USING SWATCH

1. Install SWATCH

    sudo apt-get install swatch

2. Create swatch_ulog.conf and cut and paste the contents below. This file can be in your home directory, but in a production system it should be placed with the other system configuration files, e.g., /etc/swatch.conf.

    watchfor /IPTables-Dropped:.*SRC=([0-9.:]+)\D+DST=([0-9.:]+).*SPT=(\d+)\D+DPT=(\d+)\D+/
        mail=tldadmin@localhost,subject=Attempt to connect from $1:$3 to $2:$4

3. Run Swatch.

    sudo swatch -c swatch_ulog.conf --tail-file=/var/log/ulog/syslogemu.log --daemon

   [You might get a notice from "tail" regarding too many open files. You can ignore that.]

   The instructor will then run another port scan.

4. After a minute read your email on the NOC by doing

    mutt

5. What do you see?
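
To check the watchfor pattern before starting the daemon, the added example below (not part of the original lab) applies the same expression to sample log lines and renders the mail subject each match would produce. The log lines are constructed and the function names are assumptions; the ICMP line has no SPT/DPT fields, so the rule sends no mail for it.

```python
import re

# The watchfor pattern from swatch_ulog.conf, copied unchanged. Perl (swatch)
# and Python interpret this particular expression the same way.
WATCHFOR = re.compile(
    r"IPTables-Dropped:.*SRC=([0-9.:]+)\D+DST=([0-9.:]+).*SPT=(\d+)\D+DPT=(\d+)\D+"
)
# The subject template from the mail action; $1..$4 are the capture groups.
SUBJECT = "Attempt to connect from $1:$3 to $2:$4"

# Constructed sample lines in iptables/ulogd syslog style (not real traffic).
SAMPLE_LOG = [
    "Mar  3 10:15:01 pc1 IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.50 "
    "DST=198.51.100.10 LEN=44 TTL=64 ID=1234 PROTO=TCP SPT=40000 DPT=22 "
    "WINDOW=1024 SYN URGP=0",
    "Mar  3 10:15:02 pc1 IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.50 "
    "DST=198.51.100.10 LEN=28 TTL=64 ID=0 PROTO=UDP SPT=53124 DPT=161 LEN=8",
    # ICMP drops carry TYPE/CODE instead of SPT/DPT, so the rule skips them.
    "Mar  3 10:15:03 pc1 IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.50 "
    "DST=198.51.100.10 LEN=84 TTL=64 ID=77 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    # Unrelated syslog line without the IPTables-Dropped prefix.
    "Mar  3 10:15:04 pc1 sshd[812]: Accepted publickey for sysadm from 192.0.2.7",
]


def render_subject(line):
    """Return the subject swatch would mail for this line, or None if no match."""
    match = WATCHFOR.search(line)
    if match is None:
        return None
    # Replace $1..$4 in the template with the corresponding capture group.
    return re.sub(r"\$(\d)", lambda v: match.group(int(v.group(1))), SUBJECT)


def check(lines):
    """Pair every log line with its rendered subject (None means no mail)."""
    return [(line, render_subject(line)) for line in lines]


if __name__ == "__main__":
    for line, subject in check(SAMPLE_LOG):
        if subject:
            print("MAIL  " + subject)
        else:
            print("SKIP  " + line[:60])
```

Every dropped TCP or UDP packet that matches produces its own message, so a port scan will deliver many mails with the same source address and different destination ports.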