network/psad: Added (Intrusion Detection and Log Analysis).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
This commit is contained in:
parent
97e732d4e1
commit
ceb90dda6e
5 changed files with 217 additions and 0 deletions
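--- a/network/psad/README
+++ b/network/psad/README
@@ -0,0 +1,27 @@
+psad (Intrusion Detection and Log Analysis with iptables)
+
+psad is a collection of three lightweight system daemons (two main
+daemons and one helper daemon) that run on Linux machines and analyze
+iptables log messages to detect port scans and other suspicious traffic.
+A typical deployment is to run psad on the iptables firewall where it has
+the fastest access to log data.
+
+You can set email for alerts by setting ALERTSEMAIL:
+
+ALERTSEMAIL=alerts@example.com ./psad.SlackBuild
+
+You need at least these rules:
+
+iptables -A INPUT -j LOG
+iptables -A FORWARD -j LOG
+
+but more usefull will be something like this:
+
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT -j LOG
+iptables -A INPUT -j DROP
+
+please see documentation for more information.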
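--- a/network/psad/doinst.sh
+++ b/network/psad/doinst.sh
@@ -0,0 +1,35 @@
+config() {
+NEW="$1"
+OLD="$(dirname $NEW)/$(basename $NEW .new)"
+# If there's no config file by that name, mv it over:
+if [ ! -r $OLD ]; then
+mv $NEW $OLD
+elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+# toss the redundant copy
+rm $NEW
+fi
+# Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+NEW="$1"
+OLD="$(dirname $NEW)/$(basename $NEW .new)"
+if [ -e $OLD ]; then
+cp -a $OLD ${NEW}.incoming
+cat $NEW > ${NEW}.incoming
+mv ${NEW}.incoming $NEW
+fi
+config $NEW
+}
+
+preserve_perms etc/rc.d/rc.psad.new
+config etc/psad/auto_dl.new
+config etc/psad/icmp6_types.new
+config etc/psad/icmp_types.new
+config etc/psad/ip_options.new
+config etc/psad/pf.os.new
+config etc/psad/posf.new
+config etc/psad/protocols.new
+config etc/psad/psad.conf.new
+config etc/psad/signatures.new
+config etc/psad/snort_rule_dl.new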
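--- a/network/psad/psad.SlackBuild
+++ b/network/psad/psad.SlackBuild
@@ -0,0 +1,126 @@
+#!/bin/sh
+
+# Slackware build script for psad
+
+# Copyright 2017 Boris V. <david.cla2@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=psad
+VERSION=${VERSION:-2.4.3}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+ALERTSEMAIL=${ALERTSEMAIL:-root@localhost}
+
+SRCNAM="$(printf $PRGNAM | cut -d- -f2-)"
+
+if [ -z "$ARCH" ]; then
+case "$( uname -m )" in
+i?86) ARCH=i586 ;;
+arm*) ARCH=arm ;;
+*) ARCH=$( uname -m ) ;;
+esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $SRCNAM-$VERSION
+tar xvf $CWD/$SRCNAM-$VERSION.tar.bz2
+mkdir -p $PKG/etc/rc.d
+mkdir -p $PKG/usr/bin
+cd $SRCNAM-$VERSION
+chown -R root:root .
+cat > install.answers <<EOF
+Would you like alerts sent to a different address: y;
+Email addresses: $ALERTSEMAIL;
+Would you like psad to only parse specific strings in iptables messages: n;
+FW search strings: psad;
+First is it ok to leave the HOME_NET setting as any: y;
+Would you like to enable DShield alerts: n;
+Would you like to install the latest signatures from http www cipherdyne org psad signatures: n;
+Enable psad at boot time: n;
+EOF
+find -L . \
+\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+-o -perm 511 \) -exec chmod 755 {} \; -o \
+\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
+-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+mkdir -p $PKG/var/log
+mkdir -p $PKG/var/lib
+mkdir -p $PKG/var/run
+
+sed -i 's/ENABLE_PSADWATCHD N;/ENABLE_PSADWATCHD Y;/g' psad.conf
+sed -i "s|usr/share/man|usr/man|g" install.pl
+
+perl install.pl \
+--install-root $PKG \
+--init-dir $PKG/etc/rc.d \
+--init-name rc.psad.new \
+--no-rm-lib-dir \
+--no-syslog-test \
+-U \
+-a $TMP/$SRCNAM-$VERSION/install.answers
+
+
+SRCPATH=${PKG//\//\\\/}
+SRCPATH2="$SRCPATH\/"
+DSTPATH="\/"
+
+echo $SRCPATH
+echo $SRCPATH2
+find $PKG/ -type f -name '*.conf' -exec sed -i "s/$SRCPATH/$DSTPATH/g" {} +
+find $PKG/ -type f -regex '.*\.\(pod\|conf\|packlist\)' -exec sed -i "s/$SRCPATH2/$DSTPATH/g" {} +
+
+mkdir -p $PKG/etc/logrotate.d
+cp logrotate.psad $PKG/etc/logrotate.d/
+
+mv $PKG/etc/psad/auto_dl $PKG/etc/psad/auto_dl.new
+mv $PKG/etc/psad/icmp6_types $PKG/etc/psad/icmp6_types.new
+mv $PKG/etc/psad/icmp_types $PKG/etc/psad/icmp_types.new
+mv $PKG/etc/psad/ip_options $PKG/etc/psad/ip_options.new
+mv $PKG/etc/psad/pf.os $PKG/etc/psad/pf.os.new
+mv $PKG/etc/psad/posf $PKG/etc/psad/posf.new
+mv $PKG/etc/psad/protocols $PKG/etc/psad/protocols.new
+mv $PKG/etc/psad/psad.conf $PKG/etc/psad/psad.conf.new
+mv $PKG/etc/psad/signatures $PKG/etc/psad/signatures.new
+mv $PKG/etc/psad/snort_rule_dl $PKG/etc/psad/snort_rule_dl.new
+
+sed -i 's/start)/start)\n mkdir -p \/var\/run\/psad/g' $PKG/etc/rc.d/rc.psad.new
+sed -i 's/\/var\/log\/messages;/\/var\/log\/syslog;/g' $PKG/etc/psad/psad.conf.new
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a BENCHMARK CREDITS ChangeLog FW_EXAMPLE_RULES FW_HELP LICENSE README* \
+$PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}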
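Review bot: The global `s/start)/start)\n mkdir -p \/var\/run\/psad/g` run against rc.psad.new also matches any `restart)` case label, because `start)` is a substring of it, so the mkdir would be spliced into that arm as well if the generated init script has one; anchoring the pattern, `sed -i 's/^\([[:space:]]*\)start)/&\n\1mkdir -p \/var\/run\/psad/' $PKG/etc/rc.d/rc.psad.new`, limits the edit to the start arm (mkdir -p is idempotent, so the current form is imprecise rather than harmful). The `echo $SRCPATH` and `echo $SRCPATH2` lines just before the path rewrite look like leftover debug output and should be dropped. That rewrite only escapes `/` in $PKG, and TMP is user-settable, so a comment such as `# strip the $PKG build prefix from installed .conf/.pod/.packlist files; assumes TMP contains no other sed metacharacters` would make the limitation explicit. The two seds that enable ENABLE_PSADWATCHD and switch psad.conf.new from /var/log/messages to /var/log/syslog change upstream defaults silently; a one-line why-comment on each (which log file Slackware's stock syslog setup routes iptables LOG messages to, and why the watchdog is wanted on by default) would spare the next maintainer guessing.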
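--- a/network/psad/psad.info
+++ b/network/psad/psad.info
@@ -0,0 +1,10 @@
+PRGNAM="psad"
+VERSION="2.4.3"
+HOMEPAGE="http://www.cipherdyne.org/psad/"
+DOWNLOAD="http://www.cipherdyne.org/psad/download/psad-2.4.3.tar.bz2"
+MD5SUM="a0e51465ec662b4725a7018a9d2cda61"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES=""
+MAINTAINER="Boris V."
+EMAIL="david.cla2@gmail.com"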
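--- a/network/psad/slack-desc
+++ b/network/psad/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+|-----handy-ruler------------------------------------------------------|
+psad: psad (Intrusion Detection and Log Analysis with iptables)
+psad:
+psad: psad is a collection of three lightweight system daemons (two main
+psad: daemons and one helper daemon) that run on Linux machines and analyze
+psad: iptables log messages to detect port scans and other suspicious
+psad: traffic.
+psad: A typical deployment is to run psad on the iptables firewall where
+pas: it has the fastest access to log data.
+psad:
+psad: Homepage: http://www.cipherdyne.org/psad/
+psad: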
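Review bot: The line `pas: it has the fastest access to log data.` has a mistyped package prefix; the package tools select description lines by their `psad:` prefix, so this line would be dropped from the installed description and the block would no longer be the required 11 lines. It should read `psad: it has the fastest access to log data.`. The rest of the file lines up with the handy ruler as expected.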