author | shannonjr <shannonjr@pkgsrc.org> | 2008-07-21 12:16:46 +0000 |
---|---|---|
committer | shannonjr <shannonjr@pkgsrc.org> | 2008-07-21 12:16:46 +0000 |
commit | ca727cf206d32cf4ec861a72c30eded0410b4bff (patch) | |
tree | 17cd53751ddade452a4ba7646b056219a0ce067e | |
parent | 59829784a4662490c43f6aebb5558e0d76599b1d (diff) | |
download | pkgsrc-ca727cf206d32cf4ec861a72c30eded0410b4bff.tar.gz |
Prelude-Correlator serves to correlate, in real time, the multiple
events received by Prelude. Several isolated alerts, generated from
different probes, can thus trigger a single correlation alert should the
events be related. This correlation alert then appears within the
Prewikka interface and indicates the potential target information via
the set of correlation rules.
-rw-r--r-- | security/prelude-correlator/DESCR | 9 | ||||
-rw-r--r-- | security/prelude-correlator/Makefile | 72 | ||||
-rw-r--r-- | security/prelude-correlator/PLIST | 17 | ||||
-rw-r--r-- | security/prelude-correlator/distinfo | 8 | ||||
-rw-r--r-- | security/prelude-correlator/files/preludecorrelator.sh | 26 | ||||
-rw-r--r-- | security/prelude-correlator/files/run-prelude-correlator.c | 166 | ||||
-rw-r--r-- | security/prelude-correlator/patches/patch-aa | 13 | ||||
-rw-r--r-- | security/prelude-correlator/patches/patch-ab | 23 | ||||
-rw-r--r-- | security/prelude-correlator/patches/patch-ac | 19 |
9 files changed, 353 insertions, 0 deletions
diff --git a/security/prelude-correlator/DESCR b/security/prelude-correlator/DESCR
new file mode 100644
index 00000000000..cb8637f8e82
--- /dev/null
+++ b/security/prelude-correlator/DESCR
@@ -0,0 +1,9 @@
+Prelude-Correlator serves to correlate, in real time, the multiple
+events received by Prelude. Several isolated alerts, generated
+from different sensors, can thus trigger a single correlation
+alert should the events be related. This correlation alert then
+appears within the Prewikka interface and indicates the potential
+target information via the set of correlation rules.
+
+Signature creation with Prelude-Correlator is based on the powerful
+programming language Lua.
diff --git a/security/prelude-correlator/Makefile b/security/prelude-correlator/Makefile
new file mode 100644
index 00000000000..48bf3402f24
--- /dev/null
+++ b/security/prelude-correlator/Makefile
@@ -0,0 +1,72 @@
+# $NetBSD: Makefile,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+#
+
+DISTNAME= prelude-correlator-0.9.0-beta3
+PKGNAME= prelude-correlator-${DISTNAME:S/-beta/beta/:C/.*-//}
+CATEGORIES= security
+MASTER_SITES= http://www.prelude-ids.com/download/releases/prelude-correlator/
+
+MAINTAINER= shannonjr@NetBSD.org
+HOMEPAGE= http://www.prelude-ids.com/download/releases/prelude-correlator/
+COMMENT= Intrusion event correlation engine
+
+USE_LIBTOOL= yes
+GNU_CONFIGURE= yes
+USE_TOOLS+= make
+USE_TOOLS+= pkg-config
+BUILD_DEFS+= VARBASE
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
+CONFIGURE_ARGS+= --localstatedir=${VARBASE:Q}
+CONFIGURE_ARGS+= --with-libpreludedb-prefix=${BUILDLINK_PREFIX.libpreludedb}
+RCD_SCRIPTS= preludecorrelator
+PRELUDE_CORRELATOR_PID_DIR= ${VARBASE}/run/prelude-correlator
+PRELUDE_USER?= _prelude
+PRELUDE_GROUP?= _prelude
+PRELUDE_HOME?= ${VARBASE}/prelude-correlator
+
+INSTALLATION_DIRS= sbin
+
+PKG_GROUPS_VARS+= PRELUDE_GROUP
+PKG_USERS_VARS+= PRELUDE_USER
+
+PKG_GROUPS= ${PRELUDE_GROUP}
+PKG_USERS= ${PRELUDE_USER}:${PRELUDE_GROUP}
+
+PKG_GECOS.${PRELUDE_USER}= Prelude IDS correlator
+PKG_HOME.${PRELUDE_USER}= ${PRELUDE_HOME}
+
+FILES_SUBST+= PRELUDE_CORRELATOR_PID_DIR=${PRELUDE_CORRELATOR_PID_DIR:Q}
+FILES_SUBST+= PRELUDE_USER=${PRELUDE_USER:Q}
+FILES_SUBST+= PRELUDE_GROUP=${PRELUDE_USER:Q}
+
+EGDIR= share/examples/prelude-correlator/
+REQD_DIRS= ${EGDIR}
+REQD_DIRS+= ${EGDIR}/lua-rules
+CONF_FILES_PERMS+= ${EGDIR}/prelude-correlator.conf ${PKG_SYSCONFDIR}/prelude-correlator/prelude-correlator.conf \
+ ${ROOT_USER} ${ROOT_GROUP} 0644
+
+SUBST_CLASSES+= code
+SUBST_STAGE.code= post-patch
+SUBST_FILES.code= run-prelude-correlator.c
+SUBST_SED.code= -e 's,@PREFIX@,${PREFIX},g'
+SUBST_SED.code+= -e 's,@PRELUDE_USER@,${PRELUDE_USER},g'
+
+SUBST_CLASSES+= make
+SUBST_STAGE.make= post-patch
+SUBST_FILES.make= Makefile.in
+SUBST_SED.make= -e 's,@EGDIR@,${EGDIR},g'
+
+pre-patch:
+ ${CP} ${FILESDIR}/run-prelude-correlator.c ${WRKSRC}
+
+post-build:
+ cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${CC} ${CFLAGS} -o run-prelude-correlator run-prelude-correlator.c
+
+post-install:
+ ${INSTALL_PROGRAM} ${WRKSRC}/run-prelude-correlator ${PREFIX}/sbin/run-prelude-correlator
+ ${CHOWN} -R ${PRELUDE_USER}:${PRELUDE_GROUP} ${PRELUDE_HOME}
+
+.include "../../security/libprelude/buildlink3.mk"
+.include "../../lang/lua/buildlink3.mk"
+.include "../../devel/pcre/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/prelude-correlator/PLIST b/security/prelude-correlator/PLIST
new file mode 100644
index 00000000000..b0c20bc0086
--- /dev/null
+++ b/security/prelude-correlator/PLIST
@@ -0,0 +1,17 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+bin/prelude-correlator
+sbin/run-prelude-correlator
+include/prelude-correlator/prelude-correlator.h
+lib/prelude-correlator/lua.la
+share/examples/prelude-correlator/prelude-correlator.conf
+share/examples/rc.d/preludecorrelator
+share/examples/prelude-correlator/lua-rules/brute-force.lua
+share/examples/prelude-correlator/lua-rules/business-hour.lua
+share/examples/prelude-correlator/lua-rules/firewall.lua
+share/examples/prelude-correlator/lua-rules/scan.lua
+share/examples/prelude-correlator/lua-rules/worm.lua
+share/prelude-correlator/lua/lib.lua
+@dirrm share/prelude-correlator/lua
+@dirrm share/examples/prelude-correlator
+@dirrm lib/prelude-correlator
+@dirrm include/prelude-correlator
diff --git a/security/prelude-correlator/distinfo b/security/prelude-correlator/distinfo
new file mode 100644
index 00000000000..21e17fb5ab0
--- /dev/null
+++ b/security/prelude-correlator/distinfo
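Review bot: `FILES_SUBST+= PRELUDE_GROUP=${PRELUDE_USER:Q}` substitutes the user name where the group name belongs, so the rc script's `chown @PRELUDE_USER@:@PRELUDE_GROUP@` on the pid directory gets the user name as its group whenever PRELUDE_GROUP is overridden; it should read `FILES_SUBST+= PRELUDE_GROUP=${PRELUDE_GROUP:Q}`. `CONFIGURE_ARGS+= --with-libpreludedb-prefix=${BUILDLINK_PREFIX.libpreludedb}` names a buildlink prefix for a package whose buildlink3.mk is never included (only libprelude, lua and pcre are), so the option is presumably passed with an empty value — include the libpreludedb buildlink3.mk or drop the argument. `CONF_FILES_PERMS ... ${ROOT_USER} ${ROOT_GROUP} 0644` installs the live configuration world-readable, while the upstream recipe that patch-ab removes installed it with `-m 600`; whether the file holds anything sensitive is not visible here, so either keep 0600 or add a comment next to the line recording why 0644 is acceptable. `EGDIR= share/examples/prelude-correlator/` carries a trailing slash that turns `${EGDIR}/lua-rules` and the substituted `$(PREFIX)/@EGDIR@` in patch-ab into `//` paths. The recursive `${CHOWN}` on `${PRELUDE_HOME}` in post-install deserves a comment saying it covers the context directory that the patched `install-data-local` creates with mode 700.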
@@ -0,0 +1,8 @@
+$NetBSD: distinfo,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+
+SHA1 (prelude-correlator-0.9.0-beta3.tar.gz) = fbceb04a42f267bf841bbf1ae501dc01c8ca2544
+RMD160 (prelude-correlator-0.9.0-beta3.tar.gz) = 18a9a566410ac90f957b68a4ee034a2ff94b8a3e
+Size (prelude-correlator-0.9.0-beta3.tar.gz) = 397813 bytes
+SHA1 (patch-aa) = aa4cbb04d5898c91578a36c279b8ca7b216ab695
+SHA1 (patch-ab) = 37d78dfd38965e6d7027a85ae0493f2071398713
+SHA1 (patch-ac) = 755852732c57563792f2ef9ae693a75045d962e7
diff --git a/security/prelude-correlator/files/preludecorrelator.sh b/security/prelude-correlator/files/preludecorrelator.sh
new file mode 100644
index 00000000000..c3a7b281eca
--- /dev/null
+++ b/security/prelude-correlator/files/preludecorrelator.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# $NetBSD: preludecorrelator.sh,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+#
+
+# PROVIDE: preludecorrelator
+# REQUIRE: LOGIN
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="preludecorrelator"
+procname="@PREFIX@/bin/prelude-correlator"
+rcvar=${name}
+required_files="@PKG_SYSCONFDIR@/prelude-correlator/prelude-correlator.conf"
+start_precmd="correlator_precommand"
+start_cmd="@PREFIX@/sbin/run-prelude-correlator --pidfile @PRELUDE_CORRELATOR_PID_DIR@/prelude-correlator.pid --daemon"
+pidfile="@PRELUDE_CORRELATOR_PID_DIR@/prelude-correlator.pid"
+
+correlator_precommand()
+{
+ /bin/mkdir -p @PRELUDE_CORRELATOR_PID_DIR@
+ /usr/sbin/chown @PRELUDE_USER@:@PRELUDE_GROUP@ @PRELUDE_CORRELATOR_PID_DIR@
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/security/prelude-correlator/files/run-prelude-correlator.c b/security/prelude-correlator/files/run-prelude-correlator.c
new file mode 100644
index 00000000000..3ea870fd727
--- /dev/null
+++ b/security/prelude-correlator/files/run-prelude-correlator.c
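Review bot: `correlator_precommand` hands the whole pid directory to `@PRELUDE_USER@`, so the file named in `pidfile=` is writable by the daemon's account and rc.subr, running as root, will signal whatever PID that account leaves there on `stop`; the `procname=` setting makes rc.subr check the process name first, which narrows but does not remove the exposure. If the layout is intentional — presumably because prelude-correlator itself writes the `--pidfile` after run-prelude-correlator has dropped privileges — a comment above the function should say so, e.g. `# pid dir must be writable by @PRELUDE_USER@: prelude-correlator writes the pidfile after run-prelude-correlator has dropped privileges`. Keeping the directory root-owned and having the wrapper write the pidfile before it drops privileges would avoid the issue, but that is a change to run-prelude-correlator.c rather than to this script.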
@@ -0,0 +1,166 @@
+#define PRELUDE_CORRELATOR_USER "@PRELUDE_USER@"
+#define PRELUDE_CORRELATOR_PATH "@PREFIX@/bin/prelude-correlator"
+
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/wait.h>
+#include <pwd.h>
+#include <syslog.h>
+
+#define MAX_ARGS 40
+#ifndef TRUE
+#define TRUE 1
+#endif /* TRUE */
+
+#ifndef FALSE
+#define FALSE 0
+#endif /* FALSE */
+
+
+void error_sys(char *str)
+
+{
+ /* Output error message to syslog */
+ char msg[1024];
+ snprintf(msg, sizeof(msg), "run-prelude-correlator : %s : %s", str, strerror(errno));
+ syslog(LOG_ALERT, msg);
+
+}
+
+
+int obtainUIDandGID(const char *name, uid_t *pw_uid, gid_t *pw_gid)
+{
+ /* Obtain UID and GID from passwd entry identified by name */
+ struct passwd *pw_entry;
+ char msg[100];
+
+ if ((pw_entry = getpwnam(name)) == NULL)
+ {
+ snprintf(msg, sizeof(msg), "failed to get password entry for %s", name);
+ error_sys(msg);
+ return FALSE;
+ }
+ else
+ {
+ *pw_uid = pw_entry->pw_uid;
+ *pw_gid = pw_entry->pw_gid;
+ return TRUE;
+
+ }
+}
+
+
+int main (int argc, char **argv )
+
+{
+
+ pid_t pid;
+ uid_t UID;
+ gid_t GID;
+ pid_t pidwait;
+ int waitstat;
+ int s;
+ int max_fd;
+
+ /* Sanity check */
+ if (argc > MAX_ARGS)
+ {
+ error_sys("arg buffer too small");
+ exit(-1);
+ }
+
+ if (geteuid() != 0)
+ {
+ error_sys("must be called by root");
+ exit(-1);
+ }
+
+ /* fork child that will become prelude-correlator */
+ if ((pid = fork()) < 0)
+
+ error_sys("fork error");
+
+ else
+
+ {
+
+ if (pid == 0)
+
+ {
+
+ /* We're the child */
+ char *args[MAX_ARGS];
+ unsigned int i;
+
+ /* Become session leader */
+ setsid();
+
+ /* Change working directory to root directory.
+ The current working directory could be a mounted
+ filesystem; if the daemon stays on a mounted
+ filesystem it could prevent the filesystem from
+ being umounted. */
+ chdir("/");
+
+ /* Clear out file creation mask */
+ umask(0);
+
+ /* Close unneeded file descriptors */
+ max_fd = (int) sysconf(_SC_OPEN_MAX);
+ if (max_fd == -1)
+ max_fd = getdtablesize();
+ for (s = 3; s < max_fd; s++)
+ (void) close(s);
+
+ if (!obtainUIDandGID(PRELUDE_CORRELATOR_USER, &UID, &GID))
+ exit(-1);
+
+ /* Drop privileges immediately */
+ if (setgid(GID) < 0)
+ {
+ /* It is VERY important to check return
+ value and not continue if setgid fails
+ */
+ error_sys ("setgid failed");
+ exit (-1);
+ }
+
+ if (setuid(UID) < 0)
+ {
+ /* It is VERY important to check return
+ value and not continue if setuid fails
+ */
+ error_sys ("setuid failed");
+ exit (-1);
+ }
+
+ /* Build calling argv */
+ args[0] = PRELUDE_CORRELATOR_PATH;
+ for (i=1;i<argc;i++)
+ {
+ args[i] = argv[i];
+ }
+ args[i++] = NULL;
+
+ /* Finally transform self into prelude-correlator */
+ if (execvp(PRELUDE_CORRELATOR_PATH, args) < 0)
+ error_sys("execve error");
+ else
+ ; /* avoid if-then ambiguity */
+ }
+
+ else
+
+ {
+ /* We're the parent
+ Terminate
+ */
+ exit(0);
+ }
+
+ }
+
+}
diff --git a/security/prelude-correlator/patches/patch-aa b/security/prelude-correlator/patches/patch-aa
new file mode 100644
index 00000000000..a2352be720f
--- /dev/null
+++ b/security/prelude-correlator/patches/patch-aa
@@ -0,0 +1,13 @@
+$NetBSD: patch-aa,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+
+--- configure.orig 2008-06-29 05:41:00.000000000 -0600
++++ configure
+@@ -25519,7 +25519,7 @@ fi
+ PRELUDE_CORRELATOR_CONF=$SYSCONFDIR/prelude-correlator/prelude-correlator.conf
+
+
+-PRELUDE_CORRELATOR_CONTEXT_DIR=$LOCALSTATEDIR/lib/prelude-correlator
++PRELUDE_CORRELATOR_CONTEXT_DIR=$LOCALSTATEDIR/prelude-correlator
+
+
+ PRELUDE_CORRELATOR_CONFDIR=$SYSCONFDIR/prelude-correlator
diff --git a/security/prelude-correlator/patches/patch-ab b/security/prelude-correlator/patches/patch-ab
new file mode 100644
index 00000000000..1027cb2121e
--- /dev/null
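Review bot: `syslog(LOG_ALERT, msg);` in error_sys passes the assembled text as the format string, so any `%` sequence in the caller's message or in the strerror() text is interpreted by syslog; it should be `syslog(LOG_ALERT, "%s", msg);`. The argument copy in main is off by one: `if (argc > MAX_ARGS)` lets argc equal MAX_ARGS, after which `args[i++] = NULL;` writes to `args[MAX_ARGS]`, one past the end of `char *args[MAX_ARGS]` — the check must be `if (argc >= MAX_ARGS)`. The privilege drop keeps root's supplementary groups because nothing calls setgroups() before `setgid(GID)`; a `setgroups(1, &GID)` (declared in the already-included `<unistd.h>` on NetBSD), checked and logged the same way as the setgid and setuid calls, closes that gap. `umask(0)` makes every file prelude-correlator creates without an explicit mode world-writable, so `umask(022)` is the safer default, and since the parent always runs `exit(0)` before the child has exec'd, a comment at the top of main should record that exec and setuid failures are reported only through syslog and never as a non-zero exit status to the rc script. `pidwait` and `waitstat` are declared but never used and can be dropped.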
+++ b/security/prelude-correlator/patches/patch-ab
@@ -0,0 +1,23 @@
+$NetBSD: patch-ab,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+
+--- Makefile.in.orig 2008-06-27 11:54:12.000000000 -0600
++++ Makefile.in
+@@ -733,17 +733,7 @@ uninstall-info: uninstall-info-recursive
+
+ install-data-local:
+ $(INSTALL) -m 700 -d $(DESTDIR)$(PRELUDE_CORRELATOR_CONTEXT_DIR)
+- @if test -f $(DESTDIR)$(PRELUDE_CORRELATOR_CONFDIR)/prelude-correlator.conf; then \
+- echo "********************************************************************************"; \
+- echo; \
+- echo "$(DESTDIR)$(configdir)/prelude-correlator.conf already exist..."; \
+- echo "Installing default configuration in $(DESTDIR)$(configdir)/prelude-correlator.conf-dist"; \
+- echo; \
+- echo "********************************************************************************"; \
+- $(INSTALL) -m 600 $(top_srcdir)/prelude-correlator.conf $(DESTDIR)$(PRELUDE_CORRELATOR_CONFDIR)/prelude-correlator.conf-dist; \
+- else \
+- $(INSTALL) -m 600 $(top_srcdir)/prelude-correlator.conf $(DESTDIR)$(PRELUDE_CORRELATOR_CONFDIR); \
+- fi
++ $(BSD_INSTALL_DATA) $(top_srcdir)/prelude-correlator.conf $(PREFIX)/@EGDIR@
+
+ uninstall-local:
+ rm -f $(DESTDIR)$(configdir)/prelude-correlator.conf;
diff --git a/security/prelude-correlator/patches/patch-ac b/security/prelude-correlator/patches/patch-ac
new file mode 100644
index 00000000000..e4af1054449
--- /dev/null
+++ b/security/prelude-correlator/patches/patch-ac
@@ -0,0 +1,19 @@
+$NetBSD: patch-ac,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+
+--- ./plugins/lua/ruleset/Makefile.in.orig 2008-07-11 06:41:49.000000000 -0600
++++ ./plugins/lua/ruleset/Makefile.in
+@@ -321,12 +321,11 @@ distclean-libtool:
+ uninstall-info-am:
+ install-rulesetDATA: $(ruleset_DATA)
+ @$(NORMAL_INSTALL)
+- test -z "$(rulesetdir)" || $(mkdir_p) "$(DESTDIR)$(rulesetdir)"
+ @list='$(ruleset_DATA)'; for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ f=$(am__strip_dir) \
+- echo " $(rulesetDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(rulesetdir)/$$f'"; \
+- $(rulesetDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(rulesetdir)/$$f"; \
++ echo " $(rulesetDATA_INSTALL) '$$d$$p' '$(PREFIX)/share/examples/prelude-correlator/lua-rules/$$f'"; \
++ $(rulesetDATA_INSTALL) "$$d$$p" "$(PREFIX)/share/examples/prelude-correlator/lua-rules/$$f"; \
+ done
+
+ uninstall-rulesetDATA:
|