Mon Jul 21 12:16:46 2008 UTC ()
Prelude-Correlator serves to correlate, in real time, the multiple
events received by Prelude. Several isolated alerts, generated from
different probes, can thus trigger a single correlation alert should the
events be related. This correlation alert then appears within the
Prewikka interface and indicates the potential target information via
the set of correlation rules.
Status:
Vendor Tag: TNF
Release Tags: pkgsrc-base
(shannonjr)
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/Makefile
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/PLIST
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/distinfo
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/DESCR
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/patches/patch-ab
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/patches/patch-aa
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/patches/patch-ac
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/files/preludecorrelator.sh
diff -r0 -r1.1.1.1 pkgsrc/security/prelude-correlator/files/run-prelude-correlator.c
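# $NetBSD: Makefile,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
#

DISTNAME=		prelude-correlator-0.9.0-beta3
PKGNAME=		prelude-correlator-${DISTNAME:S/-beta/beta/:C/.*-//}
CATEGORIES=		security
MASTER_SITES=		http://www.prelude-ids.com/download/releases/prelude-correlator/

MAINTAINER=		shannonjr@NetBSD.org
HOMEPAGE=		http://www.prelude-ids.com/download/releases/prelude-correlator/
COMMENT=		Intrusion event correlation engine

USE_LIBTOOL=		yes
GNU_CONFIGURE=		yes
USE_TOOLS+=		make
USE_TOOLS+=		pkg-config

BUILD_DEFS+=		VARBASE

CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+=	--localstatedir=${VARBASE:Q}
# NOTE(review): no libpreludedb buildlink3.mk is included below, so this
# expands to an empty prefix -- confirm that is the intended way to leave
# the libpreludedb dependency out.
CONFIGURE_ARGS+=	--with-libpreludedb-prefix=${BUILDLINK_PREFIX.libpreludedb}

RCD_SCRIPTS=		preludecorrelator

PRELUDE_CORRELATOR_PID_DIR=	${VARBASE}/run/prelude-correlator

# Unprivileged account that run-prelude-correlator switches to before
# exec()ing the daemon.
PRELUDE_USER?=		_prelude
PRELUDE_GROUP?=		_prelude
PRELUDE_HOME?=		${VARBASE}/prelude-correlator

INSTALLATION_DIRS=	sbin

PKG_GROUPS_VARS+=	PRELUDE_GROUP
PKG_USERS_VARS+=	PRELUDE_USER
PKG_GROUPS=		${PRELUDE_GROUP}
PKG_USERS=		${PRELUDE_USER}:${PRELUDE_GROUP}
PKG_GECOS.${PRELUDE_USER}=	Prelude IDS correlator
PKG_HOME.${PRELUDE_USER}=	${PRELUDE_HOME}

# Tokens substituted into files/preludecorrelator.sh.  @PRELUDE_GROUP@ is
# taken from PRELUDE_GROUP; copying it from PRELUDE_USER only worked while
# both defaulted to the same name and broke the rc.d chown otherwise.
FILES_SUBST+=		PRELUDE_CORRELATOR_PID_DIR=${PRELUDE_CORRELATOR_PID_DIR:Q}
FILES_SUBST+=		PRELUDE_USER=${PRELUDE_USER:Q}
FILES_SUBST+=		PRELUDE_GROUP=${PRELUDE_GROUP:Q}

# No trailing slash: EGDIR is joined with "/" below and substituted as
# @EGDIR@ into the upstream Makefile.in (see patch-ab).
EGDIR=			share/examples/prelude-correlator
REQD_DIRS=		${EGDIR}
REQD_DIRS+=		${EGDIR}/lua-rules
CONF_FILES_PERMS+=	${EGDIR}/prelude-correlator.conf \
			${PKG_SYSCONFDIR}/prelude-correlator/prelude-correlator.conf \
			${ROOT_USER} ${ROOT_GROUP} 0644

# Bake the installation prefix and the target account into the
# privilege-dropping wrapper before post-build compiles it.
SUBST_CLASSES+=		code
SUBST_STAGE.code=	post-patch
SUBST_FILES.code=	run-prelude-correlator.c
SUBST_SED.code=		-e 's,@PREFIX@,${PREFIX},g'
SUBST_SED.code+=	-e 's,@PRELUDE_USER@,${PRELUDE_USER},g'

# patch-ab redirects upstream's config install to @EGDIR@.
SUBST_CLASSES+=		make
SUBST_STAGE.make=	post-patch
SUBST_FILES.make=	Makefile.in
SUBST_SED.make=		-e 's,@EGDIR@,${EGDIR},g'

pre-patch:
	${CP} ${FILESDIR}/run-prelude-correlator.c ${WRKSRC}

# The wrapper is a single libc-only source file; LDFLAGS is passed so the
# usual pkgsrc link flags apply to it as well.
post-build:
	cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${CC} ${CFLAGS} ${LDFLAGS} \
		-o run-prelude-correlator run-prelude-correlator.c

post-install:
	${INSTALL_PROGRAM} ${WRKSRC}/run-prelude-correlator ${PREFIX}/sbin/run-prelude-correlator
	${CHOWN} -R ${PRELUDE_USER}:${PRELUDE_GROUP} ${PRELUDE_HOME}

.include "../../security/libprelude/buildlink3.mk"
.include "../../lang/lua/buildlink3.mk"
.include "../../devel/pcre/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"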
@comment $NetBSD: PLIST,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
bin/prelude-correlator
sbin/run-prelude-correlator
include/prelude-correlator/prelude-correlator.h
lib/prelude-correlator/lua.la
share/examples/prelude-correlator/prelude-correlator.conf
share/examples/rc.d/preludecorrelator
share/examples/prelude-correlator/lua-rules/brute-force.lua
share/examples/prelude-correlator/lua-rules/business-hour.lua
share/examples/prelude-correlator/lua-rules/firewall.lua
share/examples/prelude-correlator/lua-rules/scan.lua
share/examples/prelude-correlator/lua-rules/worm.lua
share/prelude-correlator/lua/lib.lua
@dirrm share/prelude-correlator/lua
@dirrm share/examples/prelude-correlator
@dirrm lib/prelude-correlator
@dirrm include/prelude-correlator
$NetBSD: distinfo,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
SHA1 (prelude-correlator-0.9.0-beta3.tar.gz) = fbceb04a42f267bf841bbf1ae501dc01c8ca2544
RMD160 (prelude-correlator-0.9.0-beta3.tar.gz) = 18a9a566410ac90f957b68a4ee034a2ff94b8a3e
Size (prelude-correlator-0.9.0-beta3.tar.gz) = 397813 bytes
SHA1 (patch-aa) = aa4cbb04d5898c91578a36c279b8ca7b216ab695
SHA1 (patch-ab) = 37d78dfd38965e6d7027a85ae0493f2071398713
SHA1 (patch-ac) = 755852732c57563792f2ef9ae693a75045d962e7
Prelude-Correlator serves to correlate, in real time, the multiple
events received by Prelude. Several isolated alerts, generated
from different sensors, can thus trigger a single correlation
alert should the events be related. This correlation alert then
appears within the Prewikka interface and indicates the potential
target information via the set of correlation rules.
Signature creation with Prelude-Correlator is based on the powerful
programming language Lua.
$NetBSD: patch-ab,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
--- Makefile.in.orig 2008-06-27 11:54:12.000000000 -0600
+++ Makefile.in
@@ -733,17 +733,7 @@ uninstall-info: uninstall-info-recursive
install-data-local:
$(INSTALL) -m 700 -d $(DESTDIR)$(PRELUDE_CORRELATOR_CONTEXT_DIR)
- @if test -f $(DESTDIR)$(PRELUDE_CORRELATOR_CONFDIR)/prelude-correlator.conf; then \
- echo "********************************************************************************"; \
- echo; \
- echo "$(DESTDIR)$(configdir)/prelude-correlator.conf already exist..."; \
- echo "Installing default configuration in $(DESTDIR)$(configdir)/prelude-correlator.conf-dist"; \
- echo; \
- echo "********************************************************************************"; \
- $(INSTALL) -m 600 $(top_srcdir)/prelude-correlator.conf $(DESTDIR)$(PRELUDE_CORRELATOR_CONFDIR)/prelude-correlator.conf-dist; \
- else \
- $(INSTALL) -m 600 $(top_srcdir)/prelude-correlator.conf $(DESTDIR)$(PRELUDE_CORRELATOR_CONFDIR); \
- fi
+ $(BSD_INSTALL_DATA) $(top_srcdir)/prelude-correlator.conf $(PREFIX)/@EGDIR@
uninstall-local:
rm -f $(DESTDIR)$(configdir)/prelude-correlator.conf;
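Review bot: The replacement line `$(BSD_INSTALL_DATA) $(top_srcdir)/prelude-correlator.conf $(PREFIX)/@EGDIR@` drops the `$(DESTDIR)` prefix that every removed install line carried, so a staged (DESTDIR) install writes straight into PREFIX; the two added lines in patch-ac have the same omission. Suggested form: `$(BSD_INSTALL_DATA) $(top_srcdir)/prelude-correlator.conf $(DESTDIR)$(PREFIX)/@EGDIR@`. Separately, the removed branch installed the file with `-m 600`, while the package Makefile in this import places the live copy in PKG_SYSCONFDIR as 0644 ${ROOT_USER}:${ROOT_GROUP}; because the daemon runs as PRELUDE_USER a root-owned 0600 would not be readable by it, so if the file can carry sensitive settings, 0640 ${ROOT_USER}:${PRELUDE_GROUP} keeps upstream's intent without breaking the service. The uninstall-local rule starting on the last context line continues outside the hunk.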
$NetBSD: patch-aa,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
--- configure.orig 2008-06-29 05:41:00.000000000 -0600
+++ configure
@@ -25519,7 +25519,7 @@ fi
PRELUDE_CORRELATOR_CONF=$SYSCONFDIR/prelude-correlator/prelude-correlator.conf
-PRELUDE_CORRELATOR_CONTEXT_DIR=$LOCALSTATEDIR/lib/prelude-correlator
+PRELUDE_CORRELATOR_CONTEXT_DIR=$LOCALSTATEDIR/prelude-correlator
PRELUDE_CORRELATOR_CONFDIR=$SYSCONFDIR/prelude-correlator
$NetBSD: patch-ac,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
--- ./plugins/lua/ruleset/Makefile.in.orig 2008-07-11 06:41:49.000000000 -0600
+++ ./plugins/lua/ruleset/Makefile.in
@@ -321,12 +321,11 @@ distclean-libtool:
uninstall-info-am:
install-rulesetDATA: $(ruleset_DATA)
@$(NORMAL_INSTALL)
- test -z "$(rulesetdir)" || $(mkdir_p) "$(DESTDIR)$(rulesetdir)"
@list='$(ruleset_DATA)'; for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
f=$(am__strip_dir) \
- echo " $(rulesetDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(rulesetdir)/$$f'"; \
- $(rulesetDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(rulesetdir)/$$f"; \
+ echo " $(rulesetDATA_INSTALL) '$$d$$p' '$(PREFIX)/share/examples/prelude-correlator/lua-rules/$$f'"; \
+ $(rulesetDATA_INSTALL) "$$d$$p" "$(PREFIX)/share/examples/prelude-correlator/lua-rules/$$f"; \
done
uninstall-rulesetDATA:
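Review bot: The removed `test -z "$(rulesetdir)" || $(mkdir_p) "$(DESTDIR)$(rulesetdir)"` line was the only step that created the destination directory, and nothing creates the new hard-coded `$(PREFIX)/share/examples/prelude-correlator/lua-rules/`; the package Makefile in this import lists only `sbin` in INSTALLATION_DIRS, so unless pkgsrc materialises the REQD_DIRS entry before this rule runs, the `$(rulesetDATA_INSTALL)` calls presumably fail on a missing directory. Keeping a `$(mkdir_p) "$(DESTDIR)$(PREFIX)/share/examples/prelude-correlator/lua-rules"` ahead of the loop removes that dependency. The path is also spelled out literally here while patch-ab relies on the `@EGDIR@` token; using the same token (and adding this Makefile.in to SUBST_FILES.make) would keep the two patches in step when EGDIR changes. The uninstall-rulesetDATA rule begins on the last hunk line and continues outside the hunk.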
#!/bin/sh
#
# $NetBSD: preludecorrelator.sh,v 1.1.1.1 2008/07/21 12:16:46 shannonjr Exp $
#
# PROVIDE: preludecorrelator
# REQUIRE: LOGIN
# Pull in the rc.subr framework unless the caller already did.
$_rc_subr_loaded . /etc/rc.subr

name="preludecorrelator"
rcvar="$name"

# procname is the daemon the wrapper exec()s after dropping privileges;
# start_cmd runs the root-started wrapper that performs that switch.
procname="@PREFIX@/bin/prelude-correlator"
start_cmd="@PREFIX@/sbin/run-prelude-correlator --pidfile @PRELUDE_CORRELATOR_PID_DIR@/prelude-correlator.pid --daemon"
start_precmd="correlator_precommand"

# NOTE(review): the pidfile directory is chowned to @PRELUDE_USER@ by
# correlator_precommand, so the daemon's own account controls the recorded
# pid; rc.subr's pidfile check compares that pid's command against procname
# before signalling -- confirm on the target rc.subr.
pidfile="@PRELUDE_CORRELATOR_PID_DIR@/prelude-correlator.pid"
required_files="@PKG_SYSCONFDIR@/prelude-correlator/prelude-correlator.conf"
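# start_precmd: make sure the pid directory exists and is owned by the
# unprivileged account the correlator ends up running as, so the daemon
# can write its pidfile after run-prelude-correlator drops privileges.
# Each step fails the start explicitly; rc.subr aborts the start when
# start_precmd returns non-zero (unless forced).
correlator_precommand()
{
	/bin/mkdir -p @PRELUDE_CORRELATOR_PID_DIR@ || return 1
	/usr/sbin/chown @PRELUDE_USER@:@PRELUDE_GROUP@ @PRELUDE_CORRELATOR_PID_DIR@ || return 1
	return 0
}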
# Read this service's rc.conf settings, then dispatch the requested action.
load_rc_config "$name"
run_rc_command "$1"
#define PRELUDE_CORRELATOR_USER "@PRELUDE_USER@"
#define PRELUDE_CORRELATOR_PATH "@PREFIX@/bin/prelude-correlator"
#include <sys/stat.h>
#include <sys/wait.h>

#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#define MAX_ARGS 40
#ifndef TRUE
#define TRUE 1
#endif /* TRUE */
#ifndef FALSE
#define FALSE 0
#endif /* FALSE */
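/*
 * Log an error to syslog, appending the textual form of the current errno.
 *
 * str: caller-supplied description of what failed.  It is data, not a
 *      format string: the composed message is handed to syslog() through a
 *      literal "%s" so that '%' sequences in str or in strerror() output
 *      cannot be interpreted as conversion specifiers.
 */
void error_sys(const char *str)
{
	char msg[1024];
	/* Capture errno before any library call in here can disturb it. */
	int saved_errno = errno;

	snprintf(msg, sizeof(msg), "run-prelude-correlator : %s : %s", str, strerror(saved_errno));
	syslog(LOG_ALERT, "%s", msg);
}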
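/*
 * Resolve `name` through the passwd database and return its uid and gid.
 *
 * name:   account name to look up.
 * pw_uid: receives the uid on success; left untouched on failure.
 * pw_gid: receives the gid on success; left untouched on failure.
 *
 * Returns TRUE on success, FALSE when no entry exists or the lookup fails;
 * the failure is reported through error_sys().  errno is cleared before
 * the lookup because getpwnam() leaves it unchanged when it simply finds
 * no entry, which would otherwise make error_sys() log a stale value.
 */
int obtainUIDandGID(const char *name, uid_t *pw_uid, gid_t *pw_gid)
{
	struct passwd *pw_entry;
	char msg[100];

	errno = 0;
	pw_entry = getpwnam(name);
	if (pw_entry == NULL) {
		snprintf(msg, sizeof(msg), "failed to get password entry for %s", name);
		error_sys(msg);
		return FALSE;
	}

	*pw_uid = pw_entry->pw_uid;
	*pw_gid = pw_entry->pw_gid;
	return TRUE;
}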
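/*
 * Detach the forked child from the environment it was started in: its own
 * session, cwd on the root filesystem, permissive umask, and no inherited
 * descriptors beyond stdin/stdout/stderr.
 */
static void detach_child(void)
{
	int max_fd;
	int fd;

	/* A freshly forked child is not a group leader, so this should not fail. */
	(void) setsid();

	/*
	 * Leave the starting directory: a daemon parked on a mounted
	 * filesystem would keep it from being unmounted.  A failure here is
	 * not fatal for the wrapper and is deliberately ignored.
	 */
	(void) chdir("/");

	/*
	 * NOTE(review): umask(0) leaves file modes entirely up to the exec'd
	 * correlator.  If it relies on the inherited mask, 022 or 077 would be
	 * the safer value to hand down -- confirm against prelude-correlator.
	 */
	(void) umask(0);

	/* Close everything the parent may have left open above stderr. */
	max_fd = (int) sysconf(_SC_OPEN_MAX);
	if (max_fd == -1)
		max_fd = getdtablesize();
	for (fd = 3; fd < max_fd; fd++)
		(void) close(fd);
}

/*
 * Switch from root to PRELUDE_CORRELATOR_USER.  Order matters: the
 * supplementary groups and the gid must be set while still root, because
 * once setuid() succeeds none of these calls would be permitted.  Every
 * step is fatal on failure -- continuing as root would defeat the purpose
 * of this wrapper.
 */
static void drop_privileges(void)
{
	uid_t uid;
	gid_t gid;

	if (!obtainUIDandGID(PRELUDE_CORRELATOR_USER, &uid, &gid))
		exit(EXIT_FAILURE);

	/* Without this the child keeps root's supplementary group list. */
	if (initgroups(PRELUDE_CORRELATOR_USER, gid) < 0) {
		error_sys("initgroups failed");
		exit(EXIT_FAILURE);
	}
	if (setgid(gid) < 0) {
		error_sys("setgid failed");
		exit(EXIT_FAILURE);
	}
	if (setuid(uid) < 0) {
		error_sys("setuid failed");
		exit(EXIT_FAILURE);
	}
}

/*
 * Replace the process image with prelude-correlator, forwarding argv[1..].
 * The caller has already checked that argc + 1 slots fit in MAX_ARGS.
 * Returns only if exec fails, in which case the process exits non-zero.
 */
static void exec_correlator(int argc, char **argv)
{
	char *args[MAX_ARGS];
	int i;

	args[0] = PRELUDE_CORRELATOR_PATH;
	for (i = 1; i < argc; i++)
		args[i] = argv[i];
	args[i] = NULL;

	/* The path is absolute, so no PATH search is wanted: execv, not execvp. */
	execv(PRELUDE_CORRELATOR_PATH, args);
	error_sys("execv error");
	exit(EXIT_FAILURE);
}

/*
 * Start prelude-correlator as the unprivileged PRELUDE_CORRELATOR_USER.
 *
 * argc/argv: argv[1..] are forwarded unchanged to the correlator.
 *
 * Must be invoked with effective uid 0.  The parent forks and exits with
 * status 0 at once; the child detaches, drops privileges and exec()s
 * PRELUDE_CORRELATOR_PATH.  Any failure is logged via error_sys() and the
 * failing process exits EXIT_FAILURE -- including a failed fork(), which
 * previously fell off the end of main() and reported success.
 */
int main(int argc, char **argv)
{
	pid_t pid;

	/*
	 * args[] needs argc slots for the path plus forwarded arguments and
	 * one more for the terminating NULL, so argc must stay below MAX_ARGS.
	 */
	if (argc >= MAX_ARGS) {
		error_sys("arg buffer too small");
		exit(EXIT_FAILURE);
	}

	if (geteuid() != 0) {
		error_sys("must be called by root");
		exit(EXIT_FAILURE);
	}

	pid = fork();
	if (pid < 0) {
		error_sys("fork error");
		exit(EXIT_FAILURE);
	}
	if (pid > 0) {
		/* Parent: nothing more to do. */
		exit(0);
	}

	/* Child from here on. */
	detach_child();
	drop_privileges();
	exec_correlator(argc, argv);

	/* Not reached: exec_correlator() either execs or exits. */
	return EXIT_FAILURE;
}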