USING SWATCH TO KEEP TRACK OF CONFIGURATION CHANGES ON NETWORK EQUIPMENT

1. We're going to experiment with obvious and not so obvious router misconfigurations.

The tools we've set up so far will give you a clue that something is happening, but not necessarily what...

2. Swatch rules

Let's add the following rules to /etc/swatch.conf:

NOC-TLDX> sudo pico /etc/swatch.conf

# Cisco config
watchfor /SYS-5-CONFIG_I: Configured from (.*) by (.*) on (.*) (\(.*\))$/
    mail=monitoring,subject=Router config by $2 from $4

... once that's done, restart swatch:

NOC-TLDX> sudo kill -9 `ps ax | grep swatch | grep -v grep | awk '{ print $1 }'`
NOC-TLDX> sudo swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

Ask Dr. Evil to re-run the attack.

What was the result -- did you notice anything? Did you receive any information that something was happening before?
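To see exactly what the swatch rule above captures (and what it misses), here is an added Python example that is not part of the original exercise or of swatch itself. It applies the page's SYS-5-CONFIG_I pattern to a handful of constructed Cisco-style syslog lines (the router name, users and 192.0.2.x addresses are made up), builds the same "Router config by $2 from $4" subject, and flags CONFIG_I lines the rule does not fire on. It also goes a step beyond the page with a looser pattern that accounts for the forms of the message that carry no "on vty (addr)" part, so a defender can decide whether the tighter rule leaves a gap.

```python
import re

# The swatch "watchfor" pattern from the exercise, as a Python regex.
# Swatch uses Perl regexes; for this pattern Python's re module behaves the same.
CONFIG_I = re.compile(
    r"SYS-5-CONFIG_I: Configured from (.*) by (.*) on (.*) (\(.*\))$"
)

# Broader pattern (my addition, not from the page): the " on <line> (<addr>)"
# part is optional, so config events without a vty line and address still match.
CONFIG_ANY = re.compile(
    r"SYS-5-CONFIG_I: Configured from (\S+) by (\S+)(?: on (\S+) \((\S+)\))?"
)

# Constructed sample syslog lines for the demo (not captured from a real router).
SAMPLE_LOG = """\
Mar  1 10:02:11 rtr1 123: *Mar  1 10:02:10.991: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Mar  1 10:05:42 rtr1 124: *Mar  1 10:05:41.120: %SYS-5-CONFIG_I: Configured from console by console
Mar  1 10:07:03 rtr1 125: *Mar  1 10:07:02.450: %SYS-5-CONFIG_I: Configured from 192.0.2.20 by snmp
Mar  1 10:09:15 rtr1 126: *Mar  1 10:09:14.003: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Mar  1 10:12:30 rtr1 127: *Mar  1 10:12:29.877: %SYS-5-CONFIG_I: Configured from console by drevil on vty1 (192.0.2.66)
"""


def build_alert(line):
    """Return the mail subject the page's swatch rule would produce, or None if it does not match."""
    m = CONFIG_I.search(line)
    if m is None:
        return None
    _source, user, _vty, addr = m.groups()   # $1, $2, $3, $4 in swatch terms
    return f"Router config by {user} from {addr}"


def classify(line):
    """Parse any CONFIG_I event with the broader pattern; None for non-config lines."""
    m = CONFIG_ANY.search(line)
    if m is None:
        return None
    source, user, vty, addr = m.groups()
    return {"source": source, "user": user, "line": vty, "addr": addr}


def scan(log_text):
    """Run the page's rule over a log; return (subjects fired, CONFIG_I lines it missed)."""
    alerts, misses = [], []
    for line in log_text.splitlines():
        subject = build_alert(line)
        if subject is not None:
            alerts.append(subject)
        elif "SYS-5-CONFIG_I" in line:
            misses.append(line)
    return alerts, misses


if __name__ == "__main__":
    fired, missed = scan(SAMPLE_LOG)
    for s in fired:
        print("ALERT:", s)
    for line in missed:
        print("NOT CAUGHT by page rule:", line)
        print("  broader pattern sees:", classify(line))
```

Running it shows the page's rule fires for the two vty sessions but stays silent for the console and SNMP-originated config events, which the broader pattern still parses; that is the kind of "not so obvious" case the exercise is hinting at.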