#!/usr/bin/bash

clear

# Flag for the eth1 probe further down: it stays 1 until a driver for
# eth1 has been found and enabled, at which point the probe sets it to 0.
CHECK=1
# Epoch seconds, used as a unique suffix on the backup copies this
# installer leaves behind.
MYDATE=$(date +%s)

# Installer banner: what the script will change, where it comes from and
# the licence it is released under.  A quoted here-document keeps the
# text verbatim (no shell expansion, no escape processing).
cat <<'SHADOW_NRT_BANNER'

 ########################################################################
 ########################################################################
 ##                                                                    ##
 ## SHADOW NEAR REAL TIME - Installation Script   v 0.1                ##
 ##                                                                    ##
 ## This is an installation script that will modify system settings    ##
 ## and configure Shadow IDS to send logs in Near Real Time to another ##
 ## loghost via syslog (UDP port 514).                                 ##
 ##                                                                    ##
 ## Written by Jamie French - Oct 2003                                 ####################
 ##                                                                    ####################
 ##                                                                                      ##
 ## http://www.whitehats.ca/main/members/Malik/malik_shadow_nrt/malik_shadow_nrt.html    ##
 ## http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/install_shadow_nrt.sh  ##
 ## http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/sensor_scripts.tgz     ##
 ##                                                                                      ##
 ## Released under the GNU GPL - http://www.gnu.org/copyleft/gpl.html          ############
 ##                                                                            ############
 ##                                                                            ##
 ## This program is free software; you can redistribute it and/or              ##
 ## modify it under the terms of the GNU General Public License                ##
 ## as published by the Free Software Foundation; either version 2             ##
 ## of the License, or (at your option) any later version.                     ##
 ##                                                                            ##
 ## This program is distributed in the hope that it will be useful,            ##
 ## but WITHOUT ANY WARRANTY; without even the implied warranty of             ##
 ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              ##
 ## GNU General Public License for more details.                               ##
 ##                                                                            ##
 ################################################################################
 ################################################################################

SHADOW_NRT_BANNER

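# Everything below rewrites files under /etc/rc.d, /etc/hosts, syslog and
# root's crontab.  Refuse to go on as a non-root user: the original simply
# ran, failed step by step on permissions and left the sensor half done.
if [ "$(id -u)" -ne 0 ]; then
 echo " This installer must be run as root (it edits /etc/rc.d, /etc/hosts, syslog.conf and root's crontab).  Exiting..."
 exit 1
fi

sleep 1
echo "We're shutting down Shadow..."
# Best effort, as in the original: a failing stop script is not fatal (the
# sensor may not be running), but a missing one is worth saying out loud
# because every later step assumes a Shadow install under /usr/local/SHADOW.
if [ -x /usr/local/SHADOW/sensor/stop_logger.pl ]; then
 /usr/local/SHADOW/sensor/stop_logger.pl gmt 2>/dev/null
else
 echo " Warning: /usr/local/SHADOW/sensor/stop_logger.pl not found or not executable - is Shadow installed?"
fi
echo ""
clear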

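echo " Do you want to install Shadow Singular or Parallel (S/P)?"
echo ""
echo "   Singular - Start up Shadow IDS to log in its traditional format and send copies"
echo "              of all these logs to the third party logging and correlation machine."
echo ""
echo "   Parallel - Start another incarnation of Shadow in parallel with the traditional "
echo "              Shadow IDS. The parallel Shadow will only send packets of interest to"
echo "              the third party logging and correlation machine."
echo ""
echo -n "(S)ingular or (P)arallel: ";
read -r WHICH_SHADOW_NRT
echo ""

# Validate the answer before anything is touched.  The original test was
# inverted ("!= S" accepted everything that was not S, "!= P" accepted S),
# so a bad answer sailed through here and was only rejected at the very
# end, after hosts, syslog, firewall and cron had already been rewritten.
# The rest of the script compares against the literal "S" and "P", so a
# lower-case answer is folded to upper case here.
case "$WHICH_SHADOW_NRT" in
 S|s) WHICH_SHADOW_NRT=S ;;
 P|p) WHICH_SHADOW_NRT=P ;;
 *)
  echo " You did not enter a 'S' or a 'P' to choose the mode to install.  Restart the script..."
  exit 1 ;;
esac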



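# Running kernel release and the directory its network driver modules live in.
KERNEL_VER=$(uname -r)
MOD_PATH="/lib/modules/$KERNEL_VER/kernel/drivers/net"
DATE=$(date +%s)
COUNTER=1

# Is a driver already bound to eth1?  "ifconfig -a" prints one header line
# per interface the kernel knows about, starting with the interface name.
if ifconfig -a 2>/dev/null | grep -q '^eth1'; then
 echo "Driver for eth1 is already loaded"
else
  echo " You do not have a driver loaded for eth1!"
  echo -n " Would you like to do a more thorough probe (Y/N): ";
  read -r PROBE
  if [ "$PROBE" = "Y" ]; then
    # Try each network driver module in turn until eth1 shows up, then
    # stop.  The original went on to modprobe every remaining driver after
    # the hit, leaving the sensor with a pile of unneeded modules loaded.
    for foo in "$MOD_PATH"/*.o.gz
     do
      [ -e "$foo" ] || continue     # the glob matched nothing
      MYBASE=$(basename "$foo" .o.gz)
      echo -en "\033[7;44m\033[1;33m$COUNTER\033[3D";
      echo -en "\033[0m";
      COUNTER=$((COUNTER + 1))
      # "2>&1", not "2>1": the original's "2>1" sent stderr to a file
      # literally called "1" in the current directory.
      /sbin/modprobe -q "$MYBASE" >/dev/null 2>&1
      # Give the driver a moment to register its interface before looking.
      # (The original fired a background ping here, which returned at once
      # and so did not actually wait for anything.)
      sleep 1
      if ifconfig -a 2>/dev/null | grep -q '^eth1'; then
       echo -e "Interface ETH1 driver is \033[7;44m\033[0;33m$foo\033[0m";
       echo "Modifying /etc/rc.d/rc.modules to load at boot"
       # Keep a dated copy, then uncomment the matching "#/sbin/modprobe"
       # line.  MYBASE is a module file name from /lib/modules, so it is
       # safe to splice into the sed expression; no "$" anchor because
       # rc.modules lines may carry module options after the name.
       cp -p /etc/rc.d/rc.modules "/etc/rc.d/rc.modules_$DATE"
       sed 's|#/sbin/modprobe '"$MYBASE"'|/sbin/modprobe '"$MYBASE"'|' /etc/rc.d/rc.modules > /etc/rc.d/rc.modules.bak
       mv /etc/rc.d/rc.modules.bak /etc/rc.d/rc.modules
       chmod 755 /etc/rc.d/rc.modules
       CHECK=0
       break
      fi
     done
  fi
fi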




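echo -n " What is the hostname of the central log host you want to write to: ";
read -r LOGHOST
echo ""

# The name is spliced into /etc/hosts, syslog.conf and sed expressions
# that rewrite rc.firewall, so only accept plain hostname characters
# (letters, digits, '.' and '-').  Anything else is either an invalid
# hosts entry or a regex/sed metacharacter injected into a system file.
case "$LOGHOST" in
 ""|*[!A-Za-z0-9.-]*)
  echo " '$LOGHOST' is not a valid hostname (use letters, digits, '.' and '-' only).  Exiting..."
  exit 1 ;;
esac

# Look the name up as a whole word in a name column of a non-comment line.
# The original "grep $LOGHOST" was a substring match anywhere on the line:
# "log" would have matched "loghost2" (or a comment) and silently taken
# that line's address.
LOGHOST_IP=$(awk -v h="$LOGHOST" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' /etc/hosts 2>/dev/null)

if [ -z "$LOGHOST_IP" ] ; then
 echo " Your central log host is not in your /etc/hosts file.  We will add it now."
 echo ""
 echo -n " Enter the IP address of your log host: ";
 read -r LOGHOST_IP
 echo ""
 # Lightweight dotted-quad check (digits and dots, no empty octets): the
 # iptables/ipchains rules written later need an IPv4 address, and an
 # arbitrary string here would otherwise land verbatim in rc.firewall.
 case "$LOGHOST_IP" in
  ""|*[!0-9.]*|.*|*.|*..*)
   echo " '$LOGHOST_IP' is not a valid IPv4 address.  Exiting..."
   exit 1 ;;
 esac
 cp -p /etc/hosts /etc/hosts_shadow_nrt
 echo "$LOGHOST_IP                    $LOGHOST" >> /etc/hosts
fi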


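# Forward the local2 facility to the log host.  Test for the literal
# "@host" action rather than the bare name (the original matched the
# name anywhere, so a comment mentioning the host would have suppressed
# the entry).  Which facility the NRT sensor scripts log to is not
# visible from here; local2 is what the original configured.
if ! grep -qF -- "@$LOGHOST" /etc/syslog.conf 2>/dev/null; then
 echo " Your central log host is not configured in your /etc/syslog.conf file.  We will add it now."
 echo ""
 cp -p /etc/syslog.conf /etc/syslog.conf_shadow_nrt
 # Selector and action are separated by a tab: that is the form every
 # sysklogd release accepts (older ones required it), whereas the
 # original wrote a run of spaces.
 # NOTE: syslog over UDP/514 is unauthenticated plaintext and can be
 # spoofed or dropped on the wire; the sensor's events are only as
 # trustworthy as the network path to the log host.
 printf 'local2.debug\t@%s\n' "$LOGHOST" >> /etc/syslog.conf
fi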

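# "syslogd -r" makes sysklogd *listen* for remote syslog on UDP/514.  It
# is not needed to *send* to the log host (that is the "@host" line in
# syslog.conf), and on a sensor it opens an unauthenticated listener that
# anything on the monitored segment can fill.  The original switched it on
# in both rc.syslog and rc.inet2 while telling the user it enabled
# forwarding; make it an explicit opt-in instead, and say what it does.
echo " NOTE: 'syslogd -r' makes THIS sensor accept syslog messages from the network (UDP 514)."
echo "       It is NOT required for forwarding logs to the central log host."
echo -n " Do you still want to start syslogd with -r on this sensor (Y/N): ";
read -r SYSLOG_R
echo ""
if [ "$SYSLOG_R" = "Y" ]; then
 for rcfile in /etc/rc.d/rc.syslog /etc/rc.d/rc.inet2; do
  [ -f "$rcfile" ] || continue
  if ! grep -q "/usr/sbin/syslogd -r" "$rcfile"; then
   echo " Adding -r to the syslogd invocation in $rcfile."
   cp -p "$rcfile" "${rcfile}_shadow_nrt"
   echo " A backup of the original config was copied to ${rcfile}_shadow_nrt"
   echo ""
   # Copy first so the scratch file inherits the rc script's mode: the
   # original's plain redirect recreated rc.inet2 with the umask default,
   # dropping its execute bit (Slackware's init typically runs rc.* only
   # when they are executable).
   cp -p "$rcfile" "${rcfile}_tmp"
   sed 's|  /usr/sbin/syslogd|  /usr/sbin/syslogd -r|g' "$rcfile" > "${rcfile}_tmp"
   mv "${rcfile}_tmp" "$rcfile"
  fi
 done
fi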

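# This sensor's address, from Slackware's rc.inet1.conf (IPADDR[0]="x.x.x.x").
# Only uncommented assignments count; the original grep also matched
# commented-out examples.
MYIP=$(sed -n 's/^[[:space:]]*IPADDR\[0\]=//p' /etc/rc.d/rc.inet1.conf 2>/dev/null | sed 's/"//g' | head -n 1)
if [ -z "$MYIP" ]; then
 echo " Warning: could not read IPADDR[0] from /etc/rc.d/rc.inet1.conf."
 echo " The outbound syslog rule uses MYIP; check it in /etc/rc.d/rc.firewall afterwards."
 echo ""
fi

# The log host address is written verbatim into rc.firewall; insist on
# digits and dots so a typo cannot become a broken or over-broad rule.
case "$LOGHOST_IP" in
 ""|*[!0-9.]*)
  echo " Log host address '$LOGHOST_IP' is not an IPv4 address; not touching /etc/rc.d/rc.firewall.  Exiting..."
  exit 1 ;;
esac

# Which version of FW are we working with?  Strip the "# Version " prefix.
FW_VERSION1=$(grep "# Version" /etc/rc.d/rc.firewall 2>/dev/null)
FW_VERSION=$(echo "$FW_VERSION1" | sed 's/[a-zA-Z #]\{1,15\}//')
echo " Firewall Version in use is $FW_VERSION"
echo -e " Firewall configuration file is \033[7;44m\033[1;33m/etc/rc.d/rc.firewall\033[0m";
echo ""

# One backup, taken before any branch edits the file.  The dated copy is
# never overwritten, so re-running the installer cannot clobber the
# pristine original; rc.firewall_shadow_nrt keeps the name the original
# script announced (but did not always create).
cp -p /etc/rc.d/rc.firewall "/etc/rc.d/rc.firewall_bak_$MYDATE"
[ -e /etc/rc.d/rc.firewall_shadow_nrt ] || cp -p /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall_shadow_nrt
echo " A backup of the original rc.firewall config was copied to /etc/rc.d/rc.firewall_shadow_nrt"
echo " (and to /etc/rc.d/rc.firewall_bak_$MYDATE)"
echo ""

# Every branch edits through a scratch copy in /etc/rc.d (root-owned, not
# /tmp) that inherits rc.firewall's mode, then moves it into place.
# "cat f | sed ... > f" truncates f before cat has read it, which is how
# the original's 1.0 branch emptied rc.firewall.
FW_TMP=/etc/rc.d/rc.firewall_shadow_nrt_tmp

# fw_edit SED-SCRIPT: rewrite /etc/rc.d/rc.firewall in place with one sed
# script, via FW_TMP.
fw_edit() {
 cp -p /etc/rc.d/rc.firewall "$FW_TMP" && sed "$1" /etc/rc.d/rc.firewall > "$FW_TMP" && mv "$FW_TMP" /etc/rc.d/rc.firewall
}

if [ "$FW_VERSION" = "1.0" ]; then
 echo " We have NOT fully tested version 1.0 modifications yet..."
 echo " You should manually confirm your firewall config afterwards."
 echo ""
 # Point MYIP at this sensor (the original hard-coded 192.168.30.20).
 if [ -n "$MYIP" ]; then
  fw_edit 's|^MYIP=.*|MYIP="'"$MYIP"'"|'
 fi
 # Define the log host under a fixed, shell-safe variable name.  The
 # original used the hostname itself as the variable name, which is not a
 # valid shell identifier once it contains '.' or '-', and wrote
 # "-destination" with a single dash, which is not the iptables spelling.
 # Skip if a previous run already added the rule.
 if ! grep -q 'SHADOW_LOGHOST' /etc/rc.d/rc.firewall; then
  {
   echo ""
   echo "# Central log servers address"
   echo "SHADOW_LOGHOST=\"$LOGHOST_IP\""
   echo "# OUTPUT Table Rules"
   echo "# Allow outbound UDP syslog to central log host"
   echo "iptables -A OUTPUT -s \$MYIP -d \$SHADOW_LOGHOST -p udp --dport 514 -j ACCEPT"
  } >> /etc/rc.d/rc.firewall
 fi
 echo " Watch out - default FW rules for INPUT, OUTPUT, FORWARD are ACCEPT!"
 echo ""
elif [ "$FW_VERSION" = "1.1" ]; then
 echo " We have NOT fully tested version 1.1 modifications yet..."
 echo " You should manually confirm your firewall config afterwards."
 echo ""
 # Strip any earlier copy of the lines appended below so a re-run does
 # not stack duplicates (same filters as the original).
 cp -p /etc/rc.d/rc.firewall "$FW_TMP"
 grep -v "Accept time update" /etc/rc.d/rc.firewall | grep -v "TIMESERVER -p udp" | grep -v "MYDNS -p udp" | grep -v -- "--dport 514 -j ACCEPT" | grep -v "DNS traffic, send syslog" > "$FW_TMP"
 mv "$FW_TMP" /etc/rc.d/rc.firewall
 # Point MYIP at this sensor; leave the file alone if we could not read it
 # (the original would have written an empty MYIP=).
 if [ -n "$MYIP" ]; then
  fw_edit 's|^MYIP=.*|MYIP="'"$MYIP"'"|'
 fi
 {
  echo ""
  echo "# Accept time update, DNS traffic, send syslog"
  echo ""
  echo "iptables -A INPUT -i eth0 -s \$TIMESERVER -p udp --dport 123 -j ACCEPT"
  echo "iptables -A OUTPUT -p udp -s \$MYIP -d $LOGHOST_IP --dport 514 -j ACCEPT"
  echo "iptables -A INPUT -i eth0 -s \$MYDNS -p udp --sport 53 -j ACCEPT"
 } >> /etc/rc.d/rc.firewall
else
 echo " Firewall version is pre 1.0..."
 echo ""
 if ! grep -qF -- "$LOGHOST_IP" /etc/rc.d/rc.firewall; then
  echo " Your IPCHAINS Firewall is not configured to allow logs to be forwarded to the central log host.  We will configure this now."
  echo ""
  # Define the log host next to the LOOPBACK constant - with the real
  # address; the original wrote a placeholder 1.2.3.4/32 - and add the
  # syslog rule in front of the NTP section.  "&" re-emits the matched
  # line, so the original text survives whatever its exact spacing.
  fw_edit 's|LOOPBACK="127\.0\.0\.0/8".*|SHADOW_LOGHOST="'"$LOGHOST_IP"'/32"                 # central log host\
\
&\
|'
  fw_edit 's|    # NTP TIME clients (123)|    # SYSLOG (514)\
    # ----------------------\
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 514 -d $SHADOW_LOGHOST -j ACCEPT \
\
    # ------------------------------------------------------------------\
&|'
 fi
fi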

# Keep pristine copies of the stock Shadow sensor scripts (suffix
# _shadow_nrt) next to the originals, before the NRT versions are unpacked
# over them.
echo " We are making a backup of the current Shadow PERL scripts in the /usr/local/SHADOW/sensor directory."
echo ""
SHADOW_SENSOR_DIR=/usr/local/SHADOW/sensor
for pair in start_logger.pl:start_logger_shadow_nrt.pl \
            stop_logger.pl:stop_logger_shadow_nrt.pl \
            sensor_driver.pl:sensor_driver_shadow_nrt.pl \
            gmt.filter:gmt.filter_shadow_nrt; do
 src="$SHADOW_SENSOR_DIR/${pair%%:*}"
 dst="$SHADOW_SENSOR_DIR/${pair#*:}"
 cp "$src" "$dst"
 echo " Copied $src to $dst"
done
echo ""

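echo " Creating our custom Shadow PERL scripts..."
echo ""

# Locate sensor_scripts.tgz: a copy in the current directory wins (the
# original parsed "ls -l" for it); otherwise search the filesystem,
# skipping /proc, and take the first hit as the original did.
SENSOR_ARCHIVE=""
if [ -f ./sensor_scripts.tgz ]; then
 SENSOR_ARCHIVE=./sensor_scripts.tgz
else
 echo " We could not find the sensor_scripts.tgz file.  We need this.  Searching..."
 echo ""
 SENSOR_ARCHIVE=$(find / -path /proc -prune -o -type f -name sensor_scripts.tgz -print 2>/dev/null | head -n 1)
 if [ -z "$SENSOR_ARCHIVE" ]; then
  echo " You need to copy the the sensor_scripts.tgz file to your system and restart the installation.  We are exiting now..."
  exit 1
 fi
 echo -n " Do you want to use this sensor_scripts.tgz file? $SENSOR_ARCHIVE (Y/N): ";
 read -r SENSOR_PATH_YES
 echo ""
 if [ "$SENSOR_PATH_YES" != "Y" ]; then
  echo " You didn't enter a 'Y' - we are exiting..."
  exit 1
 fi
fi

# The archive is unpacked as root with -C / and its contents become the
# Perl scripts cron runs as root every hour.  Nothing here verifies where
# it came from - a whole-disk search will happily pick up a file someone
# dropped in /tmp - so at least refuse one that is unreadable, has members
# outside /usr/local/SHADOW/sensor/, or contains ".." path components.
# (Members may be listed with or without the leading "/" depending on how
# the archive was built; see the tar note at the end of this file.)
if ! tar tzf "$SENSOR_ARCHIVE" >/dev/null 2>&1; then
 echo " $SENSOR_ARCHIVE is not a readable gzipped tar archive.  Exiting..."
 exit 1
fi
if tar tzf "$SENSOR_ARCHIVE" 2>/dev/null | grep -v '^/\{0,1\}usr/local/SHADOW/sensor/' | grep -q .; then
 echo " $SENSOR_ARCHIVE contains files outside /usr/local/SHADOW/sensor/ - refusing to unpack it.  Exiting..."
 exit 1
fi
if tar tzf "$SENSOR_ARCHIVE" 2>/dev/null | grep -q '\(^\|/\)\.\.\(/\|$\)'; then
 echo " $SENSOR_ARCHIVE contains '..' path components - refusing to unpack it.  Exiting..."
 exit 1
fi
tar xvzf "$SENSOR_ARCHIVE" -C /
echo ""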

#START_LOGGER_S=`(find / -name start_logger_singular.pl)`
#STOP_LOGGER_S=`(find / -name stop_logger_singular.pl)`
#SENSOR_DRIVER_S=`(find / -name sensor_driver_singular.pl)`

#START_LOGGER_P=`(find / -name start_logger_parallel.pl)`
#STOP_LOGGER_P=`(find / -name stop_logger_parallel.pl)`
#SENSOR_DRIVER_P=`(find / -name sensor_driver_parallel.pl)`

#echo "START_LOGGER_S is $START_LOGGER_S"
#echo "STOP_LOGGER_S is $STOP_LOGGER_S"
#echo "SENSOR_DRIVER_S is $SENSOR_DRIVER_S"
#echo "START_LOGGER_S is $START_LOGGER_S"
#echo "STOP_LOGGER_S is $STOP_LOGGER_S"
#echo "SENSOR_DRIVER_S is $SENSOR_DRIVER_S"

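# Root's crontab in the cron spool.  Drop any existing sensor_driver entry
# and rebuild the file; tolerate a missing crontab (grep on a missing file
# would have left an empty, error-message-only rebuild) and keep the spool
# file private to root.
CRON_DIR=/var/spool/cron/crontabs
CRON_TMP=$CRON_DIR/crontab_root
if [ -f "$CRON_DIR/root" ]; then
 grep -v "/usr/local/SHADOW/sensor/sensor_driver" "$CRON_DIR/root" > "$CRON_TMP"
else
 : > "$CRON_TMP"
fi

# install_rc_local_start PATTERN LABEL SCRIPT
#   Rewrite /etc/rc.d/rc.local so SCRIPT is started at boot: lines
#   containing PATTERN (the previous start-up entry) or SCRIPT itself are
#   removed, then the start commands are appended at the end, i.e. after
#   whatever rc.local already does (the original spliced them into every
#   line mentioning rc.firewall, and added nothing at all when rc.local
#   never mentioned it).  The scratch file is created with mktemp inside
#   /etc/rc.d: the original truncated a predictable /tmp/rc.local_tmp as
#   root and then, in Singular mode, read back a *different* file
#   (/etc/rc.d/rc.local_tmp), overwriting rc.local with its contents.
install_rc_local_start() {
 pattern=$1
 label=$2
 script=$3
 rc_tmp=$(mktemp /etc/rc.d/rc.local_tmp.XXXXXX 2>/dev/null) || rc_tmp=/etc/rc.d/rc.local_shadow_nrt_tmp
 cp -p /etc/rc.d/rc.local /etc/rc.d/rc.local_shadow_nrt_bak
 grep -vF -- "$pattern" /etc/rc.d/rc.local | grep -vF -- "$script" > "$rc_tmp"
 # Writing into the existing rc.local keeps its mode; the chmod is belt
 # and braces, as in the original.  If your rc.local ends with an
 # explicit "exit", move these lines above it.
 {
  cat "$rc_tmp"
  echo ""
  echo "echo \"Starting Shadow $label...\""
  echo "$script gmt"
 } > /etc/rc.d/rc.local
 rm -f "$rc_tmp"
 chmod u+x /etc/rc.d/rc.local
}

if [ "$WHICH_SHADOW_NRT" = "S" ]; then
 echo " You need to edit your /usr/local/SHADOW/sensor/singular.filter file involked with Shadow Singular"
 echo " We've copied your gmt.filter to singular.filter for a base to edit..."
 echo -e " If you don't edit this and \033[7;44m\033[1;33mdrop logging of UDP 514\033[0m traffic you may have an infinite loop created...";
 cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/singular.filter
 echo "0 * * * * /usr/local/SHADOW/sensor/sensor_driver_singular.pl gmt&" >> "$CRON_TMP"
 echo " We have modified cron to start Shadow IDS in SINGULAR mode."
 echo ""
 mv "$CRON_TMP" "$CRON_DIR/root"
 chmod 600 "$CRON_DIR/root"
 # Singular replaces the traditional sensor, so the stock start_logger
 # line goes away.
 install_rc_local_start "start_logger" "Singular" /usr/local/SHADOW/sensor/start_logger_singular.pl
elif [ "$WHICH_SHADOW_NRT" = "P" ]; then
 echo " You need to edit your /usr/local/SHADOW/sensor/parallel.filter file involked with Shadow Parallel"
 echo " We've copied your gmt.filter to parallel.filter for a base to edit..."
 echo -e " If you don't edit this and \033[7;44m\033[1;33mdrop logging of UDP 514\033[0m traffic you may have an infinite loop created...";
 cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/parallel.filter
 echo "0 * * * * /usr/local/SHADOW/sensor/sensor_driver.pl gmt&" >> "$CRON_TMP"
 echo " We have modified cron to start Shadow IDS in PARALLEL mode."
 echo ""
 mv "$CRON_TMP" "$CRON_DIR/root"
 chmod 600 "$CRON_DIR/root"
 # Parallel runs alongside the traditional sensor; the original removed
 # only "sensor_driver" lines from rc.local here, and so do we.
 install_rc_local_start "sensor_driver" "Parallel" /usr/local/SHADOW/sensor/start_logger_parallel.pl
else
 echo " We are not sure which mode you want to use.  The WHICH_SHADOW_NRT variable was not an 'S' or a 'P'.  We are exiting."
 rm -f "$CRON_TMP"
 exit 1
fi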

# Nudge only: a stock lilo.conf with the default 1200 (120 s) boot timeout
# is worth shortening on an unattended sensor, but the edit is left to the
# admin.  Only the first matching line's value is examined.
LILO_TIMEOUT=$(grep "timeout = 1200" /etc/lilo.conf 2>/dev/null | head -n 1 | awk '{print $3}')
if [ "$LILO_TIMEOUT" = "1200" ]; then
 printf '%s\n' " Looks like you're /etc/lilo.conf could use some tweaking to improve your"
 printf '%s\n' " boot timeout and possibly your video modes.  Edit the file manually."
 printf '\n'
fi

printf '%s\n' " Congratulations.  Installation is complete.  Reboot your sensor for the changes to take affect."
printf '%s\n' " DONE!"
exit 0

# tar cvfzP sensor_scripts.tgz /usr/local/SHADOW/sensor/singular.filter /usr/local/SHADOW/sensor/parallel.filter /usr/local/SHADOW/sensor/sensor_driver_singular.pl /usr/local/SHADOW/sensor/sensor_driver_parallel.pl /usr/local/SHADOW/sensor/start_logger_singular.pl /usr/local/SHADOW/sensor/stop_logger_singular.pl /usr/local/SHADOW/sensor/start_logger_parallel.pl /usr/local/SHADOW/sensor/stop_logger_parallel.pl

