From ceb90dda6ed16f2640fb7f54a66633d9463e5529 Mon Sep 17 00:00:00 2001
From: Boris V <david.cla2@gmail.com>
Date: Mon, 30 Jan 2017 19:06:04 +0700
Subject: network/psad: Added (Intrusion Detection and Log Analysis).

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
---
 network/psad/README          |  27 ++++++++++
 network/psad/doinst.sh       |  35 ++++++++++++
 network/psad/psad.SlackBuild | 126 +++++++++++++++++++++++++++++++++++++++++++
 network/psad/psad.info       |  10 ++++
 network/psad/slack-desc      |  19 +++++++
 5 files changed, 217 insertions(+)
 create mode 100644 network/psad/README
 create mode 100644 network/psad/doinst.sh
 create mode 100644 network/psad/psad.SlackBuild
 create mode 100644 network/psad/psad.info
 create mode 100644 network/psad/slack-desc

(limited to 'network/psad')

diff --git a/network/psad/README b/network/psad/README
new file mode 100644
index 0000000000..524336af61
--- /dev/null
+++ b/network/psad/README
@@ -0,0 +1,27 @@
+psad (Intrusion Detection and Log Analysis with iptables)
+
+psad is a collection of three lightweight system daemons (two main
+daemons and one helper daemon) that run on Linux machines and analyze
+iptables log messages to detect port scans and other suspicious traffic.
+A typical deployment is to run psad on the iptables firewall where it has
+the fastest access to log data.
+
+You can set email for alerts by setting ALERTSEMAIL:
+
+ALERTSEMAIL=alerts@example.com ./psad.SlackBuild
+
+You need at least these rules:
+
+iptables -A INPUT -j LOG
+iptables -A FORWARD -j LOG
+
+but more usefull will be something like this:
+
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+iptables -A INPUT -j LOG
+iptables -A INPUT -j DROP
+
+please see documentation for more information.
diff --git a/network/psad/doinst.sh b/network/psad/doinst.sh
new file mode 100644
index 0000000000..740c9470bc
--- /dev/null
+++ b/network/psad/doinst.sh
@@ -0,0 +1,35 @@
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+    # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  if [ -e $OLD ]; then
+    cp -a $OLD ${NEW}.incoming
+    cat $NEW > ${NEW}.incoming
+    mv ${NEW}.incoming $NEW
+  fi
+  config $NEW
+}
+
+preserve_perms etc/rc.d/rc.psad.new
+config etc/psad/auto_dl.new
+config etc/psad/icmp6_types.new
+config etc/psad/icmp_types.new
+config etc/psad/ip_options.new
+config etc/psad/pf.os.new
+config etc/psad/posf.new
+config etc/psad/protocols.new
+config etc/psad/psad.conf.new
+config etc/psad/signatures.new
+config etc/psad/snort_rule_dl.new
diff --git a/network/psad/psad.SlackBuild b/network/psad/psad.SlackBuild
new file mode 100644
index 0000000000..d60dcdf5a7
--- /dev/null
+++ b/network/psad/psad.SlackBuild
@@ -0,0 +1,126 @@
+#!/bin/sh
+
+# Slackware build script for psad
+
+# Copyright 2017 Boris V. <david.cla2@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+#  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
+#  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+#  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+#  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+#  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+#  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=psad
+VERSION=${VERSION:-2.4.3}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+ALERTSEMAIL=${ALERTSEMAIL:-root@localhost}
+
+SRCNAM="$(printf $PRGNAM | cut -d- -f2-)"
+
+if [ -z "$ARCH" ]; then
+  case "$( uname -m )" in
+    i?86) ARCH=i586 ;;
+    arm*) ARCH=arm ;;
+       *) ARCH=$( uname -m ) ;;
+  esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $SRCNAM-$VERSION
+tar xvf $CWD/$SRCNAM-$VERSION.tar.bz2
+mkdir -p $PKG/etc/rc.d
+mkdir -p $PKG/usr/bin
+cd $SRCNAM-$VERSION
+chown -R root:root .
+cat > install.answers <<EOF
+Would you like alerts sent to a different address:        y;
+Email addresses:        $ALERTSEMAIL;
+Would you like psad to only parse specific strings in iptables messages:        n;
+FW search strings:        psad;
+First is it ok to leave the HOME_NET setting as any:        y;
+Would you like to enable DShield alerts:        n;
+Would you like to install the latest signatures from http www cipherdyne org psad signatures:        n;
+Enable psad at boot time:        n;
+EOF
+find -L . \
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+  -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
+  -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+mkdir -p $PKG/var/log
+mkdir -p $PKG/var/lib
+mkdir -p $PKG/var/run
+
+sed -i 's/ENABLE_PSADWATCHD           N;/ENABLE_PSADWATCHD           Y;/g' psad.conf
+sed -i "s|usr/share/man|usr/man|g" install.pl
+
+perl install.pl \
+  --install-root $PKG \
+  --init-dir $PKG/etc/rc.d \
+  --init-name rc.psad.new \
+  --no-rm-lib-dir \
+  --no-syslog-test \
+  -U \
+  -a $TMP/$SRCNAM-$VERSION/install.answers
+
+
+SRCPATH=${PKG//\//\\\/}
+SRCPATH2="$SRCPATH\/"
+DSTPATH="\/"
+
+echo $SRCPATH
+echo $SRCPATH2
+find $PKG/ -type f -name '*.conf' -exec sed -i "s/$SRCPATH/$DSTPATH/g" {} +
+find $PKG/ -type f -regex '.*\.\(pod\|conf\|packlist\)' -exec sed -i "s/$SRCPATH2/$DSTPATH/g" {} +
+
+mkdir -p $PKG/etc/logrotate.d
+cp logrotate.psad $PKG/etc/logrotate.d/
+
+mv $PKG/etc/psad/auto_dl $PKG/etc/psad/auto_dl.new
+mv $PKG/etc/psad/icmp6_types $PKG/etc/psad/icmp6_types.new
+mv $PKG/etc/psad/icmp_types $PKG/etc/psad/icmp_types.new
+mv $PKG/etc/psad/ip_options $PKG/etc/psad/ip_options.new
+mv $PKG/etc/psad/pf.os $PKG/etc/psad/pf.os.new
+mv $PKG/etc/psad/posf $PKG/etc/psad/posf.new
+mv $PKG/etc/psad/protocols $PKG/etc/psad/protocols.new
+mv $PKG/etc/psad/psad.conf $PKG/etc/psad/psad.conf.new
+mv $PKG/etc/psad/signatures $PKG/etc/psad/signatures.new
+mv $PKG/etc/psad/snort_rule_dl $PKG/etc/psad/snort_rule_dl.new
+
+sed -i 's/start)/start)\n    mkdir -p \/var\/run\/psad/g' $PKG/etc/rc.d/rc.psad.new
+sed -i 's/\/var\/log\/messages;/\/var\/log\/syslog;/g' $PKG/etc/psad/psad.conf.new
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a BENCHMARK CREDITS ChangeLog FW_EXAMPLE_RULES FW_HELP LICENSE README* \
+  $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/network/psad/psad.info b/network/psad/psad.info
new file mode 100644
index 0000000000..f9f1912075
--- /dev/null
+++ b/network/psad/psad.info
@@ -0,0 +1,10 @@
+PRGNAM="psad"
+VERSION="2.4.3"
+HOMEPAGE="http://www.cipherdyne.org/psad/"
+DOWNLOAD="http://www.cipherdyne.org/psad/download/psad-2.4.3.tar.bz2"
+MD5SUM="a0e51465ec662b4725a7018a9d2cda61"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES=""
+MAINTAINER="Boris V."
+EMAIL="david.cla2@gmail.com"
diff --git a/network/psad/slack-desc b/network/psad/slack-desc
new file mode 100644
index 0000000000..ce95b9bb64
--- /dev/null
+++ b/network/psad/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct.  It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+    |-----handy-ruler------------------------------------------------------|
+psad: psad (Intrusion Detection and Log Analysis with iptables)
+psad:
+psad: psad is a collection of three lightweight system daemons (two main
+psad: daemons and one helper daemon) that run on Linux machines and analyze
+psad: iptables log messages to detect port scans and other suspicious
+psad: traffic.
+psad: A typical deployment is to run psad on the iptables firewall where
+pas: it has the fastest access to log data.
+psad:
+psad: Homepage: http://www.cipherdyne.org/psad/
+psad:
-- 
cgit v1.2.3