Log file based IDS
Copyright © 2006 Nic Stevens.
Please see COPYING for licensing information.
This release is a beta release and a complete rewrite from PHP to C. I have tested it on a few
systems and have had no problems. Your mileage may vary. See also the doxygen
documentation for v0.4.
Requirements
A UNIX or UNIX like Operating System
Root access to the system
libpcre (http://www.pcre.org)
General
Secwatch is a daemon that scans log files looking for lines that match a specific
rule. If a rule is matched, the IP is added to a list of IPs with a
potential for abuse. After the IP has been seen maxatt times it
is added to the firewall drop list using the firewall rules in the
configuration. Each time an IP is hit its timestamp is updated. If
the IP does not get dropped it is removed from the IP list after
maxage minutes without a further hit. When an IP is undropped it is left in the
list with an updated timestamp, and is deleted if no more
attempts are seen from that IP for maxage minutes.
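The hit/drop/undrop/expire cycle above, written out as an added Python model so the timing can be checked by hand. This is example code, not part of secwatch; it keeps the list in memory and returns the firewall commands as strings (built from the page's inprej/inpalw defaults with $i replaced by the address) instead of executing them. Resetting the hit counter on undrop is an assumption; the page does not say what the daemon does there.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    hits: int          # matching log lines seen from this IP
    last_seen: float   # time of the last hit (seconds)
    dropped: bool      # True once the reject rule has been issued


class BanList:
    """Model of the secwatch IP list as described in the General section.

    maxatt - number of hits after which the IP is firewalled
    maxage - minutes of silence after which an entry is undropped / removed
    The firewall templates default to the page's inprej/inpalw rules with
    "$i" standing for the address; the model returns the resulting command
    strings instead of executing them.
    """

    def __init__(self, maxatt: int = 5, maxage: int = 15,
                 drop_tpl: str = "/sbin/iptables -I INPUT -s $i -j DROP",
                 allow_tpl: str = "/sbin/iptables -D INPUT -s $i -j DROP"):
        self.maxatt = maxatt
        self.maxage_s = maxage * 60
        self.drop_tpl = drop_tpl
        self.allow_tpl = allow_tpl
        self.entries: Dict[str, Entry] = {}

    def hit(self, ip: str, now: float) -> List[str]:
        """Record one matching log line from ip at time now (seconds).
        Returns the firewall commands that become due (usually none)."""
        e = self.entries.get(ip)
        if e is None:
            e = self.entries[ip] = Entry(hits=0, last_seen=now, dropped=False)
        e.hits += 1
        e.last_seen = now            # every hit refreshes the timestamp
        if not e.dropped and e.hits >= self.maxatt:
            e.dropped = True         # issue the reject rule exactly once
            return [self.drop_tpl.replace("$i", ip)]
        return []

    def expire(self, now: float) -> List[str]:
        """Apply the maxage rule at time now.

        An entry idle for more than maxage minutes is undropped if it was
        dropped (and then kept, with a fresh timestamp, for one more maxage
        period of silence) or removed outright if it never reached maxatt.
        ASSUMPTION: the hit counter is reset on undrop; the page does not say.
        """
        cmds: List[str] = []
        for ip, e in list(self.entries.items()):
            if now - e.last_seen <= self.maxage_s:
                continue
            if e.dropped:
                cmds.append(self.allow_tpl.replace("$i", ip))
                e.dropped = False
                e.hits = 0
                e.last_seen = now
            else:
                del self.entries[ip]
        return cmds


if __name__ == "__main__":
    # Constructed timeline: four hits in half a minute from one address, then silence.
    bl = BanList(maxatt=3, maxage=15)
    for t in (0, 10, 20, 30):
        for cmd in bl.hit("1.2.3.4", t):
            print(f"t={t:5}s  run: {cmd}")
    for t in (900, 931, 1832):
        for cmd in bl.expire(t):
            print(f"t={t:5}s  run: {cmd}")
    print("entries left:", sorted(bl.entries))
```

With maxatt=3 and maxage=15 the third hit (t=20s) produces the DROP command, the fourth hit only refreshes the timestamp, the undrop is issued once the entry has been silent for more than 15 minutes, and the entry disappears after a further 15 minutes of silence.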
Installation
On most UNIX
Systems, Secwatch should be installed by root as viewing of log files
and manipulation of firewalls must be done by the superuser. If you
want secwatch to run as a different user I would suggest running
secwatch as a user who has group access to the logs. For this to
work, however, that same user must have privileges to modify the
firewall using the rules in the configuration.
To install Secwatch, get the latest
source archive. Unpack the archive. This should give you a new
directory called secwatch-x.x.
Chdir to this directory and run:
./configure
make
su
make install
Now that Secwatch is installed you can configure it.
Configuration
Secwatch can run without a configuration file using
reasonable defaults. If a config file is needed it is a simple text
file that is normally installed in /usr/local/etc/secwatch.conf, and
consists of name=value pairs with comments delimited by pound signs
(#).
This is a list of the configuration directives:

Configuration Name   Meaning
patterns             set the name of the patterns file
pidfile              set the name of the file holding the PID of the daemon
banlist              set the name of the ban list
logfiles             set a comma delimited list of log files to scan
maxatt               set the maximum number of attempts before firewalling
maxage               set the maximum age, in minutes, of an IP ban
fork                 set to true or false to have the daemon fork or stay in the foreground
mailto               set the address to send alerts to
logpri               set the syslog priority to use (see below)
logfac               set the syslog facility to use (see below)
fwreject             set the firewall reject selections
inprej               set the inprej firewall rule
outrej               set the outrej firewall rule
fwdrej               set the fwdrej firewall rule
fwallow              set the firewall accept selections
inpalw               set the inpalw firewall rule
outalw               set the outalw firewall rule
fwdalw               set the fwdalw firewall rule
This is a list of syslog priority and facility codes:

Config Code   Priority Constant
alert         LOG_ALERT
crit          LOG_CRIT
debug         LOG_DEBUG
emerg         LOG_EMERG
err           LOG_ERR
info          LOG_INFO
notice        LOG_NOTICE
warning       LOG_WARNING

Config Code   Facility Constant
auth          LOG_AUTH
authpriv      LOG_AUTHPRIV
cron          LOG_CRON
daemon        LOG_DAEMON
kern          LOG_KERN
              LOG_MAIL
news          LOG_NEWS
syslog        LOG_SYSLOG
user          LOG_USER
uucp          LOG_UUCP
local0-7      LOG_LOCAL0-LOG_LOCAL7
Command line Options
Secwatch can also be configured at run time using the following options:

Option             Meaning
-d, --dump-cfg     Dump configuration and exit
-p, --dump-pat     Dump patterns and exit
-f, --config       Configuration filename
-h, --help         Show program options and exit
-v, --version      Show program version and exit
--set-patterns     Set the name of the patterns file
--set-pidfile      Set the name of the file holding the PID of the daemon
--set-banlist      Set the name of the ban list
--set-logfiles     Set a comma delimited list of log files to scan
--set-maxatt       Set the maximum number of attempts before firewalling
--set-maxage       Set the maximum age, in minutes, of an IP ban
--set-fork         Set to true or false to have the daemon fork or stay in the foreground
--set-mailto       Set the address to send alerts to
--set-logpri       Set the syslog priority to use
--set-logfac       Set the syslog facility to use
--set-fwreject     Set the firewall reject selections
--set-inprej       Set the inprej firewall rule
--set-outrej       Set the outrej firewall rule
--set-fwdrej       Set the fwdrej firewall rule
--set-fwallow      Set the firewall accept selections
--set-inpalw       Set the inpalw firewall rule
--set-outalw       Set the outalw firewall rule
--set-fwdalw       Set the fwdalw firewall rule
Configuration Defaults

Configuration Variable   Default Value
patterns                 /usr/local/etc/secwatch.patterns
pidfile                  /var/run/secwatch.pid
iplist                   /var/run/secwatch.iplist
logfiles                 /var/log/secure,/var/log/messages
maxatt                   5
maxage                   15
fork                     true
mailto                   secwatch
mailfrom                 secwatch
sendmail                 /usr/sbin/sendmail
logpri                   info
logfac                   daemon
fwreject                 inprej,outrej,fwdrej
inprej                   /sbin/iptables -I INPUT -s $i -j DROP
outrej                   /sbin/iptables -I OUTPUT -d $i -j DROP
fwdrej                   /sbin/iptables -I FORWARD -d $i -j DROP
fwallow                  inpalw,outalw,fwdalw
inpalw                   /sbin/iptables -D INPUT -s $i -j DROP
outalw                   /sbin/iptables -D OUTPUT -d $i -j DROP
fwdalw                   /sbin/iptables -D FORWARD -d $i -j DROP

Notes on the defaults: this table names the ban list file iplist while the directive list above calls it banlist, and mailfrom and sendmail appear only here; run secwatch -d (--dump-cfg) against your build to see the names it actually accepts. In the firewall rules $i is replaced by the offending address. Each reject rule inserts a DROP at the head of its chain and the matching accept rule deletes it with -D, which only works if the two specifications are identical apart from -I/-D, so change them in pairs. None of the directives exempt an address from banning, so your own failed logins count like anyone else's; keep a second way in while you tune maxatt.
Pattern File Specification
The pattern file consists of one or more lines in the format
logfile:facility:logexp@ippos
where logfile is the full pathname of the log file, facility is an expression that the facility part of the log line (such as the process name) must match, logexp is an expression that the log message must match, and ippos is the position of the offending IP address in the line (in the first example below, @12 selects the twelfth whitespace-separated field).
Logfile may be a plain fully qualified pathname or a modified regular expression. If the expression starts with "//" and ends with "/", the leading and trailing slash are removed, every other slash is escaped, and the result is evaluated as a regular expression.
Example:
//var/log/messages|secure/
will match both
/var/log/messages
and
/var/log/secure.
If the logfile expression does not have the leading // and trailing / it is evaluated as a simple equality test.
If the logfile expression matches, the facility expression must match next, and finally the log expression (logexp) is checked. Each of these is treated as a regular expression if it has the leading // and trailing /, and as a simple equality test otherwise. If all three match, the IP address from the offending line is saved; once it reaches maxatt attempts it is firewalled using the reject rules in the configuration (see Configuration Defaults above).
Because the field at ippos is what gets substituted for $i in commands run as root, write patterns specific enough that this field is always the remote address and nothing else from the line.
Pattern Examples
//var/log/secure|messages/:sshd[:Did not receive ident@12
//var/log/secure|messages/:sshd\[:/\[Uu\]user \[A-z\]* \ from \b\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}\b not allowed/
/var/log/secure:sshd[%Did not receive ident@12
These three rules will match the following log file entries in /var/log/secure and return the IPs found at @ippos:
Apr 9 05:21:57 myhost sshd[2553]: Invalid user ahile from 1.2.3.4
Apr 9 22:15:36 myhost sshd[6662]: Did not receive identification string from 5.6.7.8
Apr 10 11:17:46 myhost sshd[3745]: User root from 81.18.176.30 not allowed because not listed in AllowUsers
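The pattern semantics from the specification and the examples above, reimplemented as an added Python example (not secwatch's own code) so the rules can be tried against log lines before they go live. It parses logfile:facility:logexp@ippos, applies the "//.../" regular-expression convention, takes the IP from field ippos, and only builds the firewall command when that field really is an IP address, since the field is what replaces $i in a command run as root. Assumptions of the example: fields contain no colon of their own, every rule carries @ippos (so the page's second example is out of scope), and the facility/logexp "simple equality" test is implemented as a substring test, which is what lets the page's own facility field "sshd[" match "sshd[2553]:". The "Invalid user" rule and the third log line are constructed for the example; the other inputs are the page's.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional


def _matcher(expr: str, literal_equal: bool) -> Callable[[str], bool]:
    """Turn one pattern field into a test, following the page's convention:
    a field written as //.../ has its outer slashes removed, its remaining
    slashes escaped, and is used as a regular expression; any other field
    is a plain comparison. literal_equal=True means exact equality (the
    logfile field); False means substring containment. ASSUMPTION: the
    page calls the facility/logexp test "simple equality", but only a
    substring test lets its own facility field "sshd[" match "sshd[2553]:".
    """
    if len(expr) > 2 and expr.startswith("//") and expr.endswith("/"):
        rx = re.compile(expr[1:-1].replace("/", r"\/"))
        return lambda text: rx.search(text) is not None
    if literal_equal:
        return lambda text: text == expr
    return lambda text: expr in text


@dataclass
class Pattern:
    logfile: str
    facility: str
    logexp: str
    ippos: int      # 1-based whitespace-separated field holding the IP

    def __post_init__(self) -> None:
        self.match_logfile = _matcher(self.logfile, literal_equal=True)
        self.match_facility = _matcher(self.facility, literal_equal=False)
        self.match_logexp = _matcher(self.logexp, literal_equal=False)


def parse_pattern(line: str) -> Pattern:
    """Parse 'logfile:facility:logexp@ippos'. ASSUMPTION: fields contain no
    ':' of their own and every rule carries an @ippos suffix."""
    logfile, facility, rest = line.split(":", 2)
    logexp, sep, pos = rest.rpartition("@")
    if not sep:
        raise ValueError(f"rule without @ippos: {line!r}")
    return Pattern(logfile, facility, logexp, int(pos))


def extract_ip(p: Pattern, logfile: str, line: str) -> Optional[str]:
    """Return the offending IP if line (read from logfile) matches p, else None.
    The field at ippos is only returned when it parses as an IP address,
    because it is what ends up in place of $i in the root-run firewall
    commands; anything else in that field is refused rather than substituted."""
    if not (p.match_logfile(logfile) and p.match_facility(line)
            and p.match_logexp(line)):
        return None
    fields = line.split()
    if not 1 <= p.ippos <= len(fields):
        return None
    try:
        return str(ipaddress.ip_address(fields[p.ippos - 1]))
    except ValueError:
        return None


def fw_command(template: str, ip: str) -> str:
    """Fill a firewall rule template such as the page's inprej default."""
    return template.replace("$i", ip)


# Constructed sample input: the page's own example lines plus one crafted
# line whose 12th field is not an address.
SAMPLE_LINES = [
    "Apr 9 05:21:57 myhost sshd[2553]: Invalid user ahile from 1.2.3.4",
    "Apr 9 22:15:36 myhost sshd[6662]: Did not receive identification string from 5.6.7.8",
    "Apr 9 22:16:01 myhost sshd[6670]: Did not receive identification string from 5.6.7.8;reboot",
]

RULES = [
    "//var/log/secure|messages/:sshd[:Did not receive ident@12",   # from the page
    "/var/log/secure:sshd[:Invalid user@10",                       # constructed rule
]


def scan(logfile: str, lines, rules=RULES,
         template: str = "/sbin/iptables -I INPUT -s $i -j DROP"):
    """Run every rule over every line; return (ip, command) for each match."""
    patterns = [parse_pattern(r) for r in rules]
    out = []
    for line in lines:
        for p in patterns:
            ip = extract_ip(p, logfile, line)
            if ip is not None:
                out.append((ip, fw_command(template, ip)))
    return out


if __name__ == "__main__":
    for ip, cmd in scan("/var/log/secure", SAMPLE_LINES):
        print(ip, "->", cmd)
```

Running it as /var/log/secure yields a DROP command for 1.2.3.4 and for 5.6.7.8; the crafted third line matches the rule but is refused because "5.6.7.8;reboot" is not an address, which is the check you want in front of any $i substitution. Whether secwatch itself validates the field is not stated on this page.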