Hello
I have recently configured the IPFire Mail service and can consistently receive test email; however, I'm having trouble setting up swatch. I have installed postfix and I used a configuration tutorial found here: wiki.ipfire.org - Swatch
But when I get to

> tell swatch to use the 2 new lines as a separator:
> /usr/bin/swatch --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/snort/alert

it says
/usr/bin/swatch error no such file or directory
And I think a lot of the directories in the wiki tutorial are wrong.
Can anyone tell me what file to use? Or how to make it work?
Thanks
jon
(Jon)
20 May 2021 02:56
2
I installed swatch via pakfire and went looking for "swatch". Maybe it is now called "swatchdog".
[root@ipfire ~]# find / -iname swatch*
/opt/pakfire/db/rootfiles/swatch
/usr/lib/perl5/site_perl/5.32.1/Swatchdog
/usr/bin/swatchdog
/var/cache/pakfire/swatch-3.2.4-5.ipfire
[root@ipfire ~]#
Good point. They had to change the name as the Swiss Watch company wasn’t happy with their use of the name.
So wiki needs an update.
OK, so I changed the command to /usr/bin/swatchdog
and I changed the log file to /var/log/suricata/fast.log
and I kept the config file /var/ipfire/snort/swatchrc.
Now the file saved in /etc/sysconfig/rc.local
says /usr/bin/swatchdog --daemon -c /var/ipfire/snort/swatchrc --input-record-separator='\n\n' -t /var/log/suricata/fast.log
Now it says ./usr/bin/tail: /var/log/suricata/fast.log: file truncated
and I'm not getting any emails from IPFire yet.
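The two details in this post, the record separator and the "file truncated" message, are both things a watcher script has to get right, so here is a small model of them. This is an added example, not code from IPFire or swatchdog, and the two log samples are constructed for it in the shape of snort's multi-line text alert file and suricata's one-line fast.log (they are not copied from a real sensor). The point it shows: splitting on a blank line (`'\n\n'`) only terminates a record when the log actually contains blank lines, so on a one-alert-per-line file no record ever completes and nothing matches; and a tailed file that shrinks (rotation in place) has to be re-read from offset 0, which is the condition GNU tail reports as "file truncated".

```python
"""Model of swatch-style record splitting and of tail's "file truncated" case.

Added example, not IPFire or swatchdog code.  Sample log text is constructed
here: SNORT_STYLE mimics snort's multi-line alert file (one block per alert,
blocks separated by a blank line); SURICATA_STYLE mimics suricata's
one-line-per-alert fast.log.  Addresses and signature ids are placeholders.
"""
import os
import re
import tempfile
from typing import Dict, List

SNORT_STYLE = (
    "[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]\n"
    "[Classification: Potentially Bad Traffic] [Priority: 2]\n"
    "05/20-02:56:01.000000 203.0.113.5:80 -> 192.0.2.10:51234\n"
    "\n"
    "[**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**]\n"
    "[Classification: Potentially Bad Traffic] [Priority: 2]\n"
    "05/20-02:56:02.000000 198.51.100.7:40000 -> 192.0.2.10:1433\n"
    "\n"
)

SURICATA_STYLE = (
    "05/20/2021-02:56:01.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 203.0.113.5:80 -> 192.0.2.10:51234\n"
    "05/20/2021-02:56:02.000000  [**] [1:2010935:3] ET SCAN Suspicious inbound to "
    "MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 198.51.100.7:40000 -> 192.0.2.10:1433\n"
)


def split_records(text: str, separator: str = "\n") -> List[str]:
    """Split log text into records on `separator`, the way an
    --input-record-separator setting would.  Only records terminated by the
    separator are returned; an unterminated remainder is held back, which is
    why a '\\n\\n' separator on a file with no blank lines yields nothing."""
    parts = text.split(separator)
    return [p for p in parts[:-1] if p.strip()]


def watch(records: List[str], pattern: str) -> List[str]:
    """Records a `watchfor /pattern/` rule would fire on."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r)]


def follow(path: str, state: Dict[str, int], separator: str = "\n") -> List[str]:
    """One polling pass of a tail -f style reader.  state['pos'] is the byte
    offset already consumed.  A file now smaller than that offset has been
    truncated (rotated in place): restart from 0 rather than waiting at an
    offset past end-of-file.  A rotation by rename would additionally need an
    inode check, which this model leaves out."""
    size = os.path.getsize(path)
    pos = state.get("pos", 0)
    if size < pos:
        pos = 0
        state["truncations"] = state.get("truncations", 0) + 1
    with open(path, "rb") as fh:
        fh.seek(pos)
        data = fh.read()
        state["pos"] = fh.tell()
    return split_records(data.decode("utf-8", "replace"), separator)


def simulate_truncation() -> Dict[str, int]:
    """Write a two-alert fast.log, read it, shrink it to one alert, read again.
    Returns the record count of each pass and the truncations detected."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fast.log")
        state: Dict[str, int] = {}
        with open(path, "w") as fh:
            fh.write(SURICATA_STYLE)
        first = len(follow(path, state))
        second = len(follow(path, state))          # nothing new yet
        with open(path, "w") as fh:                # truncate, then one line
            fh.write(SURICATA_STYLE.splitlines(keepends=True)[0])
        third = len(follow(path, state))
        return {"first": first, "second": second, "third": third,
                "truncations": state.get("truncations", 0)}


if __name__ == "__main__":
    print("snort-style blocks on '\\n\\n':", len(split_records(SNORT_STYLE, "\n\n")))
    print("fast.log lines on '\\n':", len(split_records(SURICATA_STYLE, "\n")))
    print("fast.log lines on '\\n\\n':", len(split_records(SURICATA_STYLE, "\n\n")))
    print("ET SCAN hits:", len(watch(split_records(SURICATA_STYLE), r"ET SCAN")))
    print("truncation run:", simulate_truncation())
```

Run it as a script to see the four counts. The practical reading for this thread: the `'\n\n'` separator belonged to the snort alert format; for a one-line-per-alert fast.log the default line separator is the one that lets a `watchfor` rule see each alert.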
jon
(Jon)
23 May 2021 23:04
5
Let's learn this together.
First
I have Mail set up at menu System > Mail Service. And I can click Send test mail and within a moment I get an email:
From: myemail@gmail.com
Subject: IPFire Testmail
Date: May 23, 2021 at 5:52 PM
To: myemail@gmail.com
This is the IPFire test mail.
Do you see the same?
Second
What is inside of the config file at: /var/ipfire/snort/swatchrc
jon
(Jon)
24 May 2021 00:06
6
I’ve not used swatch/swatchdog before so just for “fun” I made my swatchrc
config file easy and entered:
[root@ipfire ~]# cat /root/.swatchdogrc
watchfor /DROP/
echo=red
mail=myemail@gmail.com,subject="the word DROP"
and then I entered:
/usr/bin/swatchdog -c /root/.swatchdogrc -t /var/log/messages
without the --daemon or the --input-record-separator.
and started getting LOTS of lines of DROPs:
[root@ipfire ~]# /usr/bin/swatchdog -c /root/.swatchdogrc -t /var/log/messages
*** swatchdog version 3.2.4 (pid:8003) started at Sun May 23 06:57:59 PM CDT 2021
May 23 18:58:00 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0
May 23 18:58:04 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0
May 23 18:58:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00 . . . . . URGP=0
. . .
^CCaught a SIGINT -- sending a TERM signal to 8004
[root@ipfire ~]#
So now I know swatch works...
So before it was exactly as the tutorial said but I’m emailing myself.
So I set it up that way and now I'm seeing the IDS logs appear on screen and it says
sendmail: can not open auth file '/var/ipfire/dma/auth.conf': permission denied
jon
(Jon)
24 May 2021 18:15
8
This is what I see for the /var/ipfire/dma
directory (but I am not sure if it is correct…).
[root@ipfire ~]# ls -al /var/ipfire/dma
total 20
drwxr-xr-x 2 nobody nobody 4096 Jan 13 2020 .
drwxr-xr-x 50 root root 4096 May 4 06:15 ..
-rw-r----- 1 nobody root 43 Mar 17 2019 auth.conf
-rw-r--r-- 1 nobody nobody 159 Mar 17 2019 dma.conf
-rw-r--r-- 1 nobody nobody 70 Mar 17 2019 mail.conf
[root@ipfire ~]#
Are you seeing the same permissions for auth.conf?
For the first 2 lines below total 20 it says
drwxr-xr-x 2 nobody nobody 4096 Apr 16 18:36 .
drwxr-xr-x 52 root root 4096 May 16 21:11
And the rest is all the same as yours
I rebooted in single user mode because the IDS system is running as an application, not as a daemon.
jon
(Jon)
24 May 2021 19:56
10
Hmmm. The directory privileges look right in the image.
And you should not need to reboot in single user mode. When you state "IDS" are you talking about Suricata and IPS? Or something else?
I hate to say this but your issue is beyond my skills.
I probably can help with swatch but not beyond that. Hopefully someone else will stop by to help!
cbrown
(Charles Brown)
24 May 2021 20:19
11
It seems I had to change permissions on auth.conf in order to run from daemon
-rw-r----- 1 nobody mail 43 May 8 10:12 auth.conf
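To make the "permission denied" and its fix concrete, here is a model of the POSIX access check a process goes through when it opens auth.conf. This is an added example, not IPFire or dma code. The directory listing it parses is the one posted earlier in the thread (0640, owner nobody, group root). The identity the sending daemon runs under is an assumption here (user "mail", primary group "mail"): the thread only shows that changing the file's group to "mail" made delivery work, which is consistent with a process that is neither the owner nor root and relies on the group read bit.

```python
"""POSIX read-access model for the /var/ipfire/dma/auth.conf problem.

Added example, not IPFire or dma code.  DMA_DIR_LISTING is the `ls -al`
output posted in the thread.  The daemon identity (user "mail", group
"mail") is an assumption for illustration; it is not stated in the thread.
"""
import re
from typing import Dict, NamedTuple, Set

DMA_DIR_LISTING = """\
total 20
drwxr-xr-x 2 nobody nobody 4096 Jan 13 2020 .
drwxr-xr-x 50 root root 4096 May 4 06:15 ..
-rw-r----- 1 nobody root 43 Mar 17 2019 auth.conf
-rw-r--r-- 1 nobody nobody 159 Mar 17 2019 dma.conf
-rw-r--r-- 1 nobody nobody 70 Mar 17 2019 mail.conf
"""

# type, 9 permission chars, links, owner, group, size, three date fields, name
LS_LINE = re.compile(
    r"^(?P<type>[-dl])(?P<perm>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


class Entry(NamedTuple):
    name: str
    is_dir: bool
    mode: int      # permission bits only, e.g. 0o640
    owner: str
    group: str


def parse_listing(text: str) -> Dict[str, Entry]:
    """Turn `ls -l` lines into Entry objects keyed by name; skips 'total'."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mode = 0
        for i, ch in enumerate(m["perm"]):
            # lowercase s/t mean the execute bit is set alongside setuid/sticky
            if ch in "rwxst":
                mode |= 1 << (8 - i)
        entries[m["name"]] = Entry(m["name"], m["type"] == "d", mode,
                                   m["owner"], m["group"])
    return entries


def permitted(entry: Entry, user: str, groups: Set[str], bit: int) -> bool:
    """bit: 4 read, 2 write, 1 execute/search.  POSIX consults exactly one
    class: owner bits if the uid matches (even when group/other would be
    more generous), else group bits if any gid matches, else other bits."""
    if user == entry.owner:
        shift = 6
    elif entry.group in groups:
        shift = 3
    else:
        shift = 0
    return bool((entry.mode >> shift) & bit)


def can_open_for_read(entries: Dict[str, Entry], filename: str,
                      user: str, groups: Set[str]) -> bool:
    """open(O_RDONLY) on a file in this directory needs search (x) on the
    directory and read (r) on the file.  root bypasses both checks."""
    if user == "root":
        return True
    return (permitted(entries["."], user, groups, 1)
            and permitted(entries[filename], user, groups, 4))


def readable_after_chgrp(new_group: str, user: str, groups: Set[str]) -> bool:
    """Apply `chgrp new_group auth.conf` to the posted listing and re-check."""
    entries = parse_listing(DMA_DIR_LISTING)
    entries["auth.conf"] = entries["auth.conf"]._replace(group=new_group)
    return can_open_for_read(entries, "auth.conf", user, groups)


if __name__ == "__main__":
    listing = parse_listing(DMA_DIR_LISTING)
    print("as nobody:", can_open_for_read(listing, "auth.conf", "nobody", {"nobody"}))
    print("as mail, group root:", can_open_for_read(listing, "auth.conf", "mail", {"mail"}))
    print("as mail after chgrp mail:", readable_after_chgrp("mail", "mail", {"mail"}))
```

The check to run on a real box is the same one the model performs: find out which user and group the process that opens auth.conf actually runs as (for example from `ps -o user,group,cmd`), then compare with `ls -l /var/ipfire/dma/auth.conf`. Widening the group to the daemon's group while keeping mode 0640, as in the post above, keeps the SMTP credentials unreadable to every other account, which is preferable to making the file world-readable.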