The ability to detect malicious activities depends on adequate monitoring. Enabling logging does no good if the logs are not reviewed. The problem, of course, is that all of the logging activities produce a great wealth of data. A centralized logging server provides a single location for log data and consolidates the work of examining the information. It also provides a good location for an intrusion detection system which analyzes log entries to determine malicious activities. Possibly the most important aspect of log monitoring is the ability to automate the process and reduce the amount of information which a person has to examine. There are many tools and products which help in this endeavor.

Swatch

Swatch, the Simple WATCHer, is a tool written in Perl by Todd Atkins to actively monitor messages as they are written to a log file via the UNIX syslog utility. Swatch monitors your logs for specific triggers; when those triggers are matched, swatch notifies you in a predetermined manner. It gives an administrator the ability to process the enormous amounts of logged data without being overwhelmed. The program is simple to install, administer, and expand to perform actions defined by the administrator. It can be used as a simple intrusion detection system or can front-end other systems, reducing the volume of data for them to process.

The configuration file, called swatchrc, is the heart of the swatch program. This text file tells swatch what logs to monitor, what triggers to look for, and what to do if triggered. Swatch works by looking for regular expressions that match the triggers defined in swatchrc. When it finds a match, it executes the notification procedure defined in swatchrc. The swatchrc file consists of four fields: the first two fields are required, and the last two fields are optional. The first field is the regular expression for which swatch is looking. This is the trigger. The second is a list of actions to be performed if the pattern is matched. Swatch has various options for actions, including e-mail, paging, or executing any file you select. The third field, "throttle" (which is optional), is a time interval: the amount of time swatch will ignore identical matched patterns that repeat themselves. The fourth field (required if you are using the third field) is a timestamp.

Sample swatchrc file:

#
# Personal Swatch configuration file
#

# Alert me of bad login attempts and find out who is on that system
watchfor   /INVALID|REPEATED|INCOMPLETE/
        echo inverse
        bell 3

# Important program errors
watchfor   /LOGIN/
        echo inverse
        bell 3

watchfor   /passwd/
        echo bold
        bell 3

watchfor   /ruserok/
        echo bold
        bell 3

# Ignore this stuff
ignore     /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

# Report unusual tftp info
ignore     /tftpd.*(ncd|kfps|normal exit)/
watchfor   /tftpd/
        echo
        bell 3

# Kernel problems
watchfor   /(panic|halt|SunOS Release)/
        echo bold
        bell

watchfor   /file system full/
        echo bold
        bell 3

ignore     /vmunix.*(at|on)/
watchfor   /vmunix/
        echo
        bell

watchfor   /fingerd.*(root|[Tt]ip|guest)/
        echo
        bell 3

watchfor   /su:/
        echo bold

watchfor   /.*/
        echo
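The trigger, action and throttle fields described above, as an added example that is neither part of the original text nor Swatch's own code: a small Python watcher applies a constructed rule set in swatchrc order to constructed syslog lines. It assumes first-matching-rule-wins processing and a throttle keyed on the rule and measured from its last raised alert; both are assumptions about swatch's behaviour, not taken from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed rules in swatchrc order: (directive, regex, actions, throttle).
# The first rule whose pattern matches a line wins; an "ignore" match drops
# the line, a "watchfor" match fires the listed actions (assumed semantics).
RULES = [
    ("ignore",   re.compile(r"sendmail|nntp|xntp|ntpd"), None, None),
    ("watchfor", re.compile(r"INVALID|REPEATED|INCOMPLETE"),
                 "echo inverse, bell 3", timedelta(minutes=1)),
    ("watchfor", re.compile(r"file system full"),
                 "echo bold, bell 3", timedelta(minutes=10)),
    ("watchfor", re.compile(r"su:"), "echo bold", None),
]

# Constructed syslog-style lines standing in for /var/log/messages.
LOG = [
    "Mar  4 10:00:01 host login[211]: REPEATED login failures on tty1",
    "Mar  4 10:00:20 host login[211]: REPEATED login failures on tty1",
    "Mar  4 10:00:40 host sendmail[300]: INVALID sender address",
    "Mar  4 10:02:00 host login[211]: REPEATED login failures on tty1",
    "Mar  4 10:03:00 host su: 'su root' succeeded for bob on /dev/pts/1",
    "Mar  4 10:03:30 host kernel: file system full",
]

def syslog_time(line):
    """Parse the leading 'Mon dd HH:MM:SS' syslog timestamp (year ignored)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")

def monitor(lines, rules=RULES):
    """Return the alerts raised as (actions, line) pairs, in log order.

    A rule's throttle suppresses further alerts for that rule until its
    interval has elapsed since the last alert it actually raised.
    """
    last_alert = {}   # rule index -> time of the last alert raised for it
    alerts = []
    for line in lines:
        for idx, (directive, pattern, actions, throttle) in enumerate(rules):
            if not pattern.search(line):
                continue
            if directive == "ignore":
                break  # matched an ignore pattern: drop this line
            now = syslog_time(line)
            prev = last_alert.get(idx)
            if throttle and prev is not None and now - prev < throttle:
                break  # identical trigger repeating inside the throttle window
            last_alert[idx] = now
            alerts.append((actions, line))
            break  # first matching rule wins
    return alerts

if __name__ == "__main__":
    for actions, line in monitor(LOG):
        print(f"[{actions}] {line}")
```

The sendmail line is dropped by the ignore rule even though it contains INVALID, and the second REPEATED line is throttled while the one two minutes later alerts again.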