authorBoris V <david.cla2@gmail.com>2017-01-30 19:06:04 +0700
committerWilly Sudiarto Raharjo <willysr@slackbuilds.org>2017-02-03 04:33:11 +0700
commitceb90dda6ed16f2640fb7f54a66633d9463e5529 (patch)
tree53a5b18de3df3a59460bf2d03738ab3bc9d71b60
parent97e732d4e19c476dfd06da5d332f98f8d5aa272d (diff)
network/psad: Added (Intrusion Detection and Log Analysis).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
-rw-r--r--network/psad/README27
-rw-r--r--network/psad/doinst.sh35
-rw-r--r--network/psad/psad.SlackBuild126
-rw-r--r--network/psad/psad.info10
-rw-r--r--network/psad/slack-desc19
5 files changed, 217 insertions, 0 deletions
diff --git a/network/psad/README b/network/psad/README
new file mode 100644
index 000000000000..524336af6145
--- /dev/null
+++ b/network/psad/README
@@ -0,0 +1,27 @@
+psad (Intrusion Detection and Log Analysis with iptables)
+
+psad is a collection of three lightweight system daemons (two main
+daemons and one helper daemon) that run on Linux machines and analyze
+iptables log messages to detect port scans and other suspicious traffic.
+A typical deployment is to run psad on the iptables firewall where it has
+the fastest access to log data.
+
+You can set email for alerts by setting ALERTSEMAIL:
+
+ALERTSEMAIL=alerts@example.com ./psad.SlackBuild
+
+You need at least these rules:
+
+iptables -A INPUT -j LOG
+iptables -A FORWARD -j LOG
+
+but more usefull will be something like this:
+
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT -j LOG
+iptables -A INPUT -j DROP
+
+please see documentation for more information.
diff --git a/network/psad/doinst.sh b/network/psad/doinst.sh
new file mode 100644
index 000000000000..740c9470bc11
--- /dev/null
+++ b/network/psad/doinst.sh
@@ -0,0 +1,35 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ -e $OLD ]; then
+ cp -a $OLD ${NEW}.incoming
+ cat $NEW > ${NEW}.incoming
+ mv ${NEW}.incoming $NEW
+ fi
+ config $NEW
+}
+
+preserve_perms etc/rc.d/rc.psad.new
+config etc/psad/auto_dl.new
+config etc/psad/icmp6_types.new
+config etc/psad/icmp_types.new
+config etc/psad/ip_options.new
+config etc/psad/pf.os.new
+config etc/psad/posf.new
+config etc/psad/protocols.new
+config etc/psad/psad.conf.new
+config etc/psad/signatures.new
+config etc/psad/snort_rule_dl.new
diff --git a/network/psad/psad.SlackBuild b/network/psad/psad.SlackBuild
new file mode 100644
index 000000000000..d60dcdf5a715
--- /dev/null
+++ b/network/psad/psad.SlackBuild
@@ -0,0 +1,126 @@
+#!/bin/sh
+
+# Slackware build script for psad
+
+# Copyright 2017 Boris V. <david.cla2@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=psad
+VERSION=${VERSION:-2.4.3}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+ALERTSEMAIL=${ALERTSEMAIL:-root@localhost}
+
+SRCNAM="$(printf $PRGNAM | cut -d- -f2-)"
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i586 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $SRCNAM-$VERSION
+tar xvf $CWD/$SRCNAM-$VERSION.tar.bz2
+mkdir -p $PKG/etc/rc.d
+mkdir -p $PKG/usr/bin
+cd $SRCNAM-$VERSION
+chown -R root:root .
+cat > install.answers <<EOF
+Would you like alerts sent to a different address: y;
+Email addresses: $ALERTSEMAIL;
+Would you like psad to only parse specific strings in iptables messages: n;
+FW search strings: psad;
+First is it ok to leave the HOME_NET setting as any: y;
+Would you like to enable DShield alerts: n;
+Would you like to install the latest signatures from http www cipherdyne org psad signatures: n;
+Enable psad at boot time: n;
+EOF
+find -L . \
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+ -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
+ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+mkdir -p $PKG/var/log
+mkdir -p $PKG/var/lib
+mkdir -p $PKG/var/run
+
+sed -i 's/ENABLE_PSADWATCHD N;/ENABLE_PSADWATCHD Y;/g' psad.conf
+sed -i "s|usr/share/man|usr/man|g" install.pl
+
+perl install.pl \
+ --install-root $PKG \
+ --init-dir $PKG/etc/rc.d \
+ --init-name rc.psad.new \
+ --no-rm-lib-dir \
+ --no-syslog-test \
+ -U \
+ -a $TMP/$SRCNAM-$VERSION/install.answers
+
+
+SRCPATH=${PKG//\//\\\/}
+SRCPATH2="$SRCPATH\/"
+DSTPATH="\/"
+
+echo $SRCPATH
+echo $SRCPATH2
+find $PKG/ -type f -name '*.conf' -exec sed -i "s/$SRCPATH/$DSTPATH/g" {} +
+find $PKG/ -type f -regex '.*\.\(pod\|conf\|packlist\)' -exec sed -i "s/$SRCPATH2/$DSTPATH/g" {} +
+
+mkdir -p $PKG/etc/logrotate.d
+cp logrotate.psad $PKG/etc/logrotate.d/
+
+mv $PKG/etc/psad/auto_dl $PKG/etc/psad/auto_dl.new
+mv $PKG/etc/psad/icmp6_types $PKG/etc/psad/icmp6_types.new
+mv $PKG/etc/psad/icmp_types $PKG/etc/psad/icmp_types.new
+mv $PKG/etc/psad/ip_options $PKG/etc/psad/ip_options.new
+mv $PKG/etc/psad/pf.os $PKG/etc/psad/pf.os.new
+mv $PKG/etc/psad/posf $PKG/etc/psad/posf.new
+mv $PKG/etc/psad/protocols $PKG/etc/psad/protocols.new
+mv $PKG/etc/psad/psad.conf $PKG/etc/psad/psad.conf.new
+mv $PKG/etc/psad/signatures $PKG/etc/psad/signatures.new
+mv $PKG/etc/psad/snort_rule_dl $PKG/etc/psad/snort_rule_dl.new
+
+sed -i 's/start)/start)\n mkdir -p \/var\/run\/psad/g' $PKG/etc/rc.d/rc.psad.new
+sed -i 's/\/var\/log\/messages;/\/var\/log\/syslog;/g' $PKG/etc/psad/psad.conf.new
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a BENCHMARK CREDITS ChangeLog FW_EXAMPLE_RULES FW_HELP LICENSE README* \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
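Review bot: The first path-rewrite pass, `find $PKG/ -type f -name '*.conf' -exec sed -i "s/$SRCPATH/$DSTPATH/g" {} +`, substitutes `$PKG` without its trailing slash, so every staged path inside the .conf files becomes `//etc/psad/...`, and the following pass with `$SRCPATH2` then no longer matches those files; because that second pass's regex already covers `conf`, removing the first `find` line together with the two leftover debug lines `echo $SRCPATH` and `echo $SRCPATH2` yields clean single-slash paths from one pass. The `SRCPATH=${PKG//\//\\\/}` expansion is bash-only under a `#!/bin/sh` shebang; it runs on Slackware where sh is bash, but `SRCPATH=$(printf '%s' "$PKG" | sed 's|/|\\/|g')` would match the declared interpreter. The `sed -i 's/start)/start)\n mkdir -p \/var\/run\/psad/g'` edit of rc.psad.new also matches a `restart)` arm if the generated init script has one, which is presumably harmless but worth a comment such as `# inject the runtime dir creation; pattern also hits restart) on purpose` so the next maintainer does not "fix" it.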
diff --git a/network/psad/psad.info b/network/psad/psad.info
new file mode 100644
index 000000000000..f9f1912075eb
--- /dev/null
+++ b/network/psad/psad.info
@@ -0,0 +1,10 @@
+PRGNAM="psad"
+VERSION="2.4.3"
+HOMEPAGE="http://www.cipherdyne.org/psad/"
+DOWNLOAD="http://www.cipherdyne.org/psad/download/psad-2.4.3.tar.bz2"
+MD5SUM="a0e51465ec662b4725a7018a9d2cda61"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES=""
+MAINTAINER="Boris V."
+EMAIL="david.cla2@gmail.com"
diff --git a/network/psad/slack-desc b/network/psad/slack-desc
new file mode 100644
index 000000000000..ce95b9bb64ca
--- /dev/null
+++ b/network/psad/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+psad: psad (Intrusion Detection and Log Analysis with iptables)
+psad:
+psad: psad is a collection of three lightweight system daemons (two main
+psad: daemons and one helper daemon) that run on Linux machines and analyze
+psad: iptables log messages to detect port scans and other suspicious
+psad: traffic.
+psad: A typical deployment is to run psad on the iptables firewall where
+pas: it has the fastest access to log data.
+psad:
+psad: Homepage: http://www.cipherdyne.org/psad/
+psad:
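Review bot: The line `pas: it has the fastest access to log data.` lacks the `psad:` prefix, so pkgtool will not display it as part of the description and the file ends up one short of the required eleven `psad:` lines; it should read `psad: it has the fastest access to log data.`.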