From owner-freebsd-questions@FreeBSD.ORG Sun Apr 24 09:26:55 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0620D16A4CE for ; Sun, 24 Apr 2005 09:26:55 +0000 (GMT)
Received: from pne-smtpout2-sn2.hy.skanova.net (pne-smtpout2-sn2.hy.skanova.net [81.228.8.164]) by mx1.FreeBSD.org (Postfix) with ESMTP id 45C1F43D53 for ; Sun, 24 Apr 2005 09:26:54 +0000 (GMT) (envelope-from freebsd@stortsett.se)
Received: from kalle.stortsett.local (81.230.166.90) by pne-smtpout2-sn2.hy.skanova.net (7.1.026.7) id 42662CF1000F3FA2 for freebsd-questions@freebsd.org; Sun, 24 Apr 2005 11:26:52 +0200
Received: from kalle.stortsett.local (unknown [127.0.0.1]) by kalle.stortsett.local (Postfix) with ESMTP id 60C1C61D0 for ; Sun, 24 Apr 2005 11:26:52 +0200 (CEST)
Received: from 192.168.213.10 (SquirrelMail authenticated user per) by kalle.stortsett.local with HTTP; Sun, 24 Apr 2005 11:26:52 +0200 (CEST)
Message-ID: <1356.192.168.213.10.1114334812.squirrel@kalle.stortsett.local>
Date: Sun, 24 Apr 2005 11:26:52 +0200 (CEST)
From: "Per B"
To: freebsd-questions@freebsd.org
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
X-Priority: 3 (Normal)
Importance: Normal
Content-Transfer-Encoding: quoted-printable
Subject: Swatch sort of (not) working...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 24 Apr 2005 09:26:55 -0000

Hi all!

So I got snortsnarf to work but now I'm stuck again.. I installed swatch to monitor the auth.log for those (in-)famous "Illegal user" lines and take some actions on them. I have some ideas what I want to do (firewall the IP-address out for good) but I've started pretty basic.

I am setting up the swatchrc file and got it sort of working but I have two problems. I've googled and read the man page forwards and backwards but am stuck... It goes like this:

My file first has a line:

    watchfor /Illegal user|BREAKIN/

that works... Then I have:

    mail addresses=xxx\@yyy.com,subject=--- SSH ATTACK! ---

that works too... Then comes:

    exec echo $0 >> /var/log/swatch/ssh-attacks

That does NOT work! All I get in the log is the word "swatch" each time it triggers. I've tried to rewrite the line but I only get "swatch" or an empty line. Then comes:

    throttle 00:05:00,use=regex

That does NOT work either. I saw something when googling that throttle is broken, is that correct?

Could someone that has these things working on 5.3 (swatch version is 3.1.1) please help me? It would also be very nice for some examples from your swatchrc files, especially if you have any ipfw stuff in them... :-)

TIA!

Regards,
-- 
Per Berger
 _     ASCII ribbon campaign
( )  - against HTML, vCards and
 X   - proprietary attachments in e-mail
/ \
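The monitoring the post describes (match "Illegal user|BREAKIN", log the whole matched line, throttle repeat alerts to one per five minutes, collect source addresses for an ipfw deny rule) as an added standalone example in Python; this is not the poster's swatchrc nor swatch's own code, and the auth.log lines and the rule number 1000 are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not taken from the post); the second
# line for 203.0.113.5 falls inside the 5-minute window, the third outside it.
SAMPLE_LOG = """\
Apr 24 10:01:02 kalle sshd[812]: Illegal user admin from 203.0.113.5
Apr 24 10:01:04 kalle sshd[813]: Illegal user test from 203.0.113.5
Apr 24 10:03:10 kalle sshd[820]: Accepted publickey for per from 192.168.213.10
Apr 24 10:07:30 kalle sshd[831]: Illegal user oracle from 203.0.113.5
Apr 24 10:08:00 kalle sshd[840]: POSSIBLE BREAKIN ATTEMPT! from 198.51.100.7
"""

PATTERN = re.compile(r"Illegal user|BREAKIN")          # the post's watchfor regex
IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
THROTTLE = timedelta(minutes=5)                         # the post's 00:05:00


def parse_ts(line, year=2005):
    """syslog timestamps carry no year; assume one (2005, as in the post)."""
    return datetime.strptime(f"{year} {TS_RE.match(line).group(1)}", "%Y %b %d %H:%M:%S")


def watch(log_text, throttle=THROTTLE):
    """Return (logged, alerts, blocked).
    logged  = every matched line, as 'exec echo $0 >> file' was meant to record;
    alerts  = matched lines that would still fire the mail action after
              per-source throttling (first hit, then one per window);
    blocked = sorted source addresses seen in any matched line."""
    logged, alerts, last_alert, blocked = [], [], {}, set()
    for line in log_text.splitlines():
        if not PATTERN.search(line):
            continue
        logged.append(line)
        m = IP_RE.search(line)
        if not m:
            continue
        ip, ts = m.group(1), parse_ts(line)
        blocked.add(ip)
        prev = last_alert.get(ip)
        if prev is not None and ts - prev < throttle:
            continue                                    # throttled: same source, same window
        last_alert[ip] = ts
        alerts.append(line)
    return logged, alerts, sorted(blocked)


def ipfw_rules(blocked, rule_no=1000):
    """Render deny rules as text for review; nothing here executes ipfw."""
    return [f"ipfw add {rule_no} deny ip from {ip} to any" for ip in blocked]
```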