, directly off the wire like a sniffer. Network IDSs can coordinate data across multiple hosts . As we will see in this chapter, each type can be advantageous in different situations.

One well-known log file monitor is Swatch (http://www.oit.ucsb.edu/~eta/swatch/), short for Simple WATCHer. Whereas most log analysis software only scans the logs periodically, Swatch can also actively scan log entries and report alerts in real time.

To install, first download the latest version of Swatch. Then, run the following:

 perl Makefile.PL  make  make test  make install  make realclean

After Swatch is installed, you might also have to download and install Perl modules that are required for Swatch.

Swatch uses regular expressions to find lines of interest. When Swatch finds a line that matches a pattern, it takes an action, such as printing it to the screen, emailing an alert, or taking a user -defined action.

The following is an excerpt from a sample Swatch configuration script.

 watchfor   /[dD]enied/DEN.*ED/  echo bold  bell 3  mail  exec "/etc/call_pager 5551234 08"

In this example, Swatch looks for a line that contains the word denied , Denied , or anything that starts with DEN and ends with ED. When it finds a line that contains one of the three search strings, it echoes the line in bold on to the terminal and makes the bell sound (^G) three times. Then Swatch emails the user running Swatch (usually root) with the alert and executes the /etc/call_pager program with the given options.