Shadow Near Real Time v0.1 (ALPHA) - Forwarding Mod

malik@whitehats.ca

Background:

Shadow IDS released and maintained by the Naval Surface Warfare Center is considered to be a pioneering product in the field of Intrusion Detection. Its roots are entrenched in a time period when there was a general overall lack of tools that could handle and process large volumes of events in near real time. Fundamentally, when it was created its purpose was to facilitate post analysis whereby the person(s) responsible for monitoring a network or even simply for administering a network could go back to the logs created by Shadow IDS and replay them looking for clues or evidence to support their analysis.

As the field of Infosec and IDS in particular has advanced, a shift has occurred whereby analysts are more focused on the operational nature of monitoring networks and reducing the exposure time that events of interest (EOI's) go undetected. By reducing reaction times and detecting events in near real time the overall impact is often lowered. Shadow IDS has not kept up with this changing climate, maintaining its original purpose as a post analysis tool.

Shadow IDS and accompanying analysis tools are primarily a collection of PERL scripts and BPF filters used with tcpdump as an underlying packet capture engine.

Shadow NRT:

By modifying the commands within these PERL scripts we can give analysts more precisely targeted information in near real time, in part through the use of BPF filters. The resulting logs can then be forwarded to a third party log correlation tool for further analysis.

Documentation and configuration information is available from the NSWC website.

The Shadow NRT modifications discussed within this document are targeted specifically at a distribution of NSWC's Shadow IDS on Slackware Linux. This distribution is maintained by Guy Bruneau aka 'seeker'. More specific configuration information on the Shadow IDS on Slackware Linux distribution is available at:

http://www.whitehats.ca/main/members/Seeker/seeker_shadow_IDS/seeker_shadow_ids.html.

Shadow NRT modification assumes the reader has installed Shadow IDS from the image at:

http://www.whitehats.ca/downloads/ids/shadow-slack/shadow.iso

Two Approaches:

  1. Singular - Start up Shadow IDS to log in its traditional format and send copies of all these logs to the third party logging and correlation machine. This will send a copy of every packet to the third party correlation device as well as log to local files in the traditional Shadow style. This method only uses one BPF filter and the log files are not compressed until hourly cut-offs are reached.

  2. Parallel - Start another incarnation of Shadow in parallel with the traditional Shadow IDS to only send packets of interest to the third party logging and correlation machine separately from the original Shadow incarnation. This will send fewer packets, specified by the parallel BPF filter.

We will address both approaches in greater detail below.

The Simple Method:

I have prepared an installation and configuration script that will automate almost all of the steps required to get Shadow NRT working for you. The files included are only intended for use with Shadow IDS on Slackware Linux. You are strongly urged to back up any critical files before attempting to apply this sensor modification. The install script and support files are available at http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/. Alternately, you can configure your sensor manually by following the instructions further down in this document. To use the simple method:

  1. Download the install_shadow_nrt.sh script and the sensor_scripts.tgz file and place them in your /tmp directory.

       http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/install_shadow_nrt.sh
       http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/sensor_scripts.tgz

  2. As the root user on your Shadow sensor, do the following.
  3. cd /tmp
  4. chmod 744 install_shadow_nrt.sh
  5. ./install_shadow_nrt.sh
  6. Follow the prompts on screen and answer the questions when asked. There are a few configuration tweaks built into the script too: it edits the rc.firewall script, looks at your lilo.conf, and will try to probe for more network drivers for you in a search for 'eth1'.
  7. If you're not using an Out of Band network for management and log forwarding you'll need to modify the appropriate filter (singular.filter or parallel.filter) so that it stops logging the UDP syslog messages sent by your Shadow sensor.
  8. While rebooting your system isn't absolutely necessary, the install script may have left your system in an inoperable state while making changes. The simplest way to ensure your system is working properly and can init properly from a power cycle or reboot is to reboot it and see. Do this now.
  9. Enable the 3rd party device or your central log server to accept syslog from your Shadow sensor.
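Step 7 matters more than it looks: if the capture filter also matches the sensor's own UDP 514 stream to the log host, every forwarded line is captured and forwarded again. The following is an added example, not part of Shadow NRT or the install script; it wraps a BPF filter file in a guard clause that excludes syslog to the log host and reports whether a file already carries that guard. The filter files, the log host address 10.0.0.1 and the $TMPDIR location are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of Shadow NRT): guard a Shadow BPF filter file so the
# sensor's own UDP 514 syslog stream to the log host can never be captured and
# forwarded again.  Constructed filter files live under $TMPDIR (or /tmp).

# Print the filter expression from FILE with the syslog guard appended.
# Usage: nrt_guard_filter FILTER_FILE LOGHOST_IP
nrt_guard_filter() {
    base=$(tr '\n\t' '  ' < "$1" | sed 's/  */ /g; s/^ //; s/ $//')
    guard="not (udp and dst host $2 and dst port 514)"
    case "$base" in
        *"$guard"*) printf '%s\n' "$base" ;;          # already guarded: leave untouched
        "")         printf '%s\n' "$guard" ;;         # empty filter: the guard alone
        *)          printf '(%s) and %s\n' "$base" "$guard" ;;
    esac
}

# Exit 0 when FILE already carries a guard for LOGHOST_IP, 1 otherwise.
nrt_filter_is_guarded() {
    grep -q "not (udp and dst host $2 and dst port 514)" "$1"
}

NRT_DIR=${TMPDIR:-/tmp}
NRT_FILTER_RAW=$NRT_DIR/nrt_parallel.filter         # constructed: unguarded filter
NRT_FILTER_GUARDED=$NRT_DIR/nrt_parallel_ok.filter  # constructed: already guarded
printf '%s\n' 'tcp and not net 192.168.0.0/16' > "$NRT_FILTER_RAW"
nrt_guard_filter "$NRT_FILTER_RAW" 10.0.0.1 > "$NRT_FILTER_GUARDED"

for f in "$NRT_FILTER_RAW" "$NRT_FILTER_GUARDED"; do
    if nrt_filter_is_guarded "$f" 10.0.0.1; then echo "$f: guarded"; else echo "$f: NOT guarded"; fi
    echo "  -> $(nrt_guard_filter "$f" 10.0.0.1)"
done
```

Running nrt_guard_filter on singular.filter or parallel.filter and writing the result back is idempotent, so it can sit in a post-install check without stacking guards on each run.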

The Manual Method:

Below are instructions on how to configure your Shadow sensor manually. If you've installed Shadow IDS from a source other than Seeker's Shadow IDS on Slackware Linux, your paths and file locations may differ, but generally you should be able to follow the directions below and configure Shadow NRT manually.

How to configure Common Syslog Forwarding:

A certain amount of pre-configuration is required. I've chosen to use syslogd to forward logs, which requires setting up syslogd to forward to a central logging facility. You could modify this to use any forwarding mechanism that suits your purposes (e.g. stunnel, SNMP, etc.); for this document, however, we'll proceed with configuration specific to syslogd. This configuration should remain the same for either approach listed above, so you only need to do it once, after which either method can forward via syslog. I chose syslog because it is UDP based, with low processing overhead and bandwidth requirements, and syslogd is well supported by 3rd party vendors as a logging mechanism.

  1. Edit your syslog.conf file and add an entry 'local2.debug @correlationbox'. Make sure you are not already logging facility local2 somewhere else.
  2. Edit your /etc/hosts file and add an entry for correlationbox such as '10.0.0.1 correlationbox', where the IP address is your correlationbox's IP. If correlationbox resolves by DNS or other means this isn't required, but it is recommended anyway.
  3. Configure the remote server to accept logs from your Shadow sensor.
  4. Edit /etc/rc.d/rc.syslog and add the -r option to syslogd for when it starts. Do the same for /etc/rc.d/rc.inet2. The entry should read echo -n " /usr/sbin/syslogd -r"
  5. Restart the syslog daemon to implement the changes (e.g. /etc/rc.d/rc.syslog restart)
  6. You may have to edit FW/filtering devices to allow outbound UDP 514 from the Shadow IDS to the correlationbox. If you're not doing egress filtering you probably don't have to worry about this; however, egress filtering is always recommended and output chain policies should in most cases be configured to DENY.
  7. Add the outbound syslog rule to the sensor's own firewall script:

     For IPCHAINS
       Edit /etc/rc.d/rc.firewall and add the following under the line "# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.":

         correlationbox="10.0.0.1" # Central Syslog Server or Correlation System

       Edit /etc/rc.d/rc.firewall and add the following in the UDP section:

         # SYSLOG (514)
         # ----------------------
         ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 514 -d $correlationbox -j ACCEPT

     For IPTABLES
       Edit /etc/rc.d/rc.firewall and add the following under the line "# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.":

         LOGHOST_IP="10.0.0.1" # Central Syslog Server or Correlation System

       Edit /etc/rc.d/rc.firewall and add the following in the UDP section:

         iptables -A OUTPUT -p udp -s $MYIP -d $LOGHOST_IP --dport 514 -j ACCEPT

  8. Double check your syslog.conf settings and make sure your /var/log/messages file isn't growing at an astronomical rate. If it is, check your syslog settings to ensure you're only writing to the remote syslog server/correlation device and not both locally and remotely at the same time (unless you prefer to do so as well; however, I don't recommend this for performance reasons).
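Step 8 is easy to get wrong because a catch-all selector such as '*.=debug' quietly picks up facility local2 as well. The following is an added example, not part of Shadow NRT: it reads a sysklogd-style syslog.conf, lists every action that would receive a local2.debug message, and gives a verdict (none, ok, or local). The two configuration files are constructed samples written under $TMPDIR; the selector semantics modelled (facility list, '=' exact match, 'none' and '!' exclusions, later entries overriding earlier ones) are those of sysklogd.

```shell
#!/bin/sh
# Added example (not from Shadow NRT): list where a local2.debug message would
# land according to a sysklogd-style syslog.conf, to catch the "written locally
# as well as forwarded" case the steps above warn about.  The configs are
# constructed samples written under $TMPDIR (or /tmp).

# Print every action (file or @host) that would receive local2.debug.
# Selector rules as modelled here: "facs.pri" entries joined by ';', facs is
# '*' or a comma list; "pri" matches pri and above, "=pri" matches only pri,
# "none" or "!..." excludes; later entries override earlier ones.
local2_debug_sinks() {
    awk '
    function pri_matches(p) {
        # debug is the lowest level, so only these selectors catch it
        return (p == "*" || p == "debug" || p == "=debug")
    }
    NF < 2 || $1 ~ /^#/ { next }
    {
        action = $2
        sub(/^-/, "", action)               # leading "-" only disables fsync
        n = split($1, sels, ";")
        hit = 0
        for (i = 1; i <= n; i++) {
            dot = index(sels[i], ".")
            if (dot == 0) continue
            facs = substr(sels[i], 1, dot - 1)
            pri  = substr(sels[i], dot + 1)
            if (facs != "*" && index("," facs ",", ",local2,") == 0) continue
            if (pri == "none" || substr(pri, 1, 1) == "!") { hit = 0; continue }
            hit = pri_matches(pri)
        }
        if (hit) print action
    }' "$1"
}

# Verdict for a syslog.conf: "none" (not forwarded), "ok" (remote hosts only),
# "local" (at least one local file also receives the NRT stream).
check_local2() {
    sinks=$(local2_debug_sinks "$1")
    if [ -z "$sinks" ]; then
        echo none
    elif printf '%s\n' "$sinks" | grep -q '^[^@]'; then
        echo local
    else
        echo ok
    fi
}

NRT_DIR=${TMPDIR:-/tmp}
SYSLOG_BEFORE=$NRT_DIR/nrt_syslog_before.conf
SYSLOG_AFTER=$NRT_DIR/nrt_syslog_after.conf
# Constructed: a stock-looking layout plus the forwarding line from step 1.
printf '%s\n' \
  '*.info;mail.none;authpriv.none;cron.none  -/var/log/messages' \
  '*.=debug  -/var/log/debug' \
  'local2.debug  @correlationbox' > "$SYSLOG_BEFORE"
# Constructed: the same, with local2 excluded from the local debug file.
printf '%s\n' \
  '*.info;mail.none;authpriv.none;cron.none  -/var/log/messages' \
  '*.=debug;local2.none  -/var/log/debug' \
  'local2.debug  @correlationbox' > "$SYSLOG_AFTER"

for f in "$SYSLOG_BEFORE" "$SYSLOG_AFTER"; do
    echo "$f: $(check_local2 "$f") [$(local2_debug_sinks "$f" | tr '\n' ' ')]"
done
```

One caveat on step 4 for anyone auditing the sensor afterwards: on sysklogd the -r switch enables reception of syslog from the network on UDP 514, so the sensor ends up with a listening port on its management interface; the '@correlationbox' action is what does the forwarding. Check with netstat that nothing other than the intended hosts can reach that port.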

Singular Shadow NRT:

Some people may wish to forward a copy of every packet (in ASCII) to their correlationbox in addition to keeping a local copy of the RAW pcap logs for reference and replay in the future. This creates a lot of extra overhead when you consider how busy some Shadow IDS boxes are; how much will depend on your sensor's deployment location, the amount of traffic on the segment, and the filter Shadow IDS is started with. In reality the true benefit of this Shadow IDS setup is to copy all traffic picked up by Shadow IDS to a third party correlation engine. It is presumed that this third party engine will write incoming events into a relational database, breaking up fields in the incoming events into more useful chunks of information that can then be analyzed with greater effectiveness. It is at the third party device that management of what is written or not written will occur, leaving management of the actual sensor itself as less of a priority, where analysts might not even have access to start or stop processes on the sensor.

So, how do we accomplish this? We again modify a few of the Shadow IDS PERL scripts. We tell Shadow IDS to write a local log file just as before but to also re-read this file as it is being written and forward new events off in ASCII format to the syslog facility configured in the previous Common Syslog Forwarding section. We then leave it up to syslogd to forward the events onwards to our correlationbox.

  1. Make a copy of your start_logger.pl script as a backup (/usr/local/SHADOW/sensor/start_logger.pl)
  2. Make a copy of your stop_logger.pl script as a backup (/usr/local/SHADOW/sensor/stop_logger.pl)
  3. Make a copy of your sensor_driver.pl script as a backup (/usr/local/SHADOW/sensor/sensor_driver.pl)
  4. Copy the attached file to /usr/local/SHADOW/sensor/start_logger_singular.pl
  5. Copy the attached file to /usr/local/SHADOW/sensor/stop_logger_singular.pl
  6. Copy the attached file to /usr/local/SHADOW/sensor/sensor_driver_singular.pl
  7. Edit /etc/rc.d/rc.local and change the line that reads:

       /usr/local/SHADOW/sensor/start_logger.pl gmt

     to read

       /usr/local/SHADOW/sensor/start_logger_singular.pl GMT

  8. Edit root's crontab by typing crontab -e (using vi) at the command prompt. Make a note of the command below so you can change it back should you need to. Then edit:

       0 * * * * /usr/local/SHADOW/sensor/sensor_driver.pl GMT> /dev/null 2>1&

     to read

       0 * * * * /usr/local/SHADOW/sensor/sensor_driver_singular.pl GMT&

  9. Reboot the Shadow IDS to effect the changes, or
  10. Double check your syslog.conf settings and make sure your /var/log/messages file isn't growing at an astronomical rate (i.e. syslogd writing a copy to this file as well)
  11. Type ps -ef at a command prompt and see if the original Shadow IDS and your new version are both running. The process will be tcpdump. Processes running from start_logger_singular.pl should look similar to the listing below:

       root 2287 1 0 10:00 ? 00:00:00 /usr/sbin/tcpdump -i eth1 -l -s 150 -w - -F /usr/local/SHADOW/sensor/singular.filter
       root 2288 1 0 10:00 ? 00:00:00 tail -f /LOG/RAW/gmt/tcp.2003093010
       root 2289 1 0 10:00 ? 00:00:00 tcpdump -r - -nv
       root 2290 1 0 10:00 ? 00:00:00 logger -p local2.debug -t SHADOW_S

  12. You can also execute more /LOG/RAW/gmt/gmt.pid2 to confirm that the number listed matches the PID of the tcpdump process collecting events for forwarding.
  13. Check the correlationbox to make sure it is receiving logs

Parallel Shadow NRT:

Quite simply, I edited the start_logger.pl and stop_logger.pl script and directed this parallel instance of Shadow IDS to only forward logs to another host. This approach allows for the analyst to specify a different filter than the original instance of Shadow IDS thereby limiting what is forwarded over the network. This is great for capturing only certain EOI's as defined by the analyst limited only by what can be done within Berkeley Packet Filters (BPF Filters). The process is handled (albeit in a crude manner) separately from the original instance of Shadow IDS.

Executing the stop_logger_parallel.pl script will stop the process and subsequently any forwarding of logs. This is a process that will not stop and start on hourly intervals and is meant to be started by an analyst and then turned off when they no longer need to cover the Events for which this instance of Shadow IDS was started to protect. As you can see, this is not really a solid implementation of Shadow IDS but rather just reuse of a Shadow IDS script to start up tcpdump for the analyst and forward it to another location. The mechanism I've implemented for forwarding isn't extremely efficient and could be improved upon. If you've got suggestions or want to help send an email to malik at whitehats.ca.

  1. Make a backup copy of your start_logger.pl script (/usr/local/SHADOW/sensor/start_logger.pl)
  2. Make a backup copy of your stop_logger.pl script (/usr/local/SHADOW/sensor/stop_logger.pl)
  3. Make a backup copy of your sensor_driver.pl script (/usr/local/SHADOW/sensor/sensor_driver.pl)
  4. Make a backup copy of your gmt.filter file (/usr/local/SHADOW/sensor/gmt.filter)
  5. Untar the sensor_scripts.tgz file you downloaded earlier (tar xvfz /tmp/sensor_scripts.tgz)
  6. Make sure the file start_logger_parallel.pl exists (/usr/local/SHADOW/sensor/start_logger_parallel.pl)
  7. Make sure the file stop_logger_parallel.pl exists (/usr/local/SHADOW/sensor/stop_logger_parallel.pl)
  8. Make sure the file sensor_driver_parallel.pl exists (/usr/local/SHADOW/sensor/sensor_driver_parallel.pl)
  9. Copy gmt.filter to /usr/local/SHADOW/sensor/parallel.filter
  10. Edit the parallel.filter file and incorporate the BPF filter you wish to use with this instance of Shadow.
  11. Reboot the Shadow IDS (you don't have to reboot the box, since you can flush your firewall rules manually; however, in the interest of not locking yourself out of a production sensor I suggest rebooting).
  12. Double check your syslog.conf settings and make sure your /var/log/messages file isn't growing at an astronomical rate, with syslogd writing a copy to this file as well.
  13. Start the Shadow process (i.e. /usr/local/SHADOW/sensor/start_logger_parallel.pl GMT&)
  14. Type ps -ef at a command prompt and see if the original Shadow IDS and your new version are both running. The process will be tcpdump. Processes running from start_logger_parallel.pl should look similar to the listing below:

       root 919 1 0 Sep29 ? 00:00:00 /usr/sbin/tcpdump -i eth1 -l -s 150 -w - -F /usr/local/SHADOW/sensor/parallel.filter
       root 920 1 0 Sep29 ? 00:00:00 tcpdump -r - -nv
       root 921 1 0 Sep29 ? 00:00:01 logger -p local2.debug -t SHADOW_P


As a side note, you could start this process externally from Shadow right from the command line by typing:

/path/to/tcpdump -i eth1 -l -s 150 -w - -F /usr/local/SHADOW/sensor/my.filter | /path/to/tcpdump -l -r - -nv | logger -p local2.debug -t SHADOW_P &

To stop the process you can run /usr/local/SHADOW/sensor/stop_logger_parallel.pl GMT&

No extra files will be created on the drive so you'll have to use the correlationbox to review the logs received. The logs will be in ASCII format and the output will depend upon the switches used when starting up the forwarder process. For instance, if you want more verbose output you would start the process with -nvv instead of -nv as listed above; to include a date and time stamp you might start it with -nvv -tttt. Remember that if you're building correlation rules that do post processing on the correlation box, changing the output will very likely break your existing rules, since the output format will have changed. It is recommended that you pick a format that fulfills your requirements today and into the future and stick with it.
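To make the "pick a format and stick with it" advice concrete, here is an added example (not part of Shadow NRT, and not the correlation box's own code) of the field splitting the correlation side has to do: it turns forwarded SHADOW_S/SHADOW_P syslog lines into time,src,sport,dst,dport records. It relies only on the "src.port > dst.port:" convention of tcpdump's text output and accepts both the plain -nv timestamp and the -tttt date-prefixed one; the sample lines, host name shadow1 and addresses are constructed in the style of tcpdump output of the period.

```shell
#!/bin/sh
# Added example (not part of Shadow NRT): split forwarded SHADOW_S/SHADOW_P
# syslog lines into "time,src,sport,dst,dport" records, the field splitting
# the article expects the correlation box to do.  Only the "src.port > dst.port:"
# convention of tcpdump text output is assumed; both the -nv timestamp and the
# -tttt date-prefixed timestamp are handled.  Sample lines are constructed.

nrt_split_events() {
    awk '
    # "10.1.1.5.33445" -> "10.1.1.5,33445"; a bare address (ICMP) -> "10.1.1.5,"
    function host_port(hp,   n, p) {
        n = split(hp, p, ".")
        if (n == 5) return p[1] "." p[2] "." p[3] "." p[4] "," p[5]
        return hp ","
    }
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^SHADOW_[SP](\[[0-9]+\])?:$/) break
        if (i > NF) next                      # not a forwarded Shadow line
        ts = $(i + 1); j = i + 2
        if (ts ~ /^[0-9][0-9][0-9][0-9]-/) {  # -tttt: "YYYY-MM-DD HH:MM:SS.us"
            ts = ts " " $(j); j++
        }
        for (k = j; k < NF; k++) if ($k == ">") break
        if (k >= NF) next                     # no "src > dst" pair on this line
        src = $(k - 1); dst = $(k + 1); sub(/:$/, "", dst)
        print ts "," host_port(src) "," host_port(dst)
    }' "$1"
}

NRT_SAMPLE=${TMPDIR:-/tmp}/nrt_forwarded_sample.log
# Constructed lines as they would arrive at the correlationbox: two from a
# parallel forwarder started with -nv, one unrelated syslog line, and one from
# a singular forwarder started with -nvv -tttt.
printf '%s\n' \
  'Sep 30 10:00:01 shadow1 SHADOW_P: 10:00:01.123456 10.1.1.5.33445 > 10.2.2.9.80: S 1:1(0) win 5840 <mss 1460> (DF) (ttl 64, id 1, len 60)' \
  'Sep 30 10:00:02 shadow1 SHADOW_P: 10:00:02.000001 10.1.1.5 > 10.2.2.9: icmp: echo request (ttl 64, id 2, len 84)' \
  'Sep 30 10:00:03 shadow1 sshd[912]: Accepted publickey for analyst from 10.0.0.7' \
  'Sep 30 10:00:04 shadow1 SHADOW_S: 2003-09-30 10:00:04.500000 10.2.2.9.80 > 10.1.1.5.33445: S 7:7(0) ack 2 win 5792 (DF) (ttl 63, id 0, len 60)' \
  > "$NRT_SAMPLE"

nrt_split_events "$NRT_SAMPLE"
```

The first field shows why the format choice is sticky: a rule written against the -nv timestamp gets a different first column once -tttt is added, and the splitter has to know about both. Lines without the SHADOW tag or without a "src > dst" pair are dropped rather than producing half-filled records.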

Changes to Original Shadow Files:

Many lines that handle the processes started by Shadow IDS were commented out.

The sensor_driver_singular.pl and sensor_driver_parallel.pl scripts are used for each respective mode with the main change being each calls the respectively named start_logger and stop_logger PERL scripts.

To stop the process you can run /usr/local/SHADOW/sensor/stop_logger_singular.pl GMT&

Included below is a shell script I've created to install the Shadow Near Real Time modification on 'Shadow IDS on Slackware Linux (versions 3.0 through 4.1)'. There is no uninstall script at this time; however, it isn't difficult to follow the above documentation and reverse all the changes made if you decide not to use Shadow NRT at a later date. Also, I have not had any user feedback on this so far as I'm the only one I know using it. I'd also consider it to be Alpha, so if you run into problems send me a brief description of what occurred and what you think happened and I'll see if I can figure out the issue and correct it.

Happy correlating with Shadow NRT!

###################################################################################

install_shadow_nrt.sh

#!/usr/bin/bash

clear

CHECK=1
MYDATE=(`date +%s`)

echo ""
echo " ########################################################################"
echo " ########################################################################"
echo " ##                                                                    ##"
echo " ## SHADOW NEAR REAL TIME - Installation Script   v 0.1                ##"
echo " ##                                                                    ##"
echo " ## This is an installation script that will modify system settings    ##"
echo " ## and configure Shadow IDS to send logs in Near Real Time to another ##"
echo " ## loghost via syslog (UDP port 514).                                 ##"
echo " ##                                                                    ##"
echo " ## Written by Jamie French - Oct 2003                                 ####################"
echo " ##                                                                    ####################"
echo " ##                                                                                      ##"
echo " ## http://www.whitehats.ca/main/members/Malik/malik_shadow_nrt/malik_shadow_nrt.html    ##"
echo " ## http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/install_shadow_nrt.sh  ##"
echo " ## http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/sensor_scripts.tgz     ##"
echo " ##                                                                                      ##"
echo " ## Released under the GNU GPL - http://www.gnu.org/copyleft/gpl.html          ############"
echo " ##                                                                            ############"
echo " ## This program is free software; you can redistribute it and/or              ##"
echo " ## modify it under the terms of the GNU General Public License                ##"
echo " ## as published by the Free Software Foundation; either version 2             ##"
echo " ## of the License, or (at your option) any later version.                     ##"
echo " ##                                                                            ##"
echo " ## This program is distributed in the hope that it will be useful,            ##"
echo " ## but WITHOUT ANY WARRANTY; without even the implied warranty of             ##"
echo " ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              ##"
echo " ## GNU General Public License for more details.                               ##"
echo " ##                                                                            ##" 
echo " ################################################################################"
echo " ################################################################################"
echo ""

sleep 1
echo "We're shutting down Shadow..."
/usr/local/SHADOW/sensor/stop_logger.pl gmt 2>/dev/null 
echo ""
clear

echo " Do you want to install Shadow Singular or Parallel (S/P)?"
echo ""
echo "   Singular - Start up Shadow IDS to log in its traditional format and send copies"
echo "              of all these logs to the third party logging and correlation machine."
echo ""
echo "   Parallel - Start another incarnation of Shadow in parallel with the traditional "
echo "              Shadow IDS. The parallel Shadow will only send packets of interest to"
echo "              the third party logging and correlation machine."
echo ""
echo -n "(S)ingular or (P)arallel: ";
read WHICH_SHADOW_NRT
echo ""

# Accept only an explicit S or P; anything else aborts before any file is touched.
if [ "$WHICH_SHADOW_NRT" != "S" ] && [ "$WHICH_SHADOW_NRT" != "P" ]; then
 echo " You did not enter an 'S' or a 'P' to choose the mode to install.  Restart the script..."
 exit 1
fi



KERNEL_VER=(`uname -a | awk '{print $3}'`)
MOD_PATH="/lib/modules/$KERNEL_VER/kernel/drivers/net"
DATE=(`date +%s`)
COUNTER=1

ETH1_EXISTS2=(`ifconfig -a | grep eth1`)
if [ -n "$ETH1_EXISTS2" ]; then
 echo "Driver for eth1 is already loaded" 
else 
  echo " You do not have a driver loaded for eth1!"
  echo -n " Would you like to do a more thorough probe (Y/N): ";
  read PROBE
  if [ "$PROBE" == "Y" ];
  then
    for foo in /lib/modules/$KERNEL_VER/kernel/drivers/net/*.o.gz
     do 
      MYBASE=(`basename $foo .o.gz`)
      echo -en "\033[7;44m\033[1;33m$COUNTER\033[3D";
      echo -en "\033[0m";
      COUNTER=$(($COUNTER + 1))
      /sbin/modprobe -q $MYBASE 2>/dev/null
      sleep 2   # give the driver a moment to register the interface before checking
      ETH1_EXISTS=(`ifconfig -a | grep eth1`)
      if [ -n "$ETH1_EXISTS" ]; then
		echo -e "Interface ETH1 driver is \033[7;44m\033[0;33m$foo\033[0m";
		echo "Modifying /etc/rc.d/rc.modules to load at boot"
		cp /etc/rc.d/rc.modules /etc/rc.d/rc.modules_$DATE
		cat /etc/rc.d/rc.modules | sed 's/#\/sbin\/modprobe '$MYBASE'/\/sbin\/modprobe '$MYBASE'/' > /etc/rc.d/rc.modules.bak
		mv /etc/rc.d/rc.modules.bak /etc/rc.d/rc.modules
		chmod 755 /etc/rc.d/rc.modules
		CHECK=0
		break   # driver found; stop probing further modules
      fi
     done
  fi
fi




echo -n " What is the hostname of the central log host you want to write to: ";
read LOGHOST
echo ""

LOGHOST_EXISTS=`(cat /etc/hosts | grep $LOGHOST)`

if [ -z "$LOGHOST_EXISTS" ] ; then
# echo "LOGHOST_EXISTS is zero length"
 LOGHOST_EXISTS=1
 echo " Your central log host is not in your /etc/hosts file.  We will add it now."
 echo ""
 echo -n " Enter the IP address of your log host: ";
 read LOGHOST_IP
 echo ""
 cp /etc/hosts /etc/hosts_shadow_nrt
 echo "$LOGHOST_IP                    $LOGHOST" >> /etc/hosts
else
 LOGHOST_IP=(`cat /etc/hosts | grep $LOGHOST | awk '{print $1}'`)
fi


LOGHOST_SYSLOG=`(cat /etc/syslog.conf | grep $LOGHOST)`

if [ -z "$LOGHOST_SYSLOG" ]; then
# echo "LOGHOST_SYSLOG is zero length"
 echo " Your central log host is not configured in your /etc/syslog.conf file.  We will add it now."
 echo ""
 echo "local2.debug                               @$LOGHOST" >> /etc/syslog.conf
fi

LOGHOST_SYSLOG_R=`(cat /etc/rc.d/rc.syslog | grep "/usr/sbin/syslogd -r")`

if [ -z "$LOGHOST_SYSLOG_R" ]; then
# echo "LOGHOST_SYSLOG_R is zero length"
 echo " Your syslog daemon is not configured to send logs to a remote central log host.  We will configure this now."
 echo ""
 cp /etc/rc.d/rc.syslog /etc/rc.d/rc.syslog_shadow_nrt
 echo " A backup of the original config was copied to /etc/rc.d/rc.syslog_shadow_nrt"
 echo ""
 cat /etc/rc.d/rc.syslog | sed 's/  \/usr\/sbin\/syslogd/  \/usr\/sbin\/syslogd -r/g' > /etc/rc.d/rc.syslog_tmp
 mv /etc/rc.d/rc.syslog_tmp /etc/rc.d/rc.syslog
 chmod 744 /etc/rc.d/rc.syslog
fi


LOGHOST_SYSLOG_R_INET2=`(cat /etc/rc.d/rc.inet2 | grep "/usr/sbin/syslogd -r")`

if [ -z "$LOGHOST_SYSLOG_R_INET2" ]; then
# echo "LOGHOST_SYSLOG_R_INET2 is zero length"
 echo " Your syslog daemon is not configured to send logs to a remote central log host at system startup.  We will configure this now."
 echo ""
 cp /etc/rc.d/rc.inet2 /etc/rc.d/rc.inet2_shadow_nrt
 echo " A backup of the original config was copied to /etc/rc.d/rc.inet2_shadow_nrt"
 echo ""
 cat /etc/rc.d/rc.inet2 | sed 's/  \/usr\/sbin\/syslogd/  \/usr\/sbin\/syslogd -r/' > /etc/rc.d/rc.inet2_tmp
 mv /etc/rc.d/rc.inet2_tmp /etc/rc.d/rc.inet2
fi

MYIP=(`cat /etc/rc.d/rc.inet1.conf | grep "IPADDR\[0\]" | awk -F= '{print $2}' | sed 's/"//g'`)

# Which version of FW are we working with?
FW_VERSION1=`(grep "# Version" /etc/rc.d/rc.firewall)`
FW_VERSION=`(echo $FW_VERSION1 | sed 's/[a-zA-Z #]\{1,15\}//')`
echo " Firewall Version in use is $FW_VERSION"
echo -e " Firewall configuration file is \033[7;44m\033[1;33m/etc/rc.d/rc.firewall\033[0m";
echo ""
echo " A backup of the original rc.firewall config was copied to /etc/rc.d/rc.firewall_shadow_nrt"
echo ""
if [ "$FW_VERSION" == "1.0" ]; then
 echo " We have NOT fully tested version 1.0 modifications yet..."
 echo " You should manually confirm your firewall config afterwards."
 echo ""
 # Back the script up first and let sed read the backup: redirecting sed's output
 # straight onto rc.firewall would truncate the file before it is read.
 cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall_shadow_nrt
 sed 's/This sensor.s IP address/Central log servers address\
\
'$LOGHOST'="'$LOGHOST_IP'"\
\
# This sensors IP address/' /etc/rc.d/rc.firewall_shadow_nrt > /etc/rc.d/rc.firewall
 echo "" >> /etc/rc.d/rc.firewall
 echo "# OUTPUT Table Rules" >> /etc/rc.d/rc.firewall
 echo "# Allow outbound UDP syslog to central log host" >> /etc/rc.d/rc.firewall
 echo "iptables -A OUTPUT -s \$MYIP -p udp -d \$$LOGHOST --dport 514 -j ACCEPT" >> /etc/rc.d/rc.firewall
 echo " Watch out - default FW rules for INPUT, OUTPUT, FORWARD are ACCEPT!"
 echo ""
elif [ "$FW_VERSION" == "1.1" ]; then
 cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall_bak_$MYDATE
 echo " We have NOT fully tested version 1.1 modifications yet..."
 echo " You should manually confirm your firewall config afterwards."
 echo ""

 # Drop the old time/DNS/syslog rules into a scratch copy; they are re-added below.
 cat /etc/rc.d/rc.firewall | grep -v "Accept time update" | grep -v "TIMESERVER -p udp" | grep -v "MYDNS -p udp" | grep -v "\--dport 514 -j ACCEPT" | grep -v "DNS traffic, send syslog" > /etc/rc.d/rc.firewall2

 sed 's/MYIP=.*/MYIP='$MYIP'/' /etc/rc.d/rc.firewall2 > /etc/rc.d/rc.firewall
 rm -f /etc/rc.d/rc.firewall2

 echo "" >> /etc/rc.d/rc.firewall
 echo "# Accept time update, DNS traffic, send syslog" >> /etc/rc.d/rc.firewall
 echo "" >> /etc/rc.d/rc.firewall
 echo "iptables -A INPUT -i eth0 -s \$TIMESERVER -p udp --dport 123 -j ACCEPT" >> /etc/rc.d/rc.firewall
 echo "iptables -A OUTPUT -p udp -s \$MYIP -d $LOGHOST_IP --dport 514 -j ACCEPT" >> /etc/rc.d/rc.firewall
 echo "iptables -A INPUT -i eth0 -s \$MYDNS -p udp --sport 53 -j ACCEPT" >> /etc/rc.d/rc.firewall
else
 echo " Firewall version is pre 1.0..."
 echo ""


LOGHOST_FW=`(cat /etc/rc.d/rc.firewall | grep $LOGHOST_IP)`

  if [ -z "$LOGHOST_FW" ]; then
#   echo "LOGHOST_FW is zero length"
   echo " Your IPCHAINS Firewall is not configured to allow logs to be forwarded to the central log host.  We will configure this now."
   echo ""
   cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall_shadow_nrt
   echo " A backup of the original config was copied to /etc/rc.d/rc.firewall_shadow_nrt"
   echo ""
   # Insert the log host definition (using the address gathered above) just ahead
   # of the LOOPBACK line so the ipchains rule below can reference it.
   cat /etc/rc.d/rc.firewall | sed 's/LOOPBACK="127.0.0.0\/8"                  # reserved loopback address range/'$LOGHOST'="'$LOGHOST_IP'\/32"                       # central log host\
\
LOOPBACK="127.0.0.0\/8"                  # reserved loopback address range\
/' > /etc/rc.d/rc.firewall_3
 cat /etc/rc.d/rc.firewall_3 | sed 's/    # NTP TIME clients (123)/    # SYSLOG (514)\
    # ----------------------\
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 514 -d $'$LOGHOST' -j ACCEPT \
\
    # ------------------------------------------------------------------\
    # NTP TIME clients (123)/' > /etc/rc.d/rc.firewall
 rm /etc/rc.d/rc.firewall_3
 fi
fi

echo " We are making a backup of the current Shadow PERL scripts in the /usr/local/SHADOW/sensor directory."
echo ""
cp /usr/local/SHADOW/sensor/start_logger.pl /usr/local/SHADOW/sensor/start_logger_shadow_nrt.pl
echo " Copied /usr/local/SHADOW/sensor/start_logger.pl to /usr/local/SHADOW/sensor/start_logger_shadow_nrt.pl"
cp /usr/local/SHADOW/sensor/stop_logger.pl /usr/local/SHADOW/sensor/stop_logger_shadow_nrt.pl
echo " Copied /usr/local/SHADOW/sensor/stop_logger.pl to /usr/local/SHADOW/sensor/stop_logger_shadow_nrt.pl"
cp /usr/local/SHADOW/sensor/sensor_driver.pl /usr/local/SHADOW/sensor/sensor_driver_shadow_nrt.pl
echo " Copied /usr/local/SHADOW/sensor/sensor_driver.pl to /usr/local/SHADOW/sensor/sensor_driver_shadow_nrt.pl"
cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/gmt.filter_shadow_nrt
echo " Copied /usr/local/SHADOW/sensor/gmt.filter to /usr/local/SHADOW/sensor/gmt.filter_shadow_nrt"
echo ""

echo " Creating our custom Shadow PERL scripts..."
echo ""
SENSOR_SCRIPT_PATH=`(ls -l | grep sensor_scripts.tgz)`

if [ -z "$SENSOR_SCRIPT_PATH" ]; then
 echo " We could not find the sensor_scripts.tgz file.  We need this.  Searching..."
 echo ""
 SENSOR_SCRIPT_PATH2=`(find / -name sensor_scripts.tgz)`
# echo "SENSOR_SCRIPT_PATH2 is eq $SENSOR_SCRIPT_PATH2"

 declare -a array1
 array1=( `echo $SENSOR_SCRIPT_PATH2 | tr '\n' ' ' | awk '{print $1}'`)
 SENSOR_SCRIPT_PATH2=${array1[0]}
# echo "SENSOR_SCRIPT_PATH2 array is eq $SENSOR_SCRIPT_PATH2"

 if [ -z "$SENSOR_SCRIPT_PATH2" ]; then
  echo " You need to copy the the sensor_scripts.tgz file to your system and restart the installation.  We are exiting now..."
  exit 1
 else
  echo -n " Do you want to use this sensor_scripts.tgz file? $SENSOR_SCRIPT_PATH2 (Y/N): ";
  read SENSOR_PATH_YES
  echo ""
 fi

 if [ "$SENSOR_PATH_YES" == "Y" ]; then
  tar xvfz $SENSOR_SCRIPT_PATH2 -C /
  echo ""
  TEST=1
 else
  echo " You didn't enter a 'Y' - we are exiting..."
  exit 1
 fi
fi

if [ "$TEST" != 1 ]; then
 tar xvfz ./sensor_scripts.tgz -C /
 echo ""
fi

#START_LOGGER_S=`(find / -name start_logger_singular.pl)`
#STOP_LOGGER_S=`(find / -name stop_logger_singular.pl)`
#SENSOR_DRIVER_S=`(find / -name sensor_driver_singular.pl)`

#START_LOGGER_P=`(find / -name start_logger_parallel.pl)`
#STOP_LOGGER_P=`(find / -name stop_logger_parallel.pl)`
#SENSOR_DRIVER_P=`(find / -name sensor_driver_parallel.pl)`

#echo "START_LOGGER_S is $START_LOGGER_S"
#echo "STOP_LOGGER_S is $STOP_LOGGER_S"
#echo "SENSOR_DRIVER_S is $SENSOR_DRIVER_S"
#echo "START_LOGGER_S is $START_LOGGER_S"
#echo "STOP_LOGGER_S is $STOP_LOGGER_S"
#echo "SENSOR_DRIVER_S is $SENSOR_DRIVER_S"

grep -v "/usr/local/SHADOW/sensor/sensor_driver" /var/spool/cron/crontabs/root > /var/spool/cron/crontabs/crontab_root

if [ "$WHICH_SHADOW_NRT" == "S" ]; then
 echo " You need to edit your /usr/local/SHADOW/sensor/singular.filter file invoked with Shadow Singular"
 echo " We've copied your gmt.filter to singular.filter for a base to edit..."
 echo -e " If you don't edit this and \033[7;44m\033[1;33mdrop logging of UDP 514\033[0m traffic you may have an infinite loop created...";
 cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/singular.filter
 echo "0 * * * * /usr/local/SHADOW/sensor/sensor_driver_singular.pl gmt&" >> /var/spool/cron/crontabs/crontab_root
 echo " We have modified cron to start Shadow IDS in SINGULAR mode."
 echo ""
 mv /var/spool/cron/crontabs/crontab_root /var/spool/cron/crontabs/root
 cp /etc/rc.d/rc.local /etc/rc.d/rc.local_shadow_nrt_bak
 # Strip the stock start_logger line into a scratch copy, then rewrite rc.local
 # from that same copy so the singular starter runs right after rc.firewall.
 grep -v "start_logger" /etc/rc.d/rc.local > /etc/rc.d/rc.local_tmp
 sed 's/rc.firewall/rc.firewall\
\
echo "Starting Shadow Singular..."\
\/usr\/local\/SHADOW\/sensor\/start_logger_singular.pl gmt/g' /etc/rc.d/rc.local_tmp > /etc/rc.d/rc.local
 rm -f /etc/rc.d/rc.local_tmp
 chmod u+x /etc/rc.d/rc.local
elif [ "$WHICH_SHADOW_NRT" == "P" ]; then
 echo " You need to edit your /usr/local/SHADOW/sensor/parallel.filter file invoked with Shadow Parallel"
 echo " We've copied your gmt.filter to parallel.filter for a base to edit..."
 echo -e " If you don't edit this and \033[7;44m\033[1;33mdrop logging of UDP 514\033[0m traffic you may have an infinite loop created...";
 cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/parallel.filter
 echo "0 * * * * /usr/local/SHADOW/sensor/sensor_driver.pl gmt&" >> /var/spool/cron/crontabs/crontab_root
 echo " We have modified cron to start Shadow IDS in PARALLEL mode."
 echo ""
 mv /var/spool/cron/crontabs/crontab_root /var/spool/cron/crontabs/root
 cp /etc/rc.d/rc.local /etc/rc.d/rc.local_shadow_nrt_bak
 # The stock start_logger line stays (the original Shadow keeps running); only a
 # previously added parallel starter is removed so re-running does not duplicate it.
 grep -v "start_logger_parallel" /etc/rc.d/rc.local > /etc/rc.d/rc.local_tmp
 sed 's/rc.firewall/rc.firewall\
\
echo "Starting Shadow Parallel..."\
\/usr\/local\/SHADOW\/sensor\/start_logger_parallel.pl gmt/g' /etc/rc.d/rc.local_tmp > /etc/rc.d/rc.local
 rm -f /etc/rc.d/rc.local_tmp
 chmod u+x /etc/rc.d/rc.local
else
 echo " We are not sure which mode you want to use.  The WHICH_SHADOW_NRT variable was not an 'S' or a 'P'.  We are exiting."
 exit 1
fi

LILO_CONFIG=(`cat /etc/lilo.conf | grep "timeout = 1200" | awk '{print $3}'`)
if [ "$LILO_CONFIG" == 1200 ]; then
 echo " Looks like you're /etc/lilo.conf could use some tweaking to improve your"
 echo " boot timeout and possibly your video modes.  Edit the file manually."
 echo ""
fi

echo " Congratulations.  Installation is complete.  Reboot your sensor for the changes to take effect."
echo " DONE!"
exit 0

 


Copyright © 2000-2014 Whitehats.ca