From ceb90dda6ed16f2640fb7f54a66633d9463e5529 Mon Sep 17 00:00:00 2001 From: Boris V Date: Mon, 30 Jan 2017 19:06:04 +0700 Subject: network/psad: Added (Intrusion Detection and Log Analysis). Signed-off-by: Willy Sudiarto Raharjo --- network/psad/README | 27 ++++++++++ network/psad/doinst.sh | 35 ++++++++++++ network/psad/psad.SlackBuild | 126 +++++++++++++++++++++++++++++++++++++++++++ network/psad/psad.info | 10 ++++ network/psad/slack-desc | 19 +++++++ 5 files changed, 217 insertions(+) create mode 100644 network/psad/README create mode 100644 network/psad/doinst.sh create mode 100644 network/psad/psad.SlackBuild create mode 100644 network/psad/psad.info create mode 100644 network/psad/slack-desc (limited to 'network') diff --git a/network/psad/README b/network/psad/README new file mode 100644 index 0000000000..524336af61 --- /dev/null +++ b/network/psad/README @@ -0,0 +1,27 @@ +psad (Intrusion Detection and Log Analysis with iptables) + +psad is a collection of three lightweight system daemons (two main +daemons and one helper daemon) that run on Linux machines and analyze +iptables log messages to detect port scans and other suspicious traffic. +A typical deployment is to run psad on the iptables firewall where it has +the fastest access to log data. + +You can set email for alerts by setting ALERTSEMAIL: + +ALERTSEMAIL=alerts@example.com ./psad.SlackBuild + +You need at least these rules: + +iptables -A INPUT -j LOG +iptables -A FORWARD -j LOG + +but more usefull will be something like this: + +iptables -A INPUT -i lo -j ACCEPT +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +iptables -A INPUT -p tcp --dport 22 -j ACCEPT +iptables -A INPUT -p tcp --dport 80 -j ACCEPT +iptables -A INPUT -j LOG +iptables -A INPUT -j DROP + +please see documentation for more information. diff --git a/network/psad/doinst.sh b/network/psad/doinst.sh new file mode 100644 index 0000000000..740c9470bc --- /dev/null +++ b/network/psad/doinst.sh @@ -0,0 +1,35 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then + # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +preserve_perms() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + if [ -e $OLD ]; then + cp -a $OLD ${NEW}.incoming + cat $NEW > ${NEW}.incoming + mv ${NEW}.incoming $NEW + fi + config $NEW +} + +preserve_perms etc/rc.d/rc.psad.new +config etc/psad/auto_dl.new +config etc/psad/icmp6_types.new +config etc/psad/icmp_types.new +config etc/psad/ip_options.new +config etc/psad/pf.os.new +config etc/psad/posf.new +config etc/psad/protocols.new +config etc/psad/psad.conf.new +config etc/psad/signatures.new +config etc/psad/snort_rule_dl.new diff --git a/network/psad/psad.SlackBuild b/network/psad/psad.SlackBuild new file mode 100644 index 0000000000..d60dcdf5a7 --- /dev/null +++ b/network/psad/psad.SlackBuild @@ -0,0 +1,126 @@ +#!/bin/sh + +# Slackware build script for psad + +# Copyright 2017 Boris V. +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PRGNAM=psad +VERSION=${VERSION:-2.4.3} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} +ALERTSEMAIL=${ALERTSEMAIL:-root@localhost} + +SRCNAM="$(printf $PRGNAM | cut -d- -f2-)" + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i586 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $SRCNAM-$VERSION +tar xvf $CWD/$SRCNAM-$VERSION.tar.bz2 +mkdir -p $PKG/etc/rc.d +mkdir -p $PKG/usr/bin +cd $SRCNAM-$VERSION +chown -R root:root . +cat > install.answers < $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/doinst.sh > $PKG/install/doinst.sh +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/network/psad/psad.info b/network/psad/psad.info new file mode 100644 index 0000000000..f9f1912075 --- /dev/null +++ b/network/psad/psad.info @@ -0,0 +1,10 @@ +PRGNAM="psad" +VERSION="2.4.3" +HOMEPAGE="http://www.cipherdyne.org/psad/" +DOWNLOAD="http://www.cipherdyne.org/psad/download/psad-2.4.3.tar.bz2" +MD5SUM="a0e51465ec662b4725a7018a9d2cda61" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="" +MAINTAINER="Boris V." +EMAIL="david.cla2@gmail.com" diff --git a/network/psad/slack-desc b/network/psad/slack-desc new file mode 100644 index 0000000000..ce95b9bb64 --- /dev/null +++ b/network/psad/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +psad: psad (Intrusion Detection and Log Analysis with iptables) +psad: +psad: psad is a collection of three lightweight system daemons (two main +psad: daemons and one helper daemon) that run on Linux machines and analyze +psad: iptables log messages to detect port scans and other suspicious +psad: traffic. +psad: A typical deployment is to run psad on the iptables firewall where +pas: it has the fastest access to log data. +psad: +psad: Homepage: http://www.cipherdyne.org/psad/ +psad: -- cgit v1.2.3