Change log for 6.4

Version 6.4 - 5 December 2009

- Added new software, softflowd, to capture NetFlow directly on the sensor. This software can be used with ManageEngine NetFlowAnalyzer to monitor the data. The server can be downloaded at http://www.manageengine.com/products/netflow/download.html
- Added ssldump ver 0.9b3 to the sensor.
- Updated xplico to version 0.5.2
- Updated bind to version 9.4.3 P3
- Updated ntp to version 4.2.2 P3
- Upgraded Webmin to version 1.490
- Upgraded to Snort 2.8.5.1
- Upgraded to ntp 4.2.2p3
- Upgraded to bind 9.4.3_P4

Change log for 7.0

Version 7.0 - 30 Dec 2009

- This version runs on Slackware 13. Version 6.4 i386 (32bit) will be updated in the future.

Change log for 6.3

Version 6.3 - 18 March 2009

- Updated to glibc-zoneinfo 2.3.6 Noarch 11
- Updated to ntp 4.2.4p6
- Updated to openssl 0.9.8h rev 3
- Updated to openssl-solibs 0.9.8h rev 3
- Updated to Bind 9.3.6 P1 (only the DNS tools in this package)
- Updated the tcpreplay suite to version 3.4
- Added the base64 binary, xplico and mime.tk. These applications are used to carve email out of pcap files.
- Removed Squert for lack of support and updates.
- Added a new script in /usr/local/snort called bothunter.sh to download the ruleset from SRI International
- Added a new script, /usr/local/sbin/chk-sancp.pl, to check that the eth1 sancp daemon is running and restart it if not.
- Added Darkstat to monitor traffic statistics. It needs to be enabled via /etc/rc.d/rc.local
- Added a stripped-down version of bind to do DNS resolution with the sguil_pcap.sh script.
- Added a new option to the sguil_pcap.sh script to summarize and resolve source and destination IP addresses and save them to a file. The script is located in /root.
- Updated to Snort 2.8.4
- Upgraded to Webmin 1.47
- Upgraded httpry to 0.1.4

Version 6.2 - 5 August 2008

- Upgraded Sguil to version 0.7.0
- Removed the sensoragent_eth2 start script from /etc/rc.d
- Added new scripts in /etc/rc.d: sancp_agent_eth1, snort_agent_eth1, pads_agent_eth1 and pcap_agent_eth1. These scripts control the sensor agents that connect to the database.
- Added the /etc/sguil directory with all the Sguil sensor configuration scripts
- Added pads to the system
- Updated openssh 5.0p1, openssl-solibs 0.9.8h, glibc-zoneinfo 2.3.6 and bzip2 1.0.5
- Upgraded oinkmaster and the rc.snortupdate script. The Emerging Threats site rules are enabled. Fixed the rc.snortupdate script to generate the sid-map from the rules directory.
- Upgraded to Webmin 1.410
- Removed the Snort IDS Admin eth3 and eth4 menus from the Webmin Servers section, and removed the SID menu from each "Snort IDS Admin eth?" menu; it is no longer needed with the changes in the rc.snortupdate script.
- Upgraded to Snort 2.8.2.2
- Updated the /root/sguil_pcap.sh script to have a menu that returns either pcap or text output logs when searching a full day of traffic in the /LOG packet logs. The script supports searches with httpry, ngrep and tcpdump.
- Added mergecap in the /usr/bin directory to be used with sguil_pcap.sh
- Changed the kernel to 2.6.21.5; the default kernel supports 4G and an optional kernel supports up to 64G
- Added a new tool called httpry to parse HTTP headers.
- Updated to OpenSSH 5.1p1, openssl-0.9.8h and vim-7.1.330

Version 6.1 - 2 January 2008

- Changed the Bleeding Snort website in oinkmaster.conf to Emerging Threats
- Updated Ntop to version 3.3.1
- Updated tcpdump to version 3.9.7
- Updated OpenSSH to version 4.7p1
- Updated ZoneInfo to version 2.3.6
- Updated Snort to version 2.8.0.1 and updated the rule list to the current rulesets.
- Upgraded to Webmin 1.360
- Added Squert support in the ISO.
  It can be installed separately by mounting the CD, changing to the squert directory, running pkgtool on the current directory and installing all the files. Access it via a web browser at http://system to view the Sguil data.

Version 6.0 - 25 March 2007

- This is the sixth major release of Shadow IDS Powered by Slackware. This version is based on Slackware 11.0 and Linux kernel 2.6.18 with all the latest packages. The default kernel is for all PCs (SCSI and IDE) and includes SMP support.
- Added support for USB drives
- Upgraded to MySQL version 5.0.33.
- Upgraded Snort to version 2.6.1.3
- Upgraded to Oinkmaster 2.0
- Upgraded p0f to 2.0.8
- Upgraded to Webmin 1.330
- Added a Webmin button in the Servers section for NIC bond0 support for Snort. Activate the cards in /etc/rc.d/rc.local
- Upgraded the DST zoneinfo file to version 2.3.6
- Upgraded slackupdate.sh to version 0.7.1
- Added the ntop Network Top monitoring tool. To enable it, edit the /etc/rc.d/rc.local script and enable it at boot.

For additional information on the installation and configuration of the various features of the system, please refer to the Shadow_IDS_installation_6.0.pdf file.

Version 5.4 - 16 April 2006

- Upgraded all the system components to Sguil version 0.6.1. This version now includes built-in SSL encryption between the sensor(s) and the database. Follow the install.pdf to set up encryption between the database and the sensors.
- Added two new sections to the Webmin Servers section: Sguil Reports and a TCP Wrappers configuration utility. The Sguil Reports are generated daily from /etc/sguild/incident_report.tcl and dumped in /usr/local/webmin/reports/Sguil_Reports.
- Added two new options to the Webmin Servers section: Sguil Server Controls and Sguil Sensor Controls, used to configure the sensor and server components. These two sections are used to edit config files and restart some of the Sguil services.
- Modified the Shadow fetchem.pl script to provide hourly reports in Webmin under the Server Sguil Reports section.
  To configure this additional capability on each sensor, see the install.pdf document to enable the feature and the ShadowFilters.pdf document to understand how to correctly configure the filters. The reports are dumped in /usr/local/webmin/reports/Shadow/external (eth1) and internal (eth2).
- Patched Barnyard with the Sguil Tcl patch to use the new Sguil functionality
- Added a shell script to search through the Sguil pcap log files at the command line. The script is located in the /root account and is called sguil_pcap.sh. Just run it and fill in the blanks.
- Upgraded wget to version 1.10.2.
- Upgraded mysqltcl to version 3.02.
- Upgraded OpenSSH from version 3.9p1 to 4.3p1
- Upgraded Webmin to version 1.270
- Upgraded Snort to 2.4.4 because of security issues.

Version 5.3 - 18 October 2005

- Upgraded Snort to 2.4.3 because of a BO preprocessor vulnerability.

Version 5.2 - 3 October 2005

- Upgraded MySQL to version 4.1.13, which fixes numerous bugs.
- Upgraded ngrep to version 1.43.
- Upgraded the util-linux package.
- Upgraded Webmin to version 1.230
- Added numerous Webmin management scripts under the Others/Custom Commands section to assist with the management of the database server and the sensor.
- Upgraded tcpdump to version 3.9.3 due to a security issue with version 3.8.3.
- Upgraded Snort to version 2.4.2. You should check out the release notes at http://www.snort.org/docs/release_notes/release_notes_240.txt, which detail several changes including the frag3 preprocessor. Added support for Phil Woods' MMAPed pcap, which is built directly into Snort. Additional information on MMAPed pcap is available at http://public.lanl.gov/cpw/
- Minor update to the TCP/IP package
- Minor update to OpenSSL and the OpenSSL libraries to 0.9.7e rev 4.
- Included the convert_time binary in /root to convert epoch time to a regular date and time.
- Included NIC bonding startup scripts in /etc/rc.d/rc.local for those who would like to use IDS taps, including ifenslave in /sbin
- Added several scripts in Webmin under Others and Custom Commands. The commands are used to manage the database and Snort.

Version 5.1 - 1 May 2005

- Upgraded Webmin to version 1.200. Modified Webmin to see rules that look in both directions, such as "alert any any <> any 80". Added several commands under Custom Commands to manipulate Sguil files and restart the daemon, including testing Snort rules and restarting the Snort services.
- Upgraded Snort to version 2.3.3.
- Added information on how to subscribe and configure oinkmaster to download the VRT Snort Certified Rules updates.
- Enabled the threshold.conf file in the Snort configuration file.
- Added a new Snort Webmin button to edit and configure the Snort threshold configuration file. This file contains several examples of events that can be auto-configured.
- Added a new Sguil button for the Sguil autocat.conf file under the Webmin Custom Commands tab.
- Added a new script to control the MySQL database called /etc/rc.d/rc.mysqld.
- Upgraded the /etc/rc.d/rc.K script to ensure it kills all the services associated with Sguil, including MySQL shutdown.
- Upgraded p0f to version 2.0.5.
- Added a script in /root/scripts to optimize the Sguil database daily. The admin needs to add the MySQL root password to the script for this to function properly.

Version 5.0 - 15 February 2005

- This is the fifth major release of Shadow IDS Powered by Slackware. This version is based on Slackware 10.1 and Linux kernel 2.4.29 with all the latest packages.
- Included the latest slackupdate.sh script to help monitor package updates for Slackware 10.1.
- Added Webmin Snort management for oinkmaster.conf and the local-sid.map file.
- Created a new Snort script used by Snort Webmin to stop and start Snort and Barnyard, as well as to parse an updated master Snort sid.map used by Barnyard.
- Upgraded Webmin to version 1.180.
- Upgraded Snort to version 2.3.0.
- Upgraded Ngrep to 1.42
- Changed the Sguil/Snort scripts to monitor interfaces eth1 and eth2 instead of eth0. All the scripts to enable eth2 are commented out in the /etc/rc.d/rc.local script and only need to be uncommented to start them. You also need to edit the root crontab to activate eth2 logging.
- There are three separate packages for Sguil: sguil, containing all of the components to run Sguil on a single box; sensguil, used to install the sensor components only; and sguildb, to install the database components only. If deploying multiple sensors to report to a single database, use sensguil for the sensors and sguildb for the database.
- Dropped support for ACID, which has been replaced by Sguil.

Version 4.6 - 21 November 2004

- This release has a new package to use the Sguil console (http://sguil.sourceforge.net) instead of ACID. In order to access the database, you will need to download the Sguil client available on the SourceForge website. You have a choice of installing ACID or Sguil. Sguil comes in two packages: sensguil for a sensor-only installation, and sguil for installing the database and the sensor on the same system. See the sguil.pdf document for installation and configuration of both the sensor and the Windows client. Both packages have their own directory on the install CD. The Sguil package contains the same MySQL database as ACID, including the same tables.
- New with this release is a document called stunnel.pdf to configure a database and the sensors to encrypt the data via SSL. The examples are based on encrypting data using the Sguil daemon and MySQL.
- Updated the MySQL database to 4.0.22.
- Added a new package called sguil. This package contains several binaries associated with the Sguil data management console. The following binaries are included: p0f, tcpflow, sancp.
- Updated Apache to 1.3.33 due to a buffer overflow affecting mod_include and mod_proxy.
- Updated mod_ssl to mod_ssl-2.8.22-1.3.33 to fix the SSL security issues.

Version 4.5 - 15 September 2004

- Added the Webmin package to manage the entire sensor from a web browser. Webmin runs its own web server and does not require Apache. Webmin is started from /etc/rc.d/rc.local. The Webmin default username and password are admin and admin. Webmin uses SSL encryption and is accessed at https://sensor:10000. See the install.pdf document on how to change the default password.
- Reorganized the install.pdf document into two sections. The first section is the install section and the second is background information on the sensor setup.
- Added the "restart" command to the /etc/rc.d/rc.snort script.
- Added an /etc/rc.d/rc.barnyard script to control the Barnyard service.
- Changed the default Snort output to log_unified format, using Barnyard as the backend processor. The unified logs are saved in /usr/local/snort/log/eth*. Barnyard processes those logs and saves them in pcap format in /usr/local/barnyard/log/eth*.
- Added a new ACID backup database table. This table is called snortarchive, and events can be archived into it using the ACID action menu. This additional table will permit long-term data analysis.
- Added access control to Apache. You now require a valid user account in order to access ACID. See install.pdf for the instructions to change the default password and add new accounts. The default account is cyber and the password is admin.
- Removed support for PCMCIA cards.
- Configured SHADOW to run a console on the sensor if configured according to the setup supplied in the install.pdf document.
- Automated daily updates of the Bleeding Edge rules using Oinkmaster. The 3 files are located in the /usr/local/snort/rules directory.
- Added the stunnel package to provide encryption to securely tunnel Snort data to MySQL over an unsecured network.
Version 4.4 - 12 August 2004

- Updated Snort to 2.2.0
- Updated Oinkmaster to 1.0
- Updated various components of the ACID package
- Updated jpgraph to version 1.16
- Updated adodb to version 4.52
- Updated php to 4.3.8
- Added the Bleeding Edge Malware rules in the etc/ directory. The rule file is called bleeding_edge.rules and it has been added to each configuration file (ext and int).

Version 4.3 - 6 June 2004

- This version contains the OpenSSL patch for a possible denial of service attack.
- The ACID/MySQL package has been recompiled with the updated version of OpenSSL.
- Updated the tcpdump package to 3.8.3 because of a security advisory stating tcpdump was vulnerable to a Denial of Service (DoS). Refer to CVE CAN-2004-0183 and CAN-2004-0184.
- Updated the kernel to 2.4.26 because of a security advisory stating an overflow in ip_setsockopt() which could lead to root access or crash the box. CVE CAN-2004-0394 and CAN-2004-0424.
- Updated Snort to 2.1.3.
- Updated the sysklogd package because it could write to unallocated memory and crash.
- Updated the bin package to fix buffer overflow and directory traversal vulnerabilities in the 'lha' archive utility. CVE CAN-2004-0234 and CAN-2004-0235.
- Updated the slackupdate.sh script to version 0.6.2.
- Added the 4 sites included in the slackupdate.sh script to the sensor firewall. With this addition, the iptables firewall no longer needs to be dropped.
- Fixed an issue with the manpages by adding the bzip2 package to the distribution.
- Upgraded Apache to 1.31 to fix a vulnerability, and the ACID package to acid-1.3.

Version 4.2 - 26 February 2004

- This update fixes a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges.
- Snort was upgraded to version 2.1.1.
- Fixed the oinkmaster script to reflect the new Snort download directory.
- A new PDF file has been added in this section to build an ACID database server on Windows 2000 Server.
  The document has been supplied by Mark Rupright and is called Win2k_Acid_Database.pdf

Version 4.1 - 16 January 2004

- This version contains a kernel bug fix. The kernel is now 2.4.24.
- This version contains a Snort upgrade to version 2.1.0.
- Added the default Slackware logrotate scripts to the root crontab. All of the default scripts are located in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly.
- Minor fix in the default /etc/rc.d/rc.firewall script.

Version 4.0 - 8 December 2003

- This is the fourth major release of Shadow IDS Powered by Slackware. This version is based on Slackware 9.1 and Linux kernel 2.4.23 with all the latest packages.
- This release contains the final release of Snort version 2.0.5
- Included the latest slackupdate.sh script to help monitor package updates for Slackware 9.1.

Version 3.2 - 1 October 2003

- This minor update contains some minor Snort startup script updates to optimize the sensor. The sensor will now save the data files in BPF format instead of text format to optimize the sensor. The filenames are of the form log_Sep252003.(Snort-generated number)
- Patch update for openssh and openssl vulnerabilities
- Minor upgrade of Snort to version 2.0.2, including Jeff Nathan's new flexible response version 2
- Added lsof for those who would like to use this feature
- Snort has been correctly compiled to work with the MySQL database. A set of installation instructions is included in the release note section to install ACID on Slackware.
- A precompiled Apache/ACID/MySQL package is available to install on the sensor for those who wish to use it. It is located in the /acid directory on the install CD. Follow the installation procedures in install.pdf.
- Those who want to build their own ACID/MySQL/Apache server to receive Snort events can follow the acid_mysql.pdf installation document located in the rel_note directory.
Version 3.1 - 17 August 2003

- This minor update contains operating system updates as well as a new startup script for Snort.
- The new Snort startup script is built to configure Snort to run on multiple interfaces. It uses an original script provided by GJ Hagenaars which has been adapted to run on this sensor. Thanks, GJ.
- Snort runs in a chrooted jail by default, as user snort under group snort, after it has been started.
- Updated to Snort 2.0.1
- New Linux kernel 2.4.21
- Shadow has been updated to version 1.8, NSWC's latest release. The Shadow sensor saves all the tcpdump files under the user shadow; the account is locked by default and its password must be set (passwd shadow) in order to use it.
- All the current Slackware Security Updates are included.
- Included the slackupdate.sh script to help monitor package updates. The script is located in the /root directory and saves the downloaded files in the /tmp/slackupdate directory. Follow the instructions in the install.pdf file to upgrade packages.

Version 3.0 - 23 April 2003

- This is the third major release of Shadow IDS Powered by Slackware. This version is based on Slackware 9.0.0 and Linux kernel 2.4.20 with all the latest packages.
- This release contains the final release of Snort version 2.0.0
- This release contains a minor fix for the script /root/ngrep_pat_search.pl, which fixes a minor issue with the combination of pattern search and BPF filters.
- The oinkmaster package has been updated to version 0.7.

Version 2.4 - 5 March 2003

- This version adds Network Grep (ngrep), which can be used in standalone mode or combined with the Shadow logs. If used with the Shadow logs, a script has been added in /root/ngrep_pat_search.pl to look for strings, HEX data or keywords using the Shadow logs as source data, as long as the snaplen is long enough.
- This is a minor upgrade of tcpdump from version 3.7.1 to 3.7.2 to patch a security flaw in the isakmp parser. See the iDEFENSE security advisory.
- It also includes a minor upgrade of Snort 1.9.0 because of an RPC preprocessor buffer overflow discovered by X-Force. See the X-Force advisory.

Version 2.3 - 9 October 2002

- This is a minor upgrade of Snort to version 1.9.0, released on 3 October 2002.

Version 2.2 - 22 August 2002

- This is a minor upgrade that combines the installation of Shadow and Snort in one image. This installation still offers the possibility to remove either Snort or Shadow, or run both on the same sensor for wider coverage. In order to make Snort more flexible and efficient, I have included oinkmaster by Andreas Östling to provide Snort with automatic signature updates for those who want to use this feature.

Version 2.1 - 3 August 2002

- This is a minor upgrade to correct some vulnerabilities in the following packages:
  - glibc-solibs
  - openssh-3.4p1
  - openssl-0.9.6e
  - openssl-solibs-0.9.6e

Version 2.0 - 14 July 2002

- This is the second major release of Shadow IDS Powered by Slackware. This version is based on Linux kernel 2.4.18 and contains all the latest packages.

Version 1.8 - 19 June 2002

- This version now includes a script that checks whether OpenSSH is running. The script runs from a cron job every 5 minutes and checks the process list for sshd.
- It also contains an updated /root/shadow_save script that is no longer bound to a specific year. The time variable now accounts for the year.

Version 1.7 - 16 Apr 2002

- This is a minor upgrade fixing file permissions in the /etc directory for those who wish to use two NICs and additional accounts.

Version 1.6 - 23 Mar 2002

- This is a minor upgrade for the OpenSSH, OpenSSL, GlibC and Zoneinfo packages. These minor upgrades take into account the recent vulnerabilities in OpenSSH and GlibC.

Version 1.5 - 1 Oct 2001

- This is a minor upgrade to Shadow software version 1.7, released in Sep 2001 by NSWC. The underlying OS has not changed.
- This package also contains the recommended patch by NSWC for tcpdump version 3.6.2 on the SMB/NetBIOS translator and decoding UDP packets on ports 1645-46 and 1812-13.

Version 1.0 - 30 July 2001

- This is a full upgrade based on the Slackware 8.0.0 release. This version is powered by the 2.2.19 Linux kernel.

Version 0.5 - 30 Apr 2001

- This is the first public release of the beta installation of Shadow IDS based on the Slackware 7.1 release.
- It is powered by Slackware Linux version 7.1 with all the security patches up to date at the time of this release.
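The 5-minute cron check for sshd (Version 1.8) and chk-sancp.pl (Version 6.3) are both watchdogs of the same shape: confirm the daemon is alive, restart it if not, and leave a trace for the admin. The POSIX shell script below is an added example and not one of the distribution's own scripts; it checks a daemon by pidfile and restarts it through its rc script, and the pidfile path, the chk-daemon.sh name and the cron line are assumed (the "restart" command on /etc/rc.d/rc.snort is the interface these notes describe).

```shell
#!/bin/sh
# Watchdog in the style of the sshd cron check and chk-sancp.pl.
# All paths below are assumed examples, not the sensor's real layout.

# daemon_running PIDFILE: succeed only if PIDFILE names a live process.
daemon_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    # Refuse pid 0 or 1: "kill -0 0" would probe the whole process group
    # and report success even when the daemon is gone.
    [ -n "$pid" ] && [ "$pid" -gt 1 ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# check_daemon NAME PIDFILE RESTART_CMD: print "running", "restarted" or
# "failed" so a cron run can be audited; returns non-zero only on a
# failed restart. RESTART_CMD is run by sh -c, e.g. "/etc/rc.d/rc.snort restart".
check_daemon() {
    name=$1 pidfile=$2 restart_cmd=$3
    if daemon_running "$pidfile"; then
        echo running
        return 0
    fi
    # Record the restart in syslog when logger is available.
    logger -t chk-daemon "$name is not running, restarting" 2>/dev/null || :
    if sh -c "$restart_cmd" >/dev/null 2>&1; then
        echo restarted
    else
        echo failed
        return 1
    fi
}

# Assumed cron entry, matching the 5-minute interval in the notes:
#   */5 * * * * /usr/local/sbin/chk-daemon.sh
# where chk-daemon.sh sources this file and calls, for example:
#   check_daemon snort /var/run/snort_eth1.pid "/etc/rc.d/rc.snort restart"
```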