
1 SWATCH Chris Anderson Matt White

2 Swatch: Its purpose Log file watcher – Originally, Swatch was written to actively monitor messages as they are written to a log file via the UNIX syslog utility. Intrusion detection – It watches your log files, then sends an alert to any output if suspicious activity occurs.

3 Swatch: A brief history Swatch is an acronym for Smart Watcher. Developed by E. Todd Atkins of the Stanford EE Computer Facility. The program is written in Perl. Comes highly recommended by system administrators.

4 Swatch: A brief review of terms A log file is a file that has log events written to it. Log events are any specific action, activity or condition that are deemed worthy of recording. Log files and monitoring help build a more secure system. They help leave a trail of information of the recent activity done on a computer, making intrusion detection and recovery a much easier task. The configuration file is where the program’s operation is controlled.

5 Swatch: A brief overview There are two possible ways to run Swatch. It can be set to be run in batch. The program will scan a log file according to a preset configuration, or you can use real time monitoring, keeping track of events as they are keyed in.

6 Swatch: A brief overview The config file consists of 4 fields. The first field specifies a key phrase that will be checked for on each line of the log file. The second field tells what the program should do if there is a match. You can print the matched line, print it and ring a bell, execute a specific command string, ignore the entry, email the entry to a specified address, or write the matched lines to a user's terminal.

7 Swatch: A brief overview After letting the program run for some time, you will begin to be able to distinguish which alerts are important and which ones you can safely set to ignore.

8 Swatch: A tutorial Configuration: Since the whole point of swatch is to simplify our lives, configuring swatch itself is, well, simple. Swatch is controlled by a single file, $HOME/.swatchrc, where $HOME is the username. This file contains text patterns in the form of regular expressions you wish swatch to watch for. Each regular expression is followed by the action(s) you wish swatch to take whenever it encounters that text.

9 Swatch: A tutorial For the first example, suppose you have a web server and you want to be alerted by email any time someone attempts a buffer-overflow attack by requesting an extremely long filename, e.g. "File name too long". – Here's what you'd need to have in your .swatchrc file:

watchfor /File name too long/
mail addresses=Jmehof\@net.com, subject=BufferOverflow_attempt

10 Swatch: A tutorial As you can see, the entry begins with a "watchfor" statement, followed by a regular expression. Swatch will perform your choice of a number of actions when it matches your regular expression. – In this example, we have told swatch to send e-mail to Jmehof@net.com, with a subject of BufferOverflow_attempt.

11 Swatch: A tutorial You must have the backslash in front of the @; without it, Perl will interpret the @ sign as a special character. – Note also that if you want spaces in your subject line, each space also needs to be escaped with a backslash, e.g., subject=Buffer\ Overflow\ attempt. – Actions besides sending e-mail are available.

12 Swatch: A tutorial Let us take our example a step further. – Suppose, in addition to being e-mailed about buffer-overflow attempts, you want to know whenever someone hits a certain web page, but only if you're logged on to a console at the time. – In the same .swatchrc file, you would add something like this:

watchfor /junksite.html/
echo=red
bell 2

13 Swatch: A tutorial The event will then cause a beep and print to the console. It is important to note that you will only see these messages and hear the beeps if you are logged on to the console in the same shell session from which you launched swatch. – If you log out and log back in, you will no longer see messages generated by the swatch processes launched in your old session, even though those processes will still be running. When in doubt, add a backup method to make sure you receive the alerts.

14 Swatch: A tutorial Advanced: Another way to control swatch to a greater degree is to specify what time of day a given action may be performed. – You can do this by adding a "when=" option after any action. – For example, on the next slide there is a .swatchrc entry for a medium-importance event. – We want to know about it via console messages during weekdays, but we will need e-mail messages to know about it during the weekend.

15 Swatch: A tutorial – To do this I set the when option:

watchfor /file system full/
echo=red
mail addresses=mick\@visi.com, subject=Volume_Full,when=7-1:1-24

16 Swatch: A tutorial The syntax of the when= option is when=range_of_days:range_of_hours. – Thus, we see that any time the message "file system full" is logged, swatch will echo the log entry to the console in red ink. – It will also send e-mail, but only if it's Saturday ("7") or Sunday ("1").
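To make the day/hour semantics of when=7-1:1-24 concrete, here is an added example (not swatch's own code) that parses such a range and tests a timestamp against it. It assumes the slide's numbering (Sunday=1, Saturday=7, hours 1-24), that a range whose start is above its end wraps around (7-1 means Saturday and Sunday), and, as an assumption of this example, that clock hour 0 is written as 24.

```python
import datetime as dt

def _expand(spec: str, lo: int, hi: int) -> set[int]:
    """Expand 'a-b' (inclusive, wrapping past hi back to lo) or a single value into a set."""
    if "-" in spec:
        a, b = (int(x) for x in spec.split("-", 1))
    else:
        a = b = int(spec)
    if not (lo <= a <= hi and lo <= b <= hi):
        raise ValueError(f"value out of range in {spec!r}")
    if a <= b:
        return set(range(a, b + 1))
    # start above end: wrap around, e.g. 7-1 -> {7, 1}
    return set(range(a, hi + 1)) | set(range(lo, b + 1))

def parse_when(when: str) -> tuple[set[int], set[int]]:
    """Split 'range_of_days:range_of_hours' into the sets of allowed days and hours."""
    days_spec, hours_spec = when.split(":", 1)
    return _expand(days_spec, 1, 7), _expand(hours_spec, 1, 24)

def when_matches(when: str, moment: dt.datetime) -> bool:
    """True if the action guarded by this when= option may fire at 'moment'."""
    days, hours = parse_when(when)
    day = (moment.isoweekday() % 7) + 1   # Mon=2 ... Sat=7, Sun=1 (swatch numbering)
    hour = moment.hour or 24              # assumption: midnight is hour 24
    return day in days and hour in hours

if __name__ == "__main__":
    # Constructed timestamps: 2023-12-02 is a Saturday, 2023-12-04 a Monday
    print(when_matches("7-1:1-24", dt.datetime(2023, 12, 2, 10)))  # weekend -> mail
    print(when_matches("7-1:1-24", dt.datetime(2023, 12, 4, 10)))  # weekday -> no mail
```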

17 Swatch: A tutorial Running the program: Swatch expects .swatchrc to live in the home directory of the user who invokes swatch. Swatch also keeps its temporary files there by default (each time it's invoked it creates and runs a script called a "watcher process", whose name ends with a dot followed by the PID of the swatch process that created it).

18 Swatch: A tutorial The -c path_to_configfile and --script-dir=path flags let you specify alternate locations for swatch's configuration and script files, respectively. – Never keep either in a world-writable directory; only these files' owners should even be able to read them. To invoke swatch so it reads a custom configuration file in /var/log and uses that directory for its watcher process script, use this command:

swatch -c /var/log/.swatchrc.access --script-dir=/var/log &

19 Swatch: A tutorial You also need to tell swatch which file to tail, and for that you need the -t filename flag. – To use the previous command to have swatch monitor /var/log/apache/access_log, it would look like this:

swatch -c /var/log/.swatchrc.access --script-dir=/var/log -t /var/log/apache/access_log &

20 Swatch: A tutorial Watch the watcher: Once swatch is configured and running, we want to make sure the alarms are not happening too often or not at all. You may even experience a scare or two in responding to events that set off alarms initially but turn out to be harmless nonetheless. The other scenario, in which too little is watched for, is much harder to address, especially for the beginning system administrator.

21 Swatch: A tutorial By definition, anomalous events don't happen too frequently, so how do you anticipate how they will manifest themselves in the logs? Get in the habit of browsing your system logs often enough to get a feel for what the routine operation of your systems looks like. Better still, tail the logs in real time. If you enter the command:

tail -f /var/log/messages

22 Swatch: A tutorial The last 50 lines of the system log will be printed, plus subsequent lines, as they're generated, until you kill tail with a Ctrl-C. – This works for any file, even a log file that changes rapidly.

23 Swatch: A tutorial Defending against hackers: These days there are a lot of ssh hackers out there filling auth.log up with a bunch of messages like:

Dec 1 12:34:56 server sshd[67743]: Illegal user patrick from 123.123.123.12

This can get pretty annoying, considering that what they're doing is a blatant attack on your server and all you can do is watch what they did.

24 Swatch: A tutorial You want to push back, but how? – With a little configuration of Swatch, it will give them one illegal user attempt and they'll be blocked indefinitely. – This tutorial will assume you are using pf (packet filter) for your firewall. You'll want to figure out who you'll be running swatch as; for reasons of convenience I'll be running it as root, but with some tinkering you can run this as another user or use sudo if it makes you feel better.

25 Swatch: A tutorial Again, you'll want to make your .swatchrc file in /root/.swatchrc but with the new command:

# Look for bad ssh attempts; if found, block them!
watchfor /Illegal user/
exec "/root/bin/addblock $1"

26 Swatch: A tutorial Now you'll want to make the addblock script we referenced above. We could put all our commands in multiple exec lines; however, putting quotes inside quotes in exec doesn't work so well, so you need to use a separate shell script.

27 Swatch: A tutorial – Here is what /root/bin/addblock should contain:

#!/bin/sh
pfctl -t hackers -T add "$1"
echo "$1" >> /root/pf/hackers
logger "swatch: $1 caught with bad login. Added to hackers pf table"

28 Swatch: A tutorial The first line will add the address to the hackers table in pf. In the second line there's a file we are appending the addresses to; this is so that when we restart pf, it'll remember the old addresses. Feel free to put this file anywhere you feel is appropriate. The last line sends a message to syslog about the address addition, which will end up in /var/log/messages.
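The addblock step hands a raw log field to a root shell and a firewall table, so the decision of what to add deserves a check. This added example (not swatch's or the slides' code) shows that logic: the source address is captured with a regex group from constructed auth.log lines, accepted only if it parses as a literal IP address, skipped if it is a private or loopback peer or already in the table, and turned into the pfctl argument vector rather than a shell string. The "hackers" table name comes from the slides; the sample lines are constructed.

```python
import ipaddress
import re
from typing import Optional

# Capture the source after 'from'; \S+ also catches hostnames and other junk
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user \S+ from (\S+)")

def extract_source(line: str) -> Optional[str]:
    """Return the captured source field of an 'Illegal user' line, else None."""
    m = ILLEGAL_USER.search(line)
    return m.group(1) if m else None

def block_command(raw: str, table: set[str], skip_private: bool = True) -> Optional[list[str]]:
    """Return the pfctl argv that would run, or None if the field must not be acted on.
    Only a literal IP address is accepted: a hostname or anything else is rejected,
    and so is an RFC1918/loopback peer, which would lock the admin out of the LAN."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None                      # not an IP address at all
    if skip_private and (addr.is_private or addr.is_loopback):
        return None                      # do not block our own network
    if str(addr) in table:
        return None                      # already blocked; avoid a duplicate table entry
    table.add(str(addr))
    return ["pfctl", "-t", "hackers", "-T", "add", str(addr)]

# Constructed sample log lines, modelled on the slide's example line
SAMPLE_LOG = """\
Dec 1 12:34:56 server sshd[67743]: Illegal user patrick from 123.123.123.12
Dec 1 12:35:02 server sshd[67744]: Illegal user admin from 123.123.123.12
Dec 1 12:36:10 server sshd[67750]: Illegal user test from 192.168.1.7
Dec 1 12:37:44 server sshd[67761]: Illegal user root from host.example
Dec 1 12:38:01 server sshd[67765]: Accepted publickey for chris from 10.0.0.5
"""

def process(log_text: str) -> list[list[str]]:
    """Run every line through the watcher logic; return the commands that would fire."""
    table: set[str] = set()
    commands = []
    for line in log_text.splitlines():
        src = extract_source(line)
        if src is None:
            continue                     # not a matched event, like swatch's regex miss
        cmd = block_command(src, table)
        if cmd:
            commands.append(cmd)
    return commands

if __name__ == "__main__":
    for cmd in process(SAMPLE_LOG):
        print(" ".join(cmd))
```

Of the five constructed lines only the first produces a block command; the repeat, the private address, the hostname and the unrelated "Accepted publickey" line are all dropped.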

29 Swatch: A tutorial Now to make sure this starts at boot time, you want to add the following to your rc.conf:

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="swatch --config-file=/root/.swatchrc --tail-file=/var/log/auth.log --awk-field-syntax --daemon --pid-file=/var/run/swatch.pid"
swatch_1_user="root"
swatch_1_pid="/var/run/swatch.pid"

30 Swatch: A tutorial Configuring pf: You'll want to put the following lines in the add/block rules section of your pf.conf (the table name matches the one addblock writes to):

table <hackers> persist file "/root/pf/hackers"
block in quick on $extif proto { tcp, udp, ipv6, icmp, esp, ipencap } from <hackers>

31 Swatch: A tutorial Finishing up: If you've done everything above, you can start swatch and enable your new pf rules with:

pfctl -f /etc/pf.conf
/usr/local/etc/rc.d/swatch.sh start

32 Swatch: Associated problems Due to the requirements needed by the installation process of the software, we were unable to successfully install Swatch on the cybersecurity lab’s network.
