Hellowiki.ipfire.org - Swatch
Blockquote
/usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator=‘\n\n’ -t /var/log/snort/alert
Blockquote
It says
And I think alot of the directory’s in the wiki tutorial are wrong
jon
20 May 2021 02:56
2
I installed swatch via pakfire and went looking for “swatch”. maybe it is now called “swatchdog”.
[root@ipfire ~]# find / -iname swatch*
/opt/pakfire/db/rootfiles/swatch
/usr/lib/perl5/site_perl/5.32.1/Swatchdog
/usr/bin/swatchdog
/var/cache/pakfire/swatch-3.2.4-5.ipfire
[root@ipfire ~]#
1 Like
Good point. They had to change the name as the Swiss Watch company wasn’t happy with their use of the name.
So wiki needs an update.
Ok so I changed the command to /usr/bin/swatchdog/var/log/suricata/fast.log/var/ipfire/snort/swatchrc now the file saved in /etc/sysconfig/rc.local/usr/bin/swatchdog --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/suricata/fast.log
now it says ./usr/bin/tail: /var/log/suricata/fast.log: file truncated
jon
23 May 2021 23:04
5
Let learn this together.
I have Mail set up at menu System > Mail Service . And I can click Send test mail and within a moment I get an email:
From: myemail@gmail.com
Subject: IPFire Testmail
Date: May 23, 2021 at 5:52 PM
To: myemail@gmail.com
This is the IPFire test mail.
Do you see the same?
What is inside of the config file at: /var/ipfire/snort/swatchrc
1 Like
jon
24 May 2021 00:06
6
I’ve not used swatch/swatchdog before so just for “fun” I made my swatchrc config file easy and entered:
[root@ipfire ~]# cat /root/.swatchdogrc
watchfor /DROP/
echo=red
mail=myemail@gmail.com,subject="the word DROP"
and then I entered:
/usr/bin/swatchdog -c /root/.swatchdogrc -t /var/log/messages
without the -daemon or the input-record-separator.
and start getting LOTS of lines of DROPs:
[root@ipfire ~]# /usr/bin/swatchdog -c /root/.swatchdogrc -t /var/log/messages
*** swatchdog version 3.2.4 (pid:8003) started at Sun May 23 06:57:59 PM CDT 2021
May 23 18:58:00 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0
May 23 18:58:04 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0
May 23 18:58:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0
. . .
^CCaught a SIGINT -- sending a TERM signal to 8004
[root@ipfire ~]#
So now I know swatch works...
So before it was exactly as the tutorial said but I’m emailing myself.
sendmail: can not open auth file ‘/car/ipfire/dma/auth.conf’ : permission denied
jon
24 May 2021 18:15
8
This is what I see for the /var/ipfire/dma directory (but I am not sure if it is correct…).
[root@ipfire ~]# ls -al /var/ipfire/dma
total 20
drwxr-xr-x 2 nobody nobody 4096 Jan 13 2020 .
drwxr-xr-x 50 root root 4096 May 4 06:15 ..
-rw-r----- 1 nobody root 43 Mar 17 2019 auth.conf
-rw-r--r-- 1 nobody nobody 159 Mar 17 2019 dma.conf
-rw-r--r-- 1 nobody nobody 70 Mar 17 2019 mail.conf
[root@ipfire ~]#
Are you seeing the same permissions for auth.conf?
For the first 2 lines below total 20 it says
And the rest is all the same as yours
jon
24 May 2021 19:56
10
Hmmm. The directory privileges look right in the image.
And you should not need to reboot in single user mode. When you state “IDS” are you talking about Suricata and IPS ? Or something else?
I hate to say this but your issue is beyond my skills.
I probably can help with swatch but not beyond that. Hopefully someone else will stop by to help!
cbrown
24 May 2021 20:19
11
It seems I had to change permissions on auth.conf in order to run from daemon
-rw-r----- 1 nobody mail 43 May 8 10:12 auth.conf
