Installing and Configuring Swatch


You would like to use Swatch to monitor your logfiles.


Install Swatch by using the following standard method of installing Perl modules:

[root@localhost root]# tar zxvf swatch-3.1.tar.gz
[root@localhost root]# cd swatch-3.1
[root@localhost swatch-3.1]# perl Makefile.PL
[root@localhost swatch-3.1]# make
[root@localhost swatch-3.1]# make test
[root@localhost swatch-3.1]# make install
[root@localhost swatch-3.1]# make realclean

Next, you can test that it is working by running both Snort and Swatch:

[root@localhost snort-2.1.3]# snort -l /var/log/snort -c 


[root@localhost root]# swatch -t /var/log/snort/alert
swatch: cannot read /root/.swatchrc
swatch: using default configuration of:
    watchfor = /.*/

*** swatch version 3.1 (pid:20771) started at Fri Jul 2 07:20:46 EDT 2004

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/02-07:21:01.673346 ->
ICMP TTL:37 TOS:0x0 ID:42715 IpLen:20 DgmLen:28
Type:8 Code:0 ID:56574 Seq:29086 ECHO
[Xref =>]



Swatch is known as the Simple Watcher of logfiles. It is a Perl program that monitors Snort alerts and creates automatic responses. Swatch can generate a system bell, print output to the screen, send an email, and run a script to perform other actions. These actions are configured in the ~/.swatchrc file, for example:

watchfor /something_to_watch_for/
    echo normal
    mail,subject=Snort Alert!
    exec some_script

The ~/.swatchrc file can have multiple instances of the watchfor statement to watch for a variety of alerts and then initiate the appropriate actions.
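As an added example (not from the Snort Cookbook), the following ~/.swatchrc ties several watchfor blocks to the Snort alert format shown above: it drops the noisy Nmap ping signature, escalates Priority 1 alerts, and echoes every other alert header. The handler script path is hypothetical, and the throttle option is assumed to be available in Swatch 3.x.

```conf
# ~/.swatchrc: Swatch reads the alert file one line at a time, so each
# regex below matches a single line of a multi-line Snort alert.

# Suppress the ICMP PING NMAP signature line so it triggers nothing
ignore /ICMP PING NMAP/

# Priority 1 alerts: highlight, ring the bell, mail root, and hand the
# matched line ($0) to a handler script (hypothetical path)
watchfor /\[Priority: 1\]/
    echo red
    bell 2
    mail addresses=root,subject=Snort Priority 1 alert
    exec /usr/local/bin/snort-alert-handler.sh "$0"
    # assumed 3.x option: at most one action burst per 10 minutes per message
    throttle 0:10:00

# Any other alert header line ([**] [gid:sid:rev] ...) is echoed as-is
watchfor /\[\*\*\] \[\d+:\d+:\d+\]/
    echo normal
```

Because matching is per line, the ignore rule hides only the signature line of the Nmap alert; its Classification and packet-detail lines still pass through, so match on the line that carries the field you want to act on.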

Swatch has dependencies on four other Perl modules: Date::Calc, Date::Parse, File::Tail, and Time::HiRes. On Red Hat 9, we had to install the following three dependencies:

[root@localhost root]# tar zxvf Date-Calc-5.3.tar.gz
[root@localhost root]# cd Date-Calc-5.3
[root@localhost Date-Calc-5.3]# perl Makefile.PL
[root@localhost Date-Calc-5.3]# make
[root@localhost Date-Calc-5.3]# make test
[root@localhost Date-Calc-5.3]# make install
[root@localhost Date-Calc-5.3]# make realclean

[root@localhost root]# tar zxvf Time-HiRes-1.59.tar.gz
[root@localhost root]# cd Time-HiRes-1.59
[root@localhost Time-HiRes-1.59]# LC_ALL=C; export LC_ALL
[root@localhost Time-HiRes-1.59]# perl Makefile.PL
[root@localhost Time-HiRes-1.59]# make
[root@localhost Time-HiRes-1.59]# make test
[root@localhost Time-HiRes-1.59]# make install
[root@localhost Time-HiRes-1.59]# make realclean

[root@localhost root]# tar zxvf TimeDate-1.16.tar.gz
[root@localhost root]# cd TimeDate-1.16
[root@localhost TimeDate-1.16]# perl Makefile.PL
[root@localhost TimeDate-1.16]# make
[root@localhost TimeDate-1.16]# make test
[root@localhost TimeDate-1.16]# make install
[root@localhost TimeDate-1.16]# make realclean

If you also need File::Tail, download it and install it the same way. You can download Perl modules from and various other CPAN mirror sites.

To test the Swatch installation, first run Snort in NIDS mode to make sure it is generating alert messages. Then start Swatch with /var/log/snort/alert as the target file, or whichever file the alerts you want to monitor are being logged to. Next, generate some event traffic, such as an Nmap scan, and you should see the alerts appear on the screen. Notice that the example uses only the default configuration; you can configure the /root/.swatchrc file to monitor for specific keywords and generate various types of actions.

See Also

Installing and Configuring Barnyard

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


Snort Cookbook
ISBN: 0596007914
Year: 2006