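#
# Swatch configuration file for Linux box
#
# Last Modified 7 April, 2000
# Lance Spitzner
#
# swatch -c /etc/swatchrc -t /var/log/messages
#
# NOTE(review): each "exec echo $0 >> /var/log/IDS-scans" action below hands
# the matched log line ($0) to a shell. A log entry carrying shell
# metacharacters could therefore change what that command does. swatch's own
# "write" action appends the matched line to a file without going through a
# shell and is the safer way to keep this running log -- confirm the action
# is available on the installed swatch version before switching.
#
# Option name is "addresses="; the earlier spelling "addressess=" is not
# recognised by swatch, so the affected alerts were never mailed.
#

### Snort honeypot alerts from firewall
watchfor /IDS/
  echo bold
  mail addresses=admin,subject=--- Snort IDS Alert ---
  exec echo $0 >> /var/log/IDS-scans
  # swatch throttle intervals are written hours:minutes:seconds; "01:00" and
  # the trailing "use=" key are kept as the author wrote them -- verify that
  # the installed swatch parses this as the intended interval and that the
  # throttle option separator (comma vs. space) matches its documentation.
  throttle 01:00 use=IDS27

watchfor /PORTSCAN DETECTED/
  echo bold
  mail addresses=admin,subject=--- Snort Port Scan Alert ---
  exec echo $0 >> /var/log/IDS-scans

### DNS zone transfers
watchfor /approved AXFR/
  echo bold
  mail addresses=admin,subject=--- Zone transfer Alert ---
  exec echo $0 >> /var/log/IDS-scans

#########################################################
#                       EXAMPLES                        #
#########################################################
# The rules below are templates: they stay commented out and are not active.

### Bad login attempts
# watchfor /failed/
#   echo bold
#   mail addresses=root,subject=Failed Authentication

### Someone is sniffing!
# watchfor /promiscuous/
#   echo bold
#   mail addresses=root,subject=Someone is sniffing the network!

### Ignore this stuff
# ignore /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

### Kernel problems or system reboots
# watchfor /(panic|halt|SunOS Release)/
#   echo bold
#   # NOTE(review): the commas inside this subject may be read by swatch as
#   # option separators -- check how the installed version parses it.
#   mail addresses=root,subject=System Panic,Halt, or Reboot!

# watchfor /file system full/
#   echo bold
#   mail addresses=root,subject=File system Full
#   throttle 01:00

# watchfor /su:/
#   echo bold
#   mail addresses=root,subject=Someone sued to root access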