Swatch sort of (not) working...

Per B freebsd at stortsett.se
Sun Apr 24 02:26:55 PDT 2005


Hi all!

So I got snortsnarf to work but now I'm stuck again...

I installed swatch to monitor the auth.log for those (in-)famous "Illegal
user" lines and take some actions on them. I have some ideas what I want to
do (firewall the IP-address out for good) but I've started pretty basic.

I am setting up the swatchrc file and got it sort of working but I have
two problems. I've googled and read the man page forwards and backwards
but am stuck...

It goes like this:

My file first has a line:

"watchfor        /Illegal user|BREAKIN/"

that works...

Then I have:

"mail addresses=xxx\@yyy.com,subject=--- SSH ATTACK! ---"

that works too...

Then comes:

"exec echo $0 >> /var/log/swatch/ssh-attacks"

That does NOT work! All I get in the log is the word "swatch" each time it
triggers. I've tried to rewrite the line but I only get "swatch" or an
empty line.

Then comes:

"throttle 00:05:00,use=regex"

That does NOT work either. I saw something when googling that throttle
is broken, is that correct?

Could someone that has these things working on 5.3 (swatch version is
3.1.1) please help me? It would also be very nice to see some examples from
your swatchrc files, especially if you have any ipfw stuff in them... :-)

TIA!

Regards,
-- 
Per Berger
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
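As an added example (not from the original post and not swatch's own code), here is the detection and throttling logic the post is after, written in Python over constructed auth.log lines: match "Illegal user" entries, extract the source IP, raise one alert per IP per five-minute window (the 00:05:00 throttle), and keep a per-IP hit count. The host name, PIDs, users and addresses in the sample are made up; the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FreeBSD syslog/sshd style (not from a real host).
SAMPLE_AUTH_LOG = """\
Apr 24 02:26:55 gw sshd[812]: Illegal user admin from 192.0.2.10
Apr 24 02:27:01 gw sshd[815]: Illegal user test from 192.0.2.10
Apr 24 02:29:30 gw sshd[820]: Illegal user oracle from 192.0.2.10
Apr 24 02:30:12 gw sshd[823]: Accepted publickey for per from 198.51.100.7 port 4022 ssh2
Apr 24 02:33:00 gw sshd[830]: Illegal user guest from 192.0.2.10
Apr 24 02:33:05 gw sshd[831]: Illegal user admin from 203.0.113.5
"""

# Anchored so that only genuine sshd "Illegal user" records match, not any
# line that merely contains the words somewhere (e.g. in a user-supplied name).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_illegal_user(line, year=2005):
    """Return (timestamp, user, ip) for an 'Illegal user' line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Syslog lines carry no year; the caller supplies it (assumed 2005 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def throttled_alerts(log_text, window=timedelta(minutes=5)):
    """One alert per source IP per window; every hit is still counted."""
    last_alert = {}   # ip -> timestamp of the last alert raised for it
    hits = {}         # ip -> total number of 'Illegal user' lines seen
    alerts = []       # (timestamp, ip, user) tuples that passed the throttle
    for line in log_text.splitlines():
        parsed = parse_illegal_user(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        hits[ip] = hits.get(ip, 0) + 1
        prev = last_alert.get(ip)
        if prev is None or ts - prev >= window:
            last_alert[ip] = ts
            alerts.append((ts, ip, user))
    return alerts, hits


if __name__ == "__main__":
    found, counts = throttled_alerts(SAMPLE_AUTH_LOG)
    for ts, ip, user in found:
        print(f"{ts:%b %d %H:%M:%S} alert: {ip} (user {user}), {counts[ip]} hits so far")
```

The alerts list is the natural hand-off point for a later blocking step (for instance feeding the IP to a firewall rule), while the hit counts let you require more than one attempt before acting.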
