Shadow IDS, released and maintained by the Naval Surface Warfare Center (NSWC), is considered a pioneering product in the field of intrusion detection. Its roots lie in a period when there was a general lack of tools that could handle and process large volumes of events in near real time. When it was created, its purpose was to support post analysis: the people responsible for monitoring, or simply administering, a network could go back to the logs created by Shadow IDS and replay them looking for clues or evidence to support their analysis.
As the field of infosec, and IDS in particular, has advanced, analysts have become more focused on the operational side of monitoring networks and on reducing the time that events of interest (EOIs) go undetected. Reducing reaction times and detecting events in near real time often lowers the overall impact. Shadow IDS has not kept up with this change; it retains its original purpose as a post-analysis tool.
Shadow IDS and its accompanying analysis tools are primarily a collection of Perl scripts and BPF filters that use tcpdump as the underlying packet capture engine. By modifying the commands within these Perl scripts we can give analysts more precisely targeted information in near real time, in part through the use of BPF filters. The resulting logs can then be forwarded to a third-party log correlation tool for further analysis.
Documentation and configuration information is available from the NSWC website.
The Shadow NRT modifications discussed within this document are targeted specifically at a distribution of NSWC's Shadow IDS on Slackware Linux. This distribution is maintained by Guy Bruneau, aka 'seeker'. More specific configuration information on the Shadow IDS on Slackware Linux distribution is available at:
http://www.whitehats.ca/main/members/Seeker/seeker_shadow_IDS/seeker_shadow_ids.html.
The Shadow NRT modification assumes the reader has installed Shadow IDS from the image at:
http://www.whitehats.ca/downloads/ids/shadow-slack/shadow.iso
Shadow NRT can be run in one of two modes: Singular, which forwards a copy of everything the traditional Shadow IDS instance logs, and Parallel, which runs a second, separately filtered tcpdump instance alongside Shadow IDS and forwards only what that filter matches. Both approaches are addressed in greater detail below.
I have prepared an installation and configuration script that automates almost all of the steps required to get Shadow NRT working. The files included are only intended for use with Shadow IDS on Slackware Linux. You are strongly urged to back up any critical files before applying this sensor modification; the script runs as root and unpacks the sensor_scripts.tgz archive over /, so inspect both the script and the archive contents before running them. The install script and support files are available at http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/. Alternatively, you can configure your sensor manually by following the instructions further down in this document. To use the simple method:
1. Download the install_shadow_nrt.sh script and the sensor_scripts.tgz file and place them in your /tmp directory.
2. As the root user on your Shadow sensor, do the following:
3. cd /tmp
4. chmod 744 install_shadow_nrt.sh
5. ./install_shadow_nrt.sh
6. Follow the prompts on screen and answer the questions when asked. A few configuration tweaks are built into the script too: it edits the rc.firewall script, looks at your lilo.conf, and will try to probe for more network drivers in a search for 'eth1'.
7. If you are not using an out-of-band network for management and log forwarding, you will need to modify the appropriate filter (singular.filter or parallel.filter) so that it stops capturing the UDP syslog messages sent by your Shadow sensor. Otherwise the sensor captures its own forwarded logs, logs them, and forwards them again in an endless loop.
8. Rebooting your system is not absolutely necessary, but the install script may have left your system in an inoperable state while making changes. The simplest way to ensure your system works properly and can init from a power cycle or reboot is to reboot it and see. Do this now.
9. Enable the third-party device or your central log server to accept syslog from your Shadow sensor.
Below are instructions on how to configure your Shadow sensor manually. If you installed Shadow IDS from a source other than Seeker's Shadow IDS on Slackware Linux, your paths and file locations may differ, but generally you should be able to follow the directions below and manually configure Shadow NRT.
A certain amount of pre-configuration is required. I've chosen to use syslogd to forward logs. This requires setting up syslogd to forward to a central logging facility: an entry in /etc/syslog.conf that sends the local2 facility (the facility the forwarder logs to) to the log host, plus a firewall rule that lets the sensor send UDP 514 to that host. You could modify this to use any type of forwarding mechanism that suits your purposes (i.e. stunnel, SNMP etc.). For this document, however, we'll proceed with configuration specific to syslogd. This configuration should remain the same for either approach listed above, so you should only need to do it once, whichever method you choose. I chose syslog because it is UDP based, with lower processing overhead and bandwidth requirements, and syslogd is well supported by third-party vendors as a logging mechanism. The trade-off is that UDP syslog is neither authenticated nor reliable: anything on the path can inject, alter or drop messages, so keep the sensor-to-loghost traffic on an out-of-band management network or wrap it in something like stunnel.
For IPCHAINS:
Edit /etc/rc.d/rc.firewall and add the following under the line "# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.":
correlationbox="10.0.0.1" # Central Syslog Server or Correlation System
Edit /etc/rc.d/rc.firewall and add the following in the UDP section:
# SYSLOG (514)
# ----------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 514 -d $correlationbox -j ACCEPT

For IPTABLES:
Edit /etc/rc.d/rc.firewall and add the following under the line "# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.":
LOGHOST_IP="10.0.0.1" # Central Syslog Server or Correlation System
Edit /etc/rc.d/rc.firewall and add the following in the UDP section:
iptables -A OUTPUT -p udp -s $MYIP -d $LOGHOST_IP --dport 514 -j ACCEPT
Some people may wish to forward a copy of every packet (in ASCII) to their correlationbox in addition to keeping a local copy of the raw pcap logs for reference and replay in the future. This creates a lot of extra overhead when you consider how busy some Shadow IDS boxes are; how much depends on the sensor's deployment location, the amount of traffic on the segment, and the filter Shadow IDS is started with. In reality the true benefit of this Shadow IDS setup is to copy all traffic picked up by Shadow IDS to a third-party correlation engine. It is presumed that this engine will write incoming events into a relational database, breaking each event into fields that can then be analyzed more effectively. It is at the third-party device that management of what is or is not written occurs, leaving management of the sensor itself as less of a priority; analysts might not even have access to start or stop processes on the sensor.
So, how do we accomplish this? We again modify a few of the Shadow IDS Perl scripts. We tell Shadow IDS to write a local log file just as before, but also to re-read this file as it is being written and forward new events, in ASCII format, to the syslog facility configured in the previous Common Syslog Forwarding section. We then leave it to syslogd to forward the events on to our correlationbox.
In /etc/rc.d/rc.local, change
/usr/local/SHADOW/sensor/start_logger.pl gmt
to read
/usr/local/SHADOW/sensor/start_logger_singular.pl GMT
In root's crontab, change
0 * * * * /usr/local/SHADOW/sensor/sensor_driver.pl GMT> /dev/null 2>1&
to read
0 * * * * /usr/local/SHADOW/sensor/sensor_driver_singular.pl GMT&
Once started, the singular logger shows up in ps as:
root 2287 1 0 10:00 ? 00:00:00 /usr/sbin/tcpdump -i eth1 -l -s 150 -w - -F /usr/local/SHADOW/sensor/singular.filter
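The forwarding mechanism described above (tcpdump writing pcap to stdout, a second tcpdump turning it back into text, logger handing the text to syslog) can be seen end to end in the following added example. It is not code from Shadow NRT or the Shadow distribution: a stand-alone Python script that reads a libpcap stream, writes a tcpdump-like summary per packet, frames it as an RFC 3164 syslog message for local2.debug, and applies the loop guard that step 7 asks you to put into your BPF filter. The sensor address 192.168.30.20 and the log host 10.0.0.1 are the page's example values; the hostname "sensor", the capture bytes and the summary format are this example's own assumptions.

```python
"""Added example, not code from the Shadow NRT distribution: one process that does
what the page's pipeline  tcpdump -w - | tcpdump -r - | logger -p local2.debug  does.
It reads a libpcap stream (what tcpdump -w - emits), writes a tcpdump-like one-line
summary per IPv4 packet, frames it as an RFC 3164 syslog datagram for local2.debug
and, when a socket is supplied, sends it to the log host on UDP 514.  It also
implements the loop guard from step 7: the sensor's own syslog datagrams to the log
host are dropped instead of being logged and forwarded again.  The summary text is
this example's own format, not tcpdump's; the capture at the bottom is constructed.
"""
import socket
import struct
import time

LOCAL2, DEBUG = 18, 7                # syslog facility/severity codes
PRI = LOCAL2 * 8 + DEBUG             # <151> = local2.debug
SYSLOG_PORT = 514
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))


def parse_pcap(data):
    """Yield (ts_sec, frame) from a libpcap stream of Ethernet frames (either byte order)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    magic = struct.unpack(endian + "I", data[:4])[0]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if magic != 0xA1B2C3D4 or linktype != 1:                 # 1 = DLT_EN10MB
        raise ValueError("expected a libpcap Ethernet capture")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def summarize(frame):
    """Decode Ethernet/IPv4 (+TCP/UDP ports) into a dict with a one-line text summary."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":       # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip, l4 = frame[14:14 + ihl], frame[14 + ihl:]
    rec = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9], "sport": None, "dport": None}
    if rec["proto"] in (6, 17) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        text = "IP %s.%d > %s.%d: %s" % (rec["src"], rec["sport"], rec["dst"], rec["dport"],
                                         "TCP" if rec["proto"] == 6 else "UDP")
        if rec["proto"] == 6 and len(l4) >= 14:
            text += " flags [%s]" % "".join(ch for bit, ch in TCP_FLAGS if l4[13] & bit)
    else:
        text = "IP %s > %s: proto %d" % (rec["src"], rec["dst"], rec["proto"])
    rec["text"] = "%s length %d" % (text, struct.unpack("!H", ip[2:4])[0])
    return rec


def is_own_syslog(rec, sensor_ip, loghost_ip):
    """Loop guard: never forward the sensor's own UDP/514 datagrams to the log host."""
    return (rec["proto"] == 17 and rec["src"] == sensor_ip
            and rec["dst"] == loghost_ip and rec["dport"] == SYSLOG_PORT)


def syslog_line(ts_sec, hostname, tag, text):
    """RFC 3164 framing: <PRI>Mmm dd hh:mm:ss host TAG: message (timestamp in UTC)."""
    t = time.gmtime(ts_sec)
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)
    return "<%d>%s %s %s: %s" % (PRI, stamp, hostname, tag, text)


def forward(pcap_bytes, sensor_ip, loghost_ip, hostname="sensor", tag="SHADOW_P", sock=None):
    """Return the syslog lines for a capture; also send them to loghost_ip:514 if sock is given."""
    lines = []
    for ts_sec, frame in parse_pcap(pcap_bytes):
        rec = summarize(frame)
        if rec is None or is_own_syslog(rec, sensor_ip, loghost_ip):
            continue
        line = syslog_line(ts_sec, hostname, tag, rec["text"])
        lines.append(line)
        if sock is not None:
            sock.sendto(line.encode("ascii", "replace"), (loghost_ip, SYSLOG_PORT))
    return lines


# ---- constructed sample capture (not real traffic; IP/L4 checksums left at zero) ----
def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4          # zeroed MAC addresses, EtherType IPv4


def _record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


TS = 1065002400                                          # 2003-10-01 10:00:00 UTC
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 150, 1) + b"".join((
    _record(TS, _frame("192.168.1.10", "10.1.1.5", 6,                # TCP SYN to a web server
                       struct.pack("!HHIIBBHHH", 34567, 80, 1000, 0, 0x50, 0x02, 5840, 0, 0))),
    _record(TS + 1, _frame("192.168.30.20", "10.0.0.1", 17,          # the sensor's own syslog
                           struct.pack("!HHHH", 514, 514, 16, 0) + b"<151>x!!")),
    _record(TS + 2, _frame("10.1.1.5", "192.168.1.10", 17,           # an unrelated UDP reply
                           struct.pack("!HHHH", 53, 33000, 20, 0) + b"\x00" * 12)),
))

if __name__ == "__main__":
    for line in forward(SAMPLE_PCAP, sensor_ip="192.168.30.20", loghost_ip="10.0.0.1"):
        print(line)
```

Run as-is it prints the two lines it would send and silently drops the sensor's own syslog datagram; pass a UDP socket as sock to actually send them. The same guard belongs in singular.filter or parallel.filter on a real sensor, because tcpdump sees the sensor's own syslog datagrams whenever the forwarding interface is also the sniffing interface.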
|
Quite simply, I edited the start_logger.pl and stop_logger.pl scripts and directed this parallel instance of Shadow IDS to only forward logs to another host. This approach allows the analyst to specify a different filter from the one used by the original Shadow IDS instance, thereby limiting what is forwarded over the network. This is great for capturing only certain EOIs as defined by the analyst, limited only by what can be expressed in a Berkeley Packet Filter (BPF filter). The process is handled (albeit in a crude manner) separately from the original instance of Shadow IDS.
Executing the stop_logger_parallel.pl script will stop the process and consequently any forwarding of logs. This process does not stop and start on hourly intervals; it is meant to be started by an analyst and turned off when they no longer need to cover the events for which this instance of Shadow IDS was started. As you can see, this is not really a solid implementation of Shadow IDS but rather a reuse of a Shadow IDS script to start up tcpdump for the analyst and forward its output to another location. The mechanism I've implemented for forwarding isn't very efficient and could be improved upon. If you've got suggestions or want to help, send an email to malik at whitehats.ca.
The parallel instance shows up in ps as:
root 919 1 0 Sep29 ? 00:00:00 /usr/sbin/tcpdump -i eth1 -l -s 150 -w - -F /usr/local/SHADOW/sensor/parallel.filter
As a side note, you can start this process outside of Shadow, right from the command line, by typing:
/path/to/tcpdump -i eth1 -s 150 -w - -F /usr/local/SHADOW/sensor/my.filter | /path/to/tcpdump -r - -NV | logger -p local2.debug -t SHADOW_P &
Give the capturing tcpdump the sniffing interface explicitly (eth1 here, as in the ps output above); without -i it picks the first interface, which on this distribution is the management interface carrying the forwarded syslog traffic.
To stop the process you can run /usr/local/SHADOW/sensor/stop_logger_parallel.pl GMT&
No extra files are created on disk, so you will have to review the logs on the correlationbox. The logs are in ASCII, and the output depends on the switches used when starting the forwarder process. For instance, for more verbose output start the process with -nvv instead of -NV as listed above; to include a date and time stamp you might start it with -nvv -tttt. Remember that if you build correlation rules that post-process events on the correlation box, changing the output switches will very likely break those rules because the output format changes; the same applies when tcpdump itself is upgraded, since its text output has changed between releases. Pick a format that fulfils your requirements today and into the future and stick with it.
In the modified scripts, many of the lines that handle the processes started by Shadow IDS were commented out. The sensor_driver_singular.pl and sensor_driver_parallel.pl scripts are used for each respective mode; the main change is that each calls the correspondingly named start_logger and stop_logger Perl scripts. To stop the singular process you can run /usr/local/SHADOW/sensor/stop_logger_singular.pl GMT&
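On the correlation box the forwarded lines have to be broken back into fields, and the discussion above explains why the tcpdump switches must stay fixed once rules depend on them. The following added example (not part of Shadow NRT or the Shadow distribution) is a Python parser for those lines that handles the -n, -nvv and -nvv -tttt variants the page mentions and counts anything else as rejected, so a switch change on the sensor is noticed instead of silently producing wrong rows. The sample lines are constructed in the shape of syslog-wrapped tcpdump -n output; the hostname "sensor" is assumed and the SHADOW_P tag is the page's logger -t value.

```python
"""Added example, not part of Shadow NRT: the log-host side of the page's setup.
Each line the sensor forwards is "<syslog header> SHADOW_P: <tcpdump text>"; this
splits it into the columns a correlation database would hold.  The parser relies
only on the parts of tcpdump's -n output that are stable across the switch
combinations the page mentions (an optional YYYY-MM-DD HH:MM:SS.ffffff stamp from
-tttt, an optional parenthesised header block from -v/-vv, and the
"src.port > dst.port:" pair) and rejects anything else, so a change of switches on
the sensor shows up as a growing reject count rather than silently wrong rows.
The sample lines are constructed in the shape of that output, not real sensor logs.
"""
import re

SYSLOG_RE = re.compile(r"^(?P<received>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<sensor>\S+) (?P<tag>[^\s:]+): (?P<body>.*)$")
ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
PKT_RE = re.compile(
    r"^(?:(?P<pkt_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) )?"   # packet stamp (-tttt)
    r"IP (?:\((?P<hdr>(?:[^()]|\([^()]*\))*)\) )?"                # verbose header block (-v)
    r"(?P<src>" + ADDR + r")(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>" + ADDR + r")(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")
HDR_FIELDS = {"ttl": re.compile(r"\bttl:? (\d+)"),
              "length": re.compile(r"\blength:? (\d+)"),
              "proto": re.compile(r"\bproto:? ([A-Za-z]+)")}


def parse_line(line):
    """Return a dict of columns for one forwarded line, or None if its shape is not recognised."""
    m = SYSLOG_RE.match(line)
    p = PKT_RE.match(m.group("body")) if m else None
    if not p:
        return None
    ev = {"received": m.group("received"), "sensor": m.group("sensor"), "tag": m.group("tag"),
          "pkt_time": p.group("pkt_time"), "src": p.group("src"), "dst": p.group("dst"),
          "sport": int(p.group("sport")) if p.group("sport") else None,
          "dport": int(p.group("dport")) if p.group("dport") else None,
          "proto": None, "ttl": None, "length": None, "rest": p.group("rest")}
    for name, rx in HDR_FIELDS.items():           # only present with -v/-vv
        f = rx.search(p.group("hdr") or "")
        if f:
            ev[name] = f.group(1).upper() if name == "proto" else int(f.group(1))
    if ev["proto"] is None and ev["rest"].startswith("icmp"):
        ev["proto"] = "ICMP"
    return ev


def parse_batch(lines):
    """Split a batch into (events, rejected); a rising reject count means the format changed."""
    events, rejected = [], []
    for line in lines:
        ev = parse_line(line.rstrip("\n"))
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


# ---- constructed sample lines in the shape of syslog-wrapped tcpdump -n output ----
SAMPLE_LINES = [
    "Oct  1 10:00:01 sensor SHADOW_P: IP 192.168.1.10.34567 > 10.1.1.5.80: "
    "S 1000:1000(0) win 5840 <mss 1460>",
    "Oct  1 10:00:01 sensor SHADOW_P: 2003-10-01 10:00:00.123456 IP (tos 0x0, ttl 64, "
    "id 1234, offset 0, flags [DF], proto TCP (6), length 60) "
    "192.168.1.10.34567 > 10.1.1.5.80: S 1000:1000(0) win 5840 <mss 1460>",
    "Oct  1 10:00:02 sensor SHADOW_P: IP 10.1.1.5 > 192.168.1.10: icmp 64: echo request seq 1",
    "Oct  1 10:00:02 sensor SHADOW_P: arp who-has 10.1.1.1 tell 10.1.1.5",
]

if __name__ == "__main__":
    events, rejected = parse_batch(SAMPLE_LINES)
    for ev in events:
        print("%(received)s %(sensor)s %(proto)s %(src)s:%(sport)s -> %(dst)s:%(dport)s %(rest)s" % ev)
    print("rejected: %d" % len(rejected))
```

The ARP line is rejected on purpose: a parser that guesses at unfamiliar lines is exactly how rules break quietly when someone changes the switches on the sensor. Alert on the reject count in the correlation rules, and keep the raw rest field so rules can still match on flags, ICMP types and payload hints without a full tcpdump grammar.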
Included below is a shell script I've created to install the Shadow Near Real Time modification on 'Shadow IDS on Slackware Linux' (versions 3.0 through 4.1). There is no uninstall script at this time, but it isn't difficult to follow the documentation above and reverse all the changes made if you decide not to use Shadow NRT at a later date. Also, I have not had any user feedback on this so far, as I'm the only one I know using it. I'd consider it Alpha, so if you run into problems send me a brief description of what occurred and what you think happened and I'll see if I can figure out the issue and correct it.
Happy correlating with Shadow NRT!
###################################################################################
install_shadow_nrt.sh
#!/usr/bin/bash
clear
CHECK=1
MYDATE=(`date +%s`)
echo ""
echo " ########################################################################"
echo " ########################################################################"
echo " ## ##"
echo " ## SHADOW NEAR REAL TIME - Installation Script v 0.1 ##"
echo " ## ##"
echo " ## This is an installation script that will modify system settings ##"
echo " ## and configure Shadow IDS to send logs in Near Real Time to another ##"
echo " ## loghost via syslog (UDP port 514). ##"
echo " ## ##"
echo " ## Written by Jamie French - Oct 2003 ####################"
echo " ## ####################"
echo " ## ##"
echo " ## http://www.whitehats.ca/main/members/Malik/malik_shadow_nrt/malik_shadow_nrt.html ##"
echo " ## http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/install_shadow_nrt.sh ##"
echo " ## http://www.whitehats.ca/downloads/ids/shadow-slack/shadow_nrt/sensor_scripts.tgz ##"
echo " ## ##"
echo " ## Released under the GNU GPL - http://www.gnu.org/copyleft/gpl.html ############"
echo " ## ############"
echo " ## This program is free software; you can redistribute it and/or ##"
echo " ## modify it under the terms of the GNU General Public License ##"
echo " ## as published by the Free Software Foundation; either version 2 ##"
echo " ## of the License, or (at your option) any later version. ##"
echo " ## ##"
echo " ## This program is distributed in the hope that it will be useful, ##"
echo " ## but WITHOUT ANY WARRANTY; without even the implied warranty of ##"
echo " ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ##"
echo " ## GNU General Public License for more details. ##"
echo " ## ##"
echo " ################################################################################"
echo " ################################################################################"
echo ""
sleep 1
echo "We're shutting down Shadow..."
/usr/local/SHADOW/sensor/stop_logger.pl gmt 2>/dev/null
echo ""
clear
echo " Do you want to install Shadow Singular or Parallel (S/P)?"
echo ""
echo " Singular - Start up Shadow IDS to log in its traditional format and send copies"
echo " of all these logs to the third party logging and correlation machine."
echo ""
echo " Parallel - Start another incarnation of Shadow in parallel with the traditional "
echo " Shadow IDS. The parallel Shadow will only send packets of interest to"
echo " the third party logging and correlation machine."
echo ""
echo -n "(S)ingular or (P)arallel: ";
read WHICH_SHADOW_NRT
echo ""
if [ "$WHICH_SHADOW_NRT" != "S" ] && [ "$WHICH_SHADOW_NRT" != "P" ]; then
echo " You did not enter a 'S' or a 'P' to choose the mode to install. Restart the script..."
exit 1
fi
KERNEL_VER=(`uname -a | awk '{print $3}'`)
MOD_PATH="/lib/modules/$KERNEL_VER/kernel/drivers/net"
DATE=(`date +%s`)
COUNTER=1
ETH1_EXISTS2=(`ifconfig -a | grep eth1`)
if [ -n "$ETH1_EXISTS2" ]; then
echo "Driver for eth1 is already loaded"
else
echo " You do not have a driver loaded for eth1!"
echo -n " Would you like to do a more thorough probe (Y/N): ";
read PROBE
if [ "$PROBE" == "Y" ];
then
for foo in /lib/modules/$KERNEL_VER/kernel/drivers/net/*.o.gz
do
MYBASE=(`basename $foo .o.gz`)
echo -en "\033[7;44m\033[1;33m$COUNTER\033[3D";
echo -en "\033[0m";
COUNTER=$(($COUNTER + 1))
/sbin/modprobe -q $MYBASE 2>&1
sleep 2 # give the driver a moment to register the interface before we look for eth1
ETH1_EXISTS=(`ifconfig -a | grep eth1`)
if [ $CHECK == 1 ]; then
if [ -z "$ETH1_EXISTS" ]; then
echo -en "\033[0m";
CHECK=1
else
echo -e "Interface ETH1 driver is \033[7;44m\033[0;33m$foo\033[0m";
echo "Modifying /etc/rc.d/rc.modules to load at boot"
cp /etc/rc.d/rc.modules /etc/rc.d/rc.modules_$DATE
cat /etc/rc.d/rc.modules | sed 's/#\/sbin\/modprobe '$MYBASE'/\/sbin\/modprobe '$MYBASE'/' > /etc/rc.d/rc.modules.bak
mv /etc/rc.d/rc.modules.bak /etc/rc.d/rc.modules
chmod 755 /etc/rc.d/rc.modules
CHECK=0
fi
fi
done
fi
fi
echo -n " What is the hostname of the central log host you want to write to: ";
read LOGHOST
echo ""
LOGHOST_EXISTS=`(cat /etc/hosts | grep $LOGHOST)`
if [ -z "$LOGHOST_EXISTS" ] ; then
# echo "LOGHOST_EXISTS is zero length"
LOGHOST_EXISTS=1
echo " Your central log host is not in your /etc/hosts file. We will add it now."
echo ""
echo -n " Enter the IP address of your log host: ";
read LOGHOST_IP
echo ""
cp /etc/hosts /etc/hosts_shadow_nrt
echo "$LOGHOST_IP $LOGHOST" >> /etc/hosts
else
LOGHOST_IP=(`cat /etc/hosts | grep $LOGHOST | awk '{print $1}'`)
fi
LOGHOST_SYSLOG=`(cat /etc/syslog.conf | grep $LOGHOST)`
if [ -z "$LOGHOST_SYSLOG" ]; then
# echo "LOGHOST_SYSLOG is zero length"
echo " Your central log host is not configured in your /etc/syslog.conf file. We will add it now."
echo ""
# sysklogd separates selector and action with whitespace; a tab is accepted by every version.
printf 'local2.debug\t@%s\n' "$LOGHOST" >> /etc/syslog.conf
fi
# The syslog.conf entry above is all that sysklogd needs to forward to a remote host.
# Do NOT add "-r" to the syslogd command line in rc.syslog or rc.inet2 for this:
# -r makes syslogd accept and process syslog messages FROM the network (UDP 514),
# which a sensor does not need and which exposes it to injected log traffic.
MYIP=(`cat /etc/rc.d/rc.inet1.conf | grep "IPADDR\[0\]" | awk -F= '{print $2}' | sed 's/"//g'`)
# Which version of FW are we working with?
FW_VERSION1=`(grep "# Version" /etc/rc.d/rc.firewall)`
FW_VERSION=`(echo $FW_VERSION1 | sed 's/[a-zA-Z #]\{1,15\}//')`
echo " Firewall Version in use is $FW_VERSION"
echo -e " Firewall configuration file is \033[7;44m\033[1;33m/etc/rc.d/rc.firewall\033[0m";
echo ""
cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall_shadow_nrt
echo " A backup of the original rc.firewall config was copied to /etc/rc.d/rc.firewall_shadow_nrt"
echo ""
if [ "$FW_VERSION" == "1.0" ]; then
echo " We have NOT fully tested version 1.0 modifications yet..."
echo " You should manually confirm your firewall config afterwards."
echo ""
# Rewrite via a temporary file: "cat f | sed ... > f" truncates f before it is read.
cat /etc/rc.d/rc.firewall | sed 's/This sensor.s IP address/# Central log servers address\
\
'$LOGHOST'="'$LOGHOST_IP'"\
\
# This sensors IP address\
MYIP="'$MYIP'"/' > /etc/rc.d/rc.firewall2
mv /etc/rc.d/rc.firewall2 /etc/rc.d/rc.firewall
echo "" >> /etc/rc.d/rc.firewall
echo "# OUTPUT Table Rules" >> /etc/rc.d/rc.firewall
echo "# Allow outbound UDP syslog to central log host" >> /etc/rc.d/rc.firewall
echo "iptables -A OUTPUT -s \$MYIP -p udp -d \$$LOGHOST --dport 514 -j ACCEPT" >> /etc/rc.d/rc.firewall
echo " Watch out - default FW rules for INPUT, OUTPUT, FORWARD are ACCEPT!"
echo ""
elif [ "$FW_VERSION" == "1.1" ]; then
cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall_bak_$MYDATE
echo " We have NOT fully tested version 1.1 modifications yet..."
echo " You should manually confirm your firewall config afterwards."
echo ""
cat /etc/rc.d/rc.firewall | grep -v "Accept time update" | grep -v "TIMESERVER -p udp" | grep -v "MYDNS -p udp" | grep -v "\--dport 514 -j ACCEPT" | grep -v "DNS traffic, send syslog" > /etc/rc.d/rc.firewall2
sed 's/MYIP=.*/MYIP='$MYIP'/' /etc/rc.d/rc.firewall2 > /etc/rc.d/rc.firewall
rm /etc/rc.d/rc.firewall2
echo "" >> /etc/rc.d/rc.firewall
echo "# Accept time update, DNS traffic, send syslog" >> /etc/rc.d/rc.firewall
echo "" >> /etc/rc.d/rc.firewall
echo "iptables -A INPUT -i eth0 -s \$TIMESERVER -p udp --dport 123 -j ACCEPT" >> /etc/rc.d/rc.firewall
echo "iptables -A OUTPUT -p udp -s \$MYIP -d $LOGHOST_IP --dport 514 -j ACCEPT" >> /etc/rc.d/rc.firewall
echo "iptables -A INPUT -i eth0 -s \$MYDNS -p udp --sport 53 -j ACCEPT" >> /etc/rc.d/rc.firewall
else
echo " Firewall version is pre 1.0..."
echo ""
LOGHOST_FW=`(cat /etc/rc.d/rc.firewall | grep $LOGHOST_IP)`
if [ -z "$LOGHOST_FW" ]; then
# echo "LOGHOST_FW is zero length"
echo " Your IPCHAINS Firewall is not configured to allow logs to be forwarded to the central log host. We will configure this now."
echo ""
cp /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall_shadow_nrt
echo " A backup of the original config was copied to /etc/rc.d/rc.firewall_shadow_nrt"
echo ""
cat /etc/rc.d/rc.firewall | sed 's/LOOPBACK="127.0.0.0\/8" # reserved loopback address range/'$LOGHOST'="1.2.3.4\/32" # central log host\
\
LOOPBACK="127.0.0.0\/8" # reserved loopback address range\
/' > /etc/rc.d/rc.firewall_3
cat /etc/rc.d/rc.firewall_3 | sed 's/ # NTP TIME clients (123)/ # SYSLOG (514)\
# ----------------------\
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADDR 514 -d $'$LOGHOST' -j ACCEPT \
\
# ------------------------------------------------------------------\
# NTP TIME clients (123)/' > /etc/rc.d/rc.firewall
rm /etc/rc.d/rc.firewall_3
fi
fi
echo " We are making a backup of the current Shadow PERL scripts in the /usr/local/SHADOW/sensor directory."
echo ""
cp /usr/local/SHADOW/sensor/start_logger.pl /usr/local/SHADOW/sensor/start_logger_shadow_nrt.pl
echo " Copied /usr/local/SHADOW/sensor/start_logger.pl to /usr/local/SHADOW/sensor/start_logger_shadow_nrt.pl"
cp /usr/local/SHADOW/sensor/stop_logger.pl /usr/local/SHADOW/sensor/stop_logger_shadow_nrt.pl
echo " Copied /usr/local/SHADOW/sensor/stop_logger.pl to /usr/local/SHADOW/sensor/stop_logger_shadow_nrt.pl"
cp /usr/local/SHADOW/sensor/sensor_driver.pl /usr/local/SHADOW/sensor/sensor_driver_shadow_nrt.pl
echo " Copied /usr/local/SHADOW/sensor/sensor_driver.pl to /usr/local/SHADOW/sensor/sensor_driver_shadow_nrt.pl"
cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/gmt.filter_shadow_nrt
echo " Copied /usr/local/SHADOW/sensor/gmt.filter to /usr/local/SHADOW/sensor/gmt.filter_shadow_nrt"
echo ""
echo " Creating our custom Shadow PERL scripts..."
echo ""
SENSOR_SCRIPT_PATH=`(ls -l | grep sensor_scripts.tgz)`
if [ -z "$SENSOR_SCRIPT_PATH" ]; then
echo " We could not find the sensor_scripts.tgz file. We need this. Searching..."
echo ""
SENSOR_SCRIPT_PATH2=`(find / -name sensor_scripts.tgz)`
# echo "SENSOR_SCRIPT_PATH2 is eq $SENSOR_SCRIPT_PATH2"
declare -a array1
array1=( `echo $SENSOR_SCRIPT_PATH2 | tr '\n' ' ' | awk '{print $1}'`)
SENSOR_SCRIPT_PATH2=${array1[0]}
# echo "SENSOR_SCRIPT_PATH2 array is eq $SENSOR_SCRIPT_PATH2"
if [ -z "$SENSOR_SCRIPT_PATH2" ]; then
echo " You need to copy the the sensor_scripts.tgz file to your system and restart the installation. We are exiting now..."
exit 1
else
echo -n " Do you want to use this sensor_scripts.tgz file? $SENSOR_SCRIPT_PATH2 (Y/N): ";
read SENSOR_PATH_YES
echo ""
fi
if [ "$SENSOR_PATH_YES" == "Y" ]; then
# This unpacks as root over /: list the archive (tar tzf) and check it first if you did not build it yourself.
tar xvfz "$SENSOR_SCRIPT_PATH2" -C /
echo ""
TEST=1
else
echo " You didn't enter a 'Y' - we are exiting..."
exit 1
fi
fi
if [ "$TEST" != 1 ]; then
# This unpacks as root over /: list the archive (tar tzf) and check it first if you did not build it yourself.
tar xvfz ./sensor_scripts.tgz -C /
echo ""
fi
#START_LOGGER_S=`(find / -name start_logger_singular.pl)`
#STOP_LOGGER_S=`(find / -name stop_logger_singular.pl)`
#SENSOR_DRIVER_S=`(find / -name sensor_driver_singular.pl)`
#START_LOGGER_P=`(find / -name start_logger_parallel.pl)`
#STOP_LOGGER_P=`(find / -name stop_logger_parallel.pl)`
#SENSOR_DRIVER_P=`(find / -name sensor_driver_parallel.pl)`
#echo "START_LOGGER_S is $START_LOGGER_S"
#echo "STOP_LOGGER_S is $STOP_LOGGER_S"
#echo "SENSOR_DRIVER_S is $SENSOR_DRIVER_S"
#echo "START_LOGGER_S is $START_LOGGER_S"
#echo "STOP_LOGGER_S is $STOP_LOGGER_S"
#echo "SENSOR_DRIVER_S is $SENSOR_DRIVER_S"
grep -v "/usr/local/SHADOW/sensor/sensor_driver" /var/spool/cron/crontabs/root > /var/spool/cron/crontabs/crontab_root
if [ "$WHICH_SHADOW_NRT" == "S" ]; then
echo " You need to edit your /usr/local/SHADOW/sensor/singular.filter file involked with Shadow Singular"
echo " We've copied your gmt.filter to singular.filter for a base to edit..."
echo -e " If you don't edit this and \033[7;44m\033[1;33mdrop logging of UDP 514\033[0m traffic you may have an infinite loop created...";
cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/singular.filter
echo "0 * * * * /usr/local/SHADOW/sensor/sensor_driver_singular.pl gmt&" >> /var/spool/cron/crontabs/crontab_root
echo " We have modified cron to start Shadow IDS in SINGULAR mode."
echo ""
mv /var/spool/cron/crontabs/crontab_root /var/spool/cron/crontabs/root
#echo "$CHECK is CHECK"
# if [ "$CHECK" == 0 ]; then
# echo "/sbin/ifconfig eth1 up" > /tmp/rc.local_tmp
# fi
cp /etc/rc.d/rc.local /etc/rc.d/rc.local_shadow_nrt_bak
# Filter into a temporary file and let sed read that same file; rc.local is rewritten from it.
grep -v "start_logger" /etc/rc.d/rc.local > /etc/rc.d/rc.local_tmp
sed 's/rc.firewall/rc.firewall\
\
echo "Starting Shadow Singular..."\
\/usr\/local\/SHADOW\/sensor\/start_logger_singular.pl gmt/g' /etc/rc.d/rc.local_tmp > /etc/rc.d/rc.local
rm /etc/rc.d/rc.local_tmp
chmod u+x /etc/rc.d/rc.local
elif [ "$WHICH_SHADOW_NRT" == "P" ]; then
echo " You need to edit your /usr/local/SHADOW/sensor/parallel.filter file involked with Shadow Parallel"
echo " We've copied your gmt.filter to parallel.filter for a base to edit..."
echo -e " If you don't edit this and \033[7;44m\033[1;33mdrop logging of UDP 514\033[0m traffic you may have an infinite loop created...";
cp /usr/local/SHADOW/sensor/gmt.filter /usr/local/SHADOW/sensor/parallel.filter
echo "0 * * * * /usr/local/SHADOW/sensor/sensor_driver.pl gmt&" >> /var/spool/cron/crontabs/crontab_root
echo " We have modified cron to start Shadow IDS in PARALLEL mode."
echo ""
mv /var/spool/cron/crontabs/crontab_root /var/spool/cron/crontabs/root
grep -v "sensor_driver" /etc/rc.d/rc.local > /etc/rc.d/rc.local_tmp
sed 's/rc.firewall/rc.firewall\
\
echo "Starting Shadow Parallel..."\
\/usr\/local\/SHADOW\/sensor\/start_logger_parallel.pl gmt/g' /etc/rc.d/rc.local_tmp > /etc/rc.d/rc.local
chmod u+x /etc/rc.d/rc.local
else
echo " We are not sure which mode you want to use. The WHICH_SHADOW_NRT variable was not an 'S' or a 'P'. We are exiting."
exit 1
fi
LILO_CONFIG=(`cat /etc/lilo.conf | grep "timeout = 1200" | awk '{print $3}'`)
if [ "$LILO_CONFIG" == 1200 ]; then
echo " Looks like your /etc/lilo.conf could use some tweaking to improve your"
echo " boot timeout and possibly your video modes. Edit the file manually."
echo ""
fi
echo " Congratulations. Installation is complete. Reboot your sensor for the changes to take effect."
echo " DONE!"
exit 0
Copyright © 2000-2010 Whitehats.ca