> -----Original Message-----
> From: Ryan Barnett [mailto:RCBarnettat_private]
> Sent: Saturday, January 12, 2002 1:20 PM
> To: forensicsat_private
> Subject: Using SWATCH for Forensic Analysis of VMware$DD images

I'm not sure why you'd go through all the trouble of installing swatch when every system has grep and most have perl (you've got to have perl for swatch anyway). It sounds like you just don't like long command lines -- so don't use them. Make a script.

Your .swatchrc:

> watchfor /rootkit|root kit|hack| irc | bot |sniff|backdoor|back door|promisc|knark|hax0r|hide|trojan|virus|TFN2K|adore|LKM|attack|denial-of-service|ddos|brute force|0wn/i
>     echo=bold
>     pipe `strings | echo $0 >> /images/swatch_honeypot.txt`

vs. a simple script:

    #!/bin/sh
    # strings runs first so egrep sees printable text rather than raw image
    # bytes; egrep takes the bare pattern (no /.../i delimiters, -i does the
    # case folding).
    strings "$@" | egrep -i 'rootkit|root kit|hack| irc | bot |sniff|backdoor|back door|promisc|knark|hax0r|hide|trojan|virus|TFN2K|adore|LKM|attack|denial-of-service|ddos|brute force|0wn' \
        >> /images/grep_honeypot.txt

or with perl and combining some strings:

    #!/bin/sh
    # -n reads the image a "line" at a time (up to the next newline); strings
    # then keeps only the printable runs of each matching chunk.
    perl -ne 'print if /root ?kit|hack| irc | bot |sniff|back ?door|promisc|knark|hax0r|hide|trojan|virus|tfn2k|adore|lkm|attack|denial-of-service|ddos|brute force|0wn/i' "$@" | strings >> /images/perl_honeypot.txt

Both of these you'd call with "script-file file-to-examine [second-file-to-examine, etc.]".

Don't get me wrong, I use and have used swatch for years now for real-time alerts with throttling. It just seems like overkill for pattern matching.

> Example = "# find . -type f -print | xargs grep -i
> [PATTERN]"
>
> I have done this task many times and it is just a plain
> pain in the A$$ since you can only search for a couple
> patterns at a time.

This is the basic problem I have with the argument. Using egrep, awk, or perl, you can search for as many patterns as you like. I think awk might have some line-length limitations, though.
> Anyways, using SWATCH in this manner allows me
> to search simultaneously for many keywords that
> would be realistically unfeasible to do on the command line.
> The only limiting factor that I have run into thus far is
> that the "context" to which these keyword matches
> are related is missing- I.E.- What file is this word
> located in? Who owns that file? What are the MAC
> times, etc... These are questions that must be
> answered by a more extensive forensic analysis. It is
> extremely effective, however, at throwing out a big net
> and getting some places to start an investigation.
> This method also is useful to be run as a quick check
> to see if there is any mischievous behaviour
> happening on a live VMware image. If you get any
> hits, then you should proceed to a more interactive
> Forensics analysis.

If you're working on a filesystem instead of an image, you can do this in raw perl (not swatch). Check out the File::Find module and the find2perl command.

> I am also getting ready to test using SWATCH to
> monitor VMware GuestOS files while they are actually
> in use. I am not sure if this will work, but we will see.
> I am going to use this RegExpr syntax in the
> swatchrc file -
>
> watchfor /.*/

I don't think so since Swatch uses the File::Tail module which is designed for files that constantly grow at the end. It has some code for dealing with truncated or removed-and-recreated files, but probably not large and dynamic binary images. Not saying it won't work, just that it won't work predictably.

If there are compelling reasons to use swatch instead of the underlying perl, let me know. Otherwise you're just insulating yourself from the perl without any real gains in usability.

Regards,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 09:58:35 PST
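A worked version of the "raw perl with File::Find" sweep Owen recommends, added here as an example and not code from either poster or from swatch. It is written in Python rather than Perl (an assumption, chosen so it runs anywhere without CPAN modules): it walks a directory or takes image files, pulls printable runs out of each file the way strings(1) does, matches the keyword list quoted in the thread, and records the context Ryan says a bare swatch sweep loses (path, owner, size and MAC times). Files are read in chunks so a multi-GB dd image does not have to fit in memory, and a printable run that straddles a chunk boundary is carried over rather than split. The file names, sample bytes and chunk sizes in the usage below are constructed for illustration.

```python
"""Keyword sweep with forensic context (added example, not from the thread)."""
import os
import pwd
import re
import stat
import sys
import time
from dataclasses import dataclass
from typing import Iterator, List

# Keyword list from the thread, as a case-insensitive alternation.
# Short words such as "hack", "hide" and "attack" also match inside
# innocent text ("shackle", "hidden"), so hits are leads, not verdicts.
KEYWORDS = re.compile(
    rb"root ?kit|hack| irc | bot |sniff|back ?door|promisc|knark|hax0r|hide|"
    rb"trojan|virus|tfn2k|adore|lkm|attack|denial-of-service|ddos|brute force|0wn",
    re.IGNORECASE,
)

# strings(1) default: runs of at least 4 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Printable bytes at the very end of a chunk may continue in the next one.
TRAILING_PRINTABLE = re.compile(rb"[\x20-\x7e]*\Z")


@dataclass
class Hit:
    path: str
    keyword: str   # the text that matched, as found in the file
    context: str   # the whole printable run it occurred in
    owner: str
    size: int
    mtime: float   # modification time
    atime: float   # last access time
    ctime: float   # inode change time (not creation time on Unix)


def owner_name(uid: int) -> str:
    """Map a uid to a name, falling back to the number for unknown uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def printable_runs(fh, chunk_size: int) -> Iterator[bytes]:
    """Yield strings(1)-style runs from a binary stream, chunk by chunk,
    carrying an unfinished trailing run over to the next chunk.
    (A file that is printable end to end is buffered whole; images are not.)"""
    carry = b""
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        data = carry + chunk
        tail = TRAILING_PRINTABLE.search(data)
        carry = tail.group()
        for m in PRINTABLE_RUN.finditer(data, 0, tail.start()):
            yield m.group()
    for m in PRINTABLE_RUN.finditer(carry):   # end of file: carry is complete
        yield m.group()


def sweep_file(path: str, chunk_size: int = 1 << 20) -> List[Hit]:
    """Return one Hit per keyword occurrence in a regular file."""
    st = os.lstat(path)          # lstat: do not follow symlinks in an image tree
    if not stat.S_ISREG(st.st_mode):
        return []
    hits: List[Hit] = []
    with open(path, "rb") as fh:
        for run in printable_runs(fh, chunk_size):
            for m in KEYWORDS.finditer(run):
                hits.append(Hit(
                    path=path,
                    keyword=m.group().decode("ascii"),
                    context=run.decode("ascii"),
                    owner=owner_name(st.st_uid),
                    size=st.st_size,
                    mtime=st.st_mtime, atime=st.st_atime, ctime=st.st_ctime,
                ))
    return hits


def sweep_tree(root: str, chunk_size: int = 1 << 20) -> List[Hit]:
    """Walk root (the File::Find role) and sweep every regular file under it."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            hits.extend(sweep_file(os.path.join(dirpath, name), chunk_size))
    return hits


def format_hit(h: Hit) -> str:
    """One report line with the context the thread asks for."""
    def ts(t: float) -> str:
        return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t))
    return (f"{h.path} [{h.owner}, {h.size} B, m={ts(h.mtime)} a={ts(h.atime)} "
            f"c={ts(h.ctime)}] {h.keyword!r} in {h.context!r}")


if __name__ == "__main__":
    # usage: sweep.py /mnt/image_root  or  sweep.py disk1.dd disk2.dd
    for target in sys.argv[1:]:
        found = sweep_tree(target) if os.path.isdir(target) else sweep_file(target)
        for hit in found:
            print(format_hit(hit))
```

The MAC times come from lstat on the file being searched, so on a mounted image you should mount it read-only (and noatime) first, or the sweep itself will update the access times you are trying to record.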