diff options
author | Boris V <david.cla2@gmail.com> | 2017-01-30 19:06:04 +0700 |
---|---|---|
committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2017-02-03 04:33:11 +0700 |
commit | ceb90dda6ed16f2640fb7f54a66633d9463e5529 (patch) | |
tree | 53a5b18de3df3a59460bf2d03738ab3bc9d71b60 | |
parent | 97e732d4e19c476dfd06da5d332f98f8d5aa272d (diff) |
network/psad: Added (Intrusion Detection and Log Analysis).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
-rw-r--r-- | network/psad/README | 27 | ||||
-rw-r--r-- | network/psad/doinst.sh | 35 | ||||
-rw-r--r-- | network/psad/psad.SlackBuild | 126 | ||||
-rw-r--r-- | network/psad/psad.info | 10 | ||||
-rw-r--r-- | network/psad/slack-desc | 19 |
5 files changed, 217 insertions, 0 deletions
diff --git a/network/psad/README b/network/psad/README new file mode 100644 index 000000000000..524336af6145 --- /dev/null +++ b/network/psad/README @@ -0,0 +1,27 @@ +psad (Intrusion Detection and Log Analysis with iptables) + +psad is a collection of three lightweight system daemons (two main +daemons and one helper daemon) that run on Linux machines and analyze +iptables log messages to detect port scans and other suspicious traffic. +A typical deployment is to run psad on the iptables firewall where it has +the fastest access to log data. + +You can set email for alerts by setting ALERTSEMAIL: + +ALERTSEMAIL=alerts@example.com ./psad.SlackBuild + +You need at least these rules: + +iptables -A INPUT -j LOG +iptables -A FORWARD -j LOG + +but more usefull will be something like this: + +iptables -A INPUT -i lo -j ACCEPT +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A INPUT -p tcp --dport 80 -j ACCEPT +iptables -A INPUT -j LOG +iptables -A INPUT -j DROP + +please see documentation for more information. diff --git a/network/psad/doinst.sh b/network/psad/doinst.sh new file mode 100644 index 000000000000..740c9470bc11 --- /dev/null +++ b/network/psad/doinst.sh @@ -0,0 +1,35 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then + # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +preserve_perms() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + if [ -e $OLD ]; then + cp -a $OLD ${NEW}.incoming + cat $NEW > ${NEW}.incoming + mv ${NEW}.incoming $NEW + fi + config $NEW +} + +preserve_perms etc/rc.d/rc.psad.new +config etc/psad/auto_dl.new +config etc/psad/icmp6_types.new +config etc/psad/icmp_types.new +config etc/psad/ip_options.new +config etc/psad/pf.os.new +config etc/psad/posf.new +config etc/psad/protocols.new +config etc/psad/psad.conf.new +config etc/psad/signatures.new +config etc/psad/snort_rule_dl.new diff --git a/network/psad/psad.SlackBuild b/network/psad/psad.SlackBuild new file mode 100644 index 000000000000..d60dcdf5a715 --- /dev/null +++ b/network/psad/psad.SlackBuild @@ -0,0 +1,126 @@ +#!/bin/sh + +# Slackware build script for psad + +# Copyright 2017 Boris V. <david.cla2@gmail.com> +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PRGNAM=psad +VERSION=${VERSION:-2.4.3} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} +ALERTSEMAIL=${ALERTSEMAIL:-root@localhost} + +SRCNAM="$(printf $PRGNAM | cut -d- -f2-)" + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i586 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $SRCNAM-$VERSION +tar xvf $CWD/$SRCNAM-$VERSION.tar.bz2 +mkdir -p $PKG/etc/rc.d +mkdir -p $PKG/usr/bin +cd $SRCNAM-$VERSION +chown -R root:root . +cat > install.answers <<EOF +Would you like alerts sent to a different address: y; +Email addresses: $ALERTSEMAIL; +Would you like psad to only parse specific strings in iptables messages: n; +FW search strings: psad; +First is it ok to leave the HOME_NET setting as any: y; +Would you like to enable DShield alerts: n; +Would you like to install the latest signatures from http www cipherdyne org psad signatures: n; +Enable psad at boot time: n; +EOF +find -L . \ + \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ + -o -perm 511 \) -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ + -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; + +mkdir -p $PKG/var/log +mkdir -p $PKG/var/lib +mkdir -p $PKG/var/run + +sed -i 's/ENABLE_PSADWATCHD N;/ENABLE_PSADWATCHD Y;/g' psad.conf +sed -i "s|usr/share/man|usr/man|g" install.pl + +perl install.pl \ + --install-root $PKG \ + --init-dir $PKG/etc/rc.d \ + --init-name rc.psad.new \ + --no-rm-lib-dir \ + --no-syslog-test \ + -U \ + -a $TMP/$SRCNAM-$VERSION/install.answers + + +SRCPATH=${PKG//\//\\\/} +SRCPATH2="$SRCPATH\/" +DSTPATH="\/" + +echo $SRCPATH +echo $SRCPATH2 +find $PKG/ -type f -name '*.conf' -exec sed -i "s/$SRCPATH/$DSTPATH/g" {} + +find $PKG/ -type f -regex '.*\.\(pod\|conf\|packlist\)' -exec sed -i "s/$SRCPATH2/$DSTPATH/g" {} + + +mkdir -p $PKG/etc/logrotate.d +cp logrotate.psad $PKG/etc/logrotate.d/ + +mv $PKG/etc/psad/auto_dl $PKG/etc/psad/auto_dl.new +mv $PKG/etc/psad/icmp6_types $PKG/etc/psad/icmp6_types.new +mv $PKG/etc/psad/icmp_types $PKG/etc/psad/icmp_types.new +mv $PKG/etc/psad/ip_options $PKG/etc/psad/ip_options.new +mv $PKG/etc/psad/pf.os $PKG/etc/psad/pf.os.new +mv $PKG/etc/psad/posf $PKG/etc/psad/posf.new +mv $PKG/etc/psad/protocols $PKG/etc/psad/protocols.new +mv $PKG/etc/psad/psad.conf $PKG/etc/psad/psad.conf.new +mv $PKG/etc/psad/signatures $PKG/etc/psad/signatures.new +mv $PKG/etc/psad/snort_rule_dl $PKG/etc/psad/snort_rule_dl.new + +sed -i 's/start)/start)\n mkdir -p \/var\/run\/psad/g' $PKG/etc/rc.d/rc.psad.new +sed -i 's/\/var\/log\/messages;/\/var\/log\/syslog;/g' $PKG/etc/psad/psad.conf.new + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a BENCHMARK CREDITS ChangeLog FW_EXAMPLE_RULES FW_HELP LICENSE README* \ + $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/doinst.sh > $PKG/install/doinst.sh +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/network/psad/psad.info b/network/psad/psad.info new file mode 100644 index 000000000000..f9f1912075eb --- /dev/null +++ b/network/psad/psad.info @@ -0,0 +1,10 @@ +PRGNAM="psad" +VERSION="2.4.3" +HOMEPAGE="http://www.cipherdyne.org/psad/" +DOWNLOAD="http://www.cipherdyne.org/psad/download/psad-2.4.3.tar.bz2" +MD5SUM="a0e51465ec662b4725a7018a9d2cda61" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="" +MAINTAINER="Boris V." +EMAIL="david.cla2@gmail.com" diff --git a/network/psad/slack-desc b/network/psad/slack-desc new file mode 100644 index 000000000000..ce95b9bb64ca --- /dev/null +++ b/network/psad/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +psad: psad (Intrusion Detection and Log Analysis with iptables) +psad: +psad: psad is a collection of three lightweight system daemons (two main +psad: daemons and one helper daemon) that run on Linux machines and analyze +psad: iptables log messages to detect port scans and other suspicious +psad: traffic. +psad: A typical deployment is to run psad on the iptables firewall where +pas: it has the fastest access to log data. +psad: +psad: Homepage: http://www.cipherdyne.org/psad/ +psad: |