[logs] RE: Bug in swatch throttle code

From: Crow, Owen (Owen_Crowat_private)
Date: Fri Jan 10 2003 - 09:09:03 PST


    > -----Original Message-----
    > From: Jeremy Mates [mailto:jmatesat_private]
    > 
    > * Crow, Owen <Owen_Crowat_private> [2003-01-07T14:52-0800]:
    > > Which version of swatch are you using and have you applied 
    > any patches?
    > 
    > No patches I know of.
    > 
    > $ swatch --version
    > This is swatch version 3.0.4
    > Built on 11/5/2001
    > Built by E. Todd Atkins <Todd.Atkinsat_private>
    > 
    > $ openssl md5 < /usr/bin/swatch
    > 1e3d115fdbad9f62269b0d80408ba6d5
    
    My copy matches both of these.
    
    > > I've tried using swatch 3.0.4 with and without the patches at
    > > http://plaza8.mbn.or.jp/~yswww/myself/swatch-en.html, but I can't
    > > get throttle to work as advertised.  It stops floods of messages,
    > > but after the throttle timeout, it will not show more messages of
    > > the same type, ever.
    > 
    > Hmmm, may have never noticed that behaviour.  Testing...
    > 
    > Feeding a generic fatal error to trigger the swatch daemon watching
    > the "everything" log over the last few minutes has resulted in three
    > messages thus far, the initial report plus two "X messages in the last
    > 10 minutes: blah."
    > 
    [snip]
    I'm still having the problem which I will show below.  My swatchrc file:
    [root@hostname root]# cat swatchrc-20030108
    watchfor = /\[\*\*\]/
            echo random
            mail addresses=address\@com.com,subject=NIDS
            throttle=00:30,use=regex
    
    Since I started swatch this morning, this is all I have received:
    [root@hostname root]# date;/usr/bin/swatch --config-file swatchrc-20030108
    --tail-file /var/log/snort/alert.fast
    Fri Jan 10 08:51:01 CST 2003
    
    *** swatch-3.0.4 (pid:7876) started at Fri Jan 10 08:51:02 CST 2003
    
    01/10/03-08:28:49.479388  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY
    (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
    
    And I have received one email message:
    01/10/03-08:28:49.479388  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY
    (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
    
    Both of the above come from the last message in the file since swatch
    appears to start tailing with a "tail -1f".
    
    If I grep the log file for strings matching "[Priority: 1]" since the start
    time of swatch, there are two lines:
    [root@hostname snort]# tail -1f alert.fast
    01/10/03-08:28:49.479388  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY
    (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
    01/10/03-10:18:33.495630  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY
    (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 3.3.3.3:995
    01/10/03-10:26:54.709144  [**] [1:688:4] MS-SQL sa login failed [**]
    [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP}
    4.4.4.4:1433 -> 6.6.6.6:1079
    01/10/03-10:29:05.787456  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY
    (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 5.5.5.5:1008
    01/10/03-10:31:00.325988  [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY
    (NULL scan) detection [**] {TCP} 1.1.1.1:2049 -> 2.2.2.2:3349
    01/10/03-10:43:28.776502  [**] [1:688:4] MS-SQL sa login failed [**]
    [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP}
    4.4.4.4:1433 -> 6.6.6.6:1090
    
    By my count, I should have received an echo and an email for each one of
    these messages in the logs (6 total) because they occurred more than 30
    seconds apart.  If I'm mistaken in what "00:30" means, and it's 30 minutes
    instead, I should have received about 3 or 4 of each.
    
    Am I missing some syntax issue or something?  I am running on a fully
    patched Redhat 7.2 system.
    
    Thanks,
    Owen Crow
    Systems Programmer (Unix)
    BMC Software, Inc.
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 11:56:14 PST