

[pkgsrc/trunk]: pkgsrc/security/prelude-correlator Prelude-Correlator serves ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/9f46c1221df5
branches:  trunk
changeset: 544870:9f46c1221df5
user:      shannonjr <shannonjr%pkgsrc.org@localhost>
date:      Mon Jul 21 12:16:46 2008 +0000

description:
Prelude-Correlator serves to correlate, in real time, the multiple
events received by Prelude. Several isolated alerts, generated from
different probes, can thus trigger a single correlation alert should the
events be related. This correlation alert then appears within the
Prewikka interface and indicates the potential target information via
the set of correlation rules.

diffstat:

 security/prelude-correlator/DESCR                          |    9 +
 security/prelude-correlator/Makefile                       |   72 +++++
 security/prelude-correlator/PLIST                          |   17 +
 security/prelude-correlator/distinfo                       |    8 +
 security/prelude-correlator/files/preludecorrelator.sh     |   26 ++
 security/prelude-correlator/files/run-prelude-correlator.c |  166 +++++++++++++
 security/prelude-correlator/patches/patch-aa               |   13 +
 security/prelude-correlator/patches/patch-ab               |   23 +
 security/prelude-correlator/patches/patch-ac               |   19 +
 9 files changed, 353 insertions(+), 0 deletions(-)

diffs (truncated from 389 to 300 lines):

diff -r e2b2abe6bf24 -r 9f46c1221df5 security/prelude-correlator/DESCR
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/prelude-correlator/DESCR Mon Jul 21 12:16:46 2008 +0000
@@ -0,0 +1,9 @@
+Prelude-Correlator serves to correlate, in real time, the multiple
+events received by Prelude. Several isolated alerts, generated
+from different sensors, can thus trigger a single correlation
+alert should the events be related. This correlation alert then
+appears within the Prewikka interface and indicates the potential
+target information via the set of correlation rules.
+
+Signature creation with Prelude-Correlator is based on the powerful
+programming language Lua.
diff -r e2b2abe6bf24 -r 9f46c1221df5 security/prelude-correlator/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/prelude-correlator/Makefile      Mon Jul 21 12:16:46 2008 +0000
@@ -0,0 +1,72 @@
+# $NetBSD: Makefile,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+#
+
+DISTNAME=      prelude-correlator-0.9.0-beta3
+PKGNAME=       prelude-correlator-${DISTNAME:S/-beta/beta/:C/.*-//}
+CATEGORIES=    security
+MASTER_SITES=  http://www.prelude-ids.com/download/releases/prelude-correlator/
+
+MAINTAINER=    shannonjr%NetBSD.org@localhost
+HOMEPAGE=      http://www.prelude-ids.com/download/releases/prelude-correlator/
+COMMENT=       Intrusion event correlation engine
+
+USE_LIBTOOL=           yes
+GNU_CONFIGURE=         yes
+USE_TOOLS+=            make
+USE_TOOLS+=            pkg-config
+BUILD_DEFS+=           VARBASE
+CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFDIR:Q}
+CONFIGURE_ARGS+=       --localstatedir=${VARBASE:Q}
+CONFIGURE_ARGS+=       --with-libpreludedb-prefix=${BUILDLINK_PREFIX.libpreludedb}
+RCD_SCRIPTS=           preludecorrelator
+PRELUDE_CORRELATOR_PID_DIR=    ${VARBASE}/run/prelude-correlator
+PRELUDE_USER?=         _prelude
+PRELUDE_GROUP?=                _prelude
+PRELUDE_HOME?=         ${VARBASE}/prelude-correlator
+
+INSTALLATION_DIRS=     sbin
+
+PKG_GROUPS_VARS+=      PRELUDE_GROUP
+PKG_USERS_VARS+=       PRELUDE_USER
+
+PKG_GROUPS=            ${PRELUDE_GROUP}
+PKG_USERS=             ${PRELUDE_USER}:${PRELUDE_GROUP}
+
+PKG_GECOS.${PRELUDE_USER}=     Prelude IDS correlator
+PKG_HOME.${PRELUDE_USER}=      ${PRELUDE_HOME}
+
+FILES_SUBST+=   PRELUDE_CORRELATOR_PID_DIR=${PRELUDE_CORRELATOR_PID_DIR:Q}
+FILES_SUBST+=   PRELUDE_USER=${PRELUDE_USER:Q}
+FILES_SUBST+=   PRELUDE_GROUP=${PRELUDE_USER:Q}
+
+EGDIR=                 share/examples/prelude-correlator/
+REQD_DIRS=             ${EGDIR}
+REQD_DIRS+=            ${EGDIR}/lua-rules
+CONF_FILES_PERMS+=     ${EGDIR}/prelude-correlator.conf ${PKG_SYSCONFDIR}/prelude-correlator/prelude-correlator.conf \
+                       ${ROOT_USER} ${ROOT_GROUP} 0644
+
+SUBST_CLASSES+=                code
+SUBST_STAGE.code=      post-patch
+SUBST_FILES.code=      run-prelude-correlator.c
+SUBST_SED.code=                -e 's,@PREFIX@,${PREFIX},g'
+SUBST_SED.code+=       -e 's,@PRELUDE_USER@,${PRELUDE_USER},g'
+
+SUBST_CLASSES+=                make
+SUBST_STAGE.make=      post-patch
+SUBST_FILES.make=      Makefile.in
+SUBST_SED.make=                -e 's,@EGDIR@,${EGDIR},g'
+
+pre-patch:
+       ${CP} ${FILESDIR}/run-prelude-correlator.c ${WRKSRC}
+
+post-build:
+       cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${CC} ${CFLAGS} -o run-prelude-correlator run-prelude-correlator.c
+
+post-install:
+       ${INSTALL_PROGRAM} ${WRKSRC}/run-prelude-correlator ${PREFIX}/sbin/run-prelude-correlator
+       ${CHOWN} -R ${PRELUDE_USER}:${PRELUDE_GROUP} ${PRELUDE_HOME}
+
+.include "../../security/libprelude/buildlink3.mk"
+.include "../../lang/lua/buildlink3.mk"
+.include "../../devel/pcre/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
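Review bot: The `FILES_SUBST` line for the group substitutes the user's value, so `@PRELUDE_GROUP@` in the rc script expands to `${PRELUDE_USER}`; it should read `FILES_SUBST+=   PRELUDE_GROUP=${PRELUDE_GROUP:Q}`. The slip is masked only because both variables default to `_prelude`, and it surfaces the moment a site overrides `PRELUDE_GROUP`, at which point the pid directory gets the wrong group. `EGDIR` also carries a trailing slash, so `${EGDIR}/lua-rules` and the `CONF_FILES_PERMS`/`SUBST_SED.make` uses produce `share/examples/prelude-correlator//...`; dropping it (`EGDIR=                 share/examples/prelude-correlator`) keeps the paths canonical and matching the PLIST. The `post-install` `${CHOWN} -R` on `${PRELUDE_HOME}` presumes that directory under `${VARBASE}` already exists at install time, which I do not think pkgsrc's user handling guarantees; declaring it via `OWN_DIRS_PERMS+=       ${PRELUDE_HOME} ${PRELUDE_USER} ${PRELUDE_GROUP} 0755` is the usual way to have it created and owned correctly without touching `${VARBASE}` from the package recipe.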
diff -r e2b2abe6bf24 -r 9f46c1221df5 security/prelude-correlator/PLIST
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/prelude-correlator/PLIST Mon Jul 21 12:16:46 2008 +0000
@@ -0,0 +1,17 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+bin/prelude-correlator
+sbin/run-prelude-correlator
+include/prelude-correlator/prelude-correlator.h
+lib/prelude-correlator/lua.la
+share/examples/prelude-correlator/prelude-correlator.conf
+share/examples/rc.d/preludecorrelator
+share/examples/prelude-correlator/lua-rules/brute-force.lua
+share/examples/prelude-correlator/lua-rules/business-hour.lua
+share/examples/prelude-correlator/lua-rules/firewall.lua
+share/examples/prelude-correlator/lua-rules/scan.lua
+share/examples/prelude-correlator/lua-rules/worm.lua
+share/prelude-correlator/lua/lib.lua
+@dirrm share/prelude-correlator/lua
+@dirrm share/examples/prelude-correlator
+@dirrm lib/prelude-correlator
+@dirrm include/prelude-correlator
diff -r e2b2abe6bf24 -r 9f46c1221df5 security/prelude-correlator/distinfo
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/prelude-correlator/distinfo      Mon Jul 21 12:16:46 2008 +0000
@@ -0,0 +1,8 @@
+$NetBSD: distinfo,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+
+SHA1 (prelude-correlator-0.9.0-beta3.tar.gz) = fbceb04a42f267bf841bbf1ae501dc01c8ca2544
+RMD160 (prelude-correlator-0.9.0-beta3.tar.gz) = 18a9a566410ac90f957b68a4ee034a2ff94b8a3e
+Size (prelude-correlator-0.9.0-beta3.tar.gz) = 397813 bytes
+SHA1 (patch-aa) = aa4cbb04d5898c91578a36c279b8ca7b216ab695
+SHA1 (patch-ab) = 37d78dfd38965e6d7027a85ae0493f2071398713
+SHA1 (patch-ac) = 755852732c57563792f2ef9ae693a75045d962e7
diff -r e2b2abe6bf24 -r 9f46c1221df5 security/prelude-correlator/files/preludecorrelator.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/prelude-correlator/files/preludecorrelator.sh    Mon Jul 21 12:16:46 2008 +0000
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# $NetBSD: preludecorrelator.sh,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
+#
+
+# PROVIDE: preludecorrelator
+# REQUIRE: LOGIN
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="preludecorrelator"
+procname="@PREFIX@/bin/prelude-correlator"
+rcvar=${name}
+required_files="@PKG_SYSCONFDIR@/prelude-correlator/prelude-correlator.conf"
+start_precmd="correlator_precommand"
+start_cmd="@PREFIX@/sbin/run-prelude-correlator --pidfile @PRELUDE_CORRELATOR_PID_DIR@/prelude-correlator.pid --daemon"
+pidfile="@PRELUDE_CORRELATOR_PID_DIR@/prelude-correlator.pid"
+
+correlator_precommand()
+{
+       /bin/mkdir -p @PRELUDE_CORRELATOR_PID_DIR@
+       /usr/sbin/chown @PRELUDE_USER@:@PRELUDE_GROUP@ @PRELUDE_CORRELATOR_PID_DIR@
+}
+
+load_rc_config $name
+run_rc_command "$1"
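Review bot: `correlator_precommand` hard-codes `/bin/mkdir` and `/usr/sbin/chown`, which are NetBSD locations; on the other pkgsrc platforms `chown` in particular lives elsewhere and the start hook will fail. The rc script is already run through `FILES_SUBST`, so the tool placeholders pkgsrc provides, `@MKDIR@ -p @PRELUDE_CORRELATOR_PID_DIR@` and `@CHOWN@ @PRELUDE_USER@:@PRELUDE_GROUP@ @PRELUDE_CORRELATOR_PID_DIR@`, are the portable form (worth confirming the placeholder names against the pkgsrc version in use). Note also that the pid directory is handed to the unprivileged daemon user, so `stop`/`status` trust a pidfile that process can rewrite; setting `procname` as this script does lets rc.subr verify the named process before signalling it, which is the right mitigation and worth a one-line comment so nobody removes the variable later.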
diff -r e2b2abe6bf24 -r 9f46c1221df5 security/prelude-correlator/files/run-prelude-correlator.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/prelude-correlator/files/run-prelude-correlator.c        Mon Jul 21 12:16:46 2008 +0000
@@ -0,0 +1,166 @@
+#define PRELUDE_CORRELATOR_USER "@PRELUDE_USER@"
+#define PRELUDE_CORRELATOR_PATH "@PREFIX@/bin/prelude-correlator"
+
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/wait.h>
+#include <pwd.h>
+#include <syslog.h>
+
+#define MAX_ARGS 40
+#ifndef         TRUE
+#define         TRUE                            1
+#endif                          /* TRUE */
+
+#ifndef         FALSE
+#define         FALSE                           0
+#endif                          /* FALSE */
+
+
+void error_sys(char *str)
+
+{
+    /* Output error message to syslog */
+    char msg[1024];
+    snprintf(msg, sizeof(msg), "run-prelude-correlator : %s : %s", str, strerror(errno));
+    syslog(LOG_ALERT, msg);
+
+}
+
+
+int obtainUIDandGID(const char *name, uid_t *pw_uid, gid_t *pw_gid)
+{
+    /* Obtain UID and GID from passwd entry identified by name */
+    struct passwd *pw_entry;
+    char msg[100];
+
+    if ((pw_entry = getpwnam(name)) == NULL)
+    {
+        snprintf(msg, sizeof(msg), "failed to get password entry for %s", name);
+        error_sys(msg);
+        return FALSE;
+    }
+    else
+    {
+        *pw_uid = pw_entry->pw_uid;
+        *pw_gid = pw_entry->pw_gid;
+        return TRUE;
+
+    }
+}
+
+
+int main (int argc, char **argv )
+
+{
+
+    pid_t pid;
+    uid_t UID;
+    gid_t GID;
+    pid_t pidwait;
+    int waitstat;
+    int s;
+    int max_fd;
+
+    /* Sanity check */
+    if (argc > MAX_ARGS)
+    {
+        error_sys("arg buffer too small");
+        exit(-1);
+    }
+
+    if (geteuid() != 0)
+    {
+        error_sys("must be called by root");
+        exit(-1);
+    }
+
+    /* fork child that will become prelude-correlator */
+    if ((pid = fork()) < 0)
+
+        error_sys("fork error");
+
+    else
+
+    {
+
+        if (pid == 0)
+
+        {
+
+            /* We're the child */
+            char *args[MAX_ARGS];
+            unsigned int i;
+
+            /* Become session leader */
+            setsid();
+
+            /* Change working directory to root directory.
+               The current working directory could be a mounted
+               filesystem; if the daemon stays on a mounted
+               filesystem it could prevent the filesystem from
+               being umounted. */
+            chdir("/");
+
+            /* Clear out file creation mask */
+            umask(0);
+
+            /* Close unneeded file descriptors */
+            max_fd = (int) sysconf(_SC_OPEN_MAX);
+            if (max_fd == -1)
+                max_fd = getdtablesize();
+            for (s = 3; s < max_fd; s++)
+                (void) close(s);
+
+            if (!obtainUIDandGID(PRELUDE_CORRELATOR_USER, &UID, &GID))
+                exit(-1);
+
+            /* Drop privileges immediately */
+            if (setgid(GID) < 0)
+            {
+                /* It is VERY important to check return
+                   value and not continue if setgid fails
+                */
+                error_sys ("setgid failed");
+                exit (-1);
+            }
+
+            if (setuid(UID) < 0)
+            {
+                /* It is VERY important to check return
+                   value and not continue if setuid fails
+                */
+                error_sys ("setuid failed");
+                exit (-1);
+            }
+
+            /* Build calling argv */
+            args[0] = PRELUDE_CORRELATOR_PATH;
+            for (i=1;i<argc;i++)
+            {
+                args[i] = argv[i];


