From e0911dc699344313e930938075f39a4fe3f008c0 Mon Sep 17 00:00:00 2001
From: Daniel Kopeček
Date: Aug 25 2008 15:59:24 +0000
Subject: Initial commit
---
diff --git a/.cvsignore b/.cvsignore
index e69de29..2ed0b9b 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -0,0 +1 @@
+bro-20080804.tgz
diff --git a/bro-20080804-configurein.patch b/bro-20080804-configurein.patch
new file mode 100644
index 0000000..6bddb1d
--- /dev/null
+++ b/bro-20080804-configurein.patch
@@ -0,0 +1,21 @@
+diff -up bro-20080804/configure.in.orig bro-20080804/configure.in
+--- bro-20080804/configure.in.orig 2008-08-08 15:18:40.000000000 +0200
++++ bro-20080804/configure.in 2008-08-08 15:19:34.000000000 +0200
+@@ -272,7 +272,7 @@ AM_CONDITIONAL(USE_NMALLOC, false)
+ 
+ dnl Our resolver tests below include an absolute libray location.
+ dnl This is its default, it may be changed for some OSs.
+-bro_absolute_libresolv="/usr/lib/libresolv.a"
++bro_absolute_libresolv=""
+ 
+ case "$target_os" in
+ 
+@@ -319,7 +319,7 @@ linux*)
+ AC_MSG_ERROR(version 2 or higher required; see the INSTALL doc for more info)
+ fi
+ if test "a$build_cpu" = "ax86_64"; then
+- bro_absolute_libresolv="/usr/lib64/libresolv.a"
++ bro_absolute_libresolv=""
+ fi
+ ;;
+ 
diff --git a/bro-20080804-installpolicy.patch b/bro-20080804-installpolicy.patch
new file mode 100644
index 0000000..72b0d17
--- /dev/null
+++ b/bro-20080804-installpolicy.patch
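Review bot: The nested patch blanks `bro_absolute_libresolv` in both its `@@ -272` and `@@ -319` hunks, but neither the .patch file nor bro.spec records why, so the next rebase has to guess whether an empty value is still wanted. A one-line header at the top of the .patch file, something like `# Fedora ships no static libresolv.a; leave the absolute path empty so configure's resolver tests use the shared library (bind-devel)`, would pin the intent. I am inferring that rationale from the `bind-devel` BuildRequires in bro.spec; if the reason is different, the comment should say so.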
@@ -0,0 +1,43 @@
+diff -up bro-20080804/policy/Makefile.am.orig bro-20080804/policy/Makefile.am
+--- bro-20080804/policy/Makefile.am.orig 2008-07-29 22:40:43.000000000 +0200
++++ bro-20080804/policy/Makefile.am 2008-08-07 21:33:14.000000000 +0200
+@@ -10,7 +10,7 @@ MOSTLYCLEANFILES = \
+ smb-rw.bif.bro smtp-rw.bif.bro strings.bif.bro
+ 
+ # doesn't end in a sig
+-bropolicydir=${datadir}/bro
++bropolicydir=$(datadir)/bro
+ dist_bropolicy_DATA = bro.init adu.bro alarm.bro analy.bro \
+ anon.bro arp.bro backdoor.bro bittorrent.bro \
+ blaster.bro bt-tracker.bro brolite.bro \
+@@ -59,18 +59,18 @@ dist_bropolicy_DATA = bro.init adu.bro a
+ 
+ 
+ install-data-hook:
+- $(INSTALL_DATA) bro.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) common-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) const.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) dns-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) event.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) finger-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) ftp-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) http-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) ident-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) smb-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) smtp-rw.bif.bro ${bropolicydir}
+- $(INSTALL_DATA) strings.bif.bro ${bropolicydir}
++ $(INSTALL_DATA) bro.bif.bro $(DESTDIR)${bropolicydir}/bro.bif.bro
++ $(INSTALL_DATA) common-rw.bif.bro $(DESTDIR)${bropolicydir}/common-rw.bif.bro
++ $(INSTALL_DATA) const.bif.bro $(DESTDIR)${bropolicydir}/const.bif.bro
++ $(INSTALL_DATA) dns-rw.bif.bro $(DESTDIR)${bropolicydir}/dns-rw.bif.bro
++ $(INSTALL_DATA) event.bif.bro $(DESTDIR)${bropolicydir}/event.bif.bro
++ $(INSTALL_DATA) finger-rw.bif.bro $(DESTDIR)${bropolicydir}/finger-rw.bif.bro
++ $(INSTALL_DATA) ftp-rw.bif.bro $(DESTDIR)${bropolicydir}/ftp-rw.bif.bro
++ $(INSTALL_DATA) http-rw.bif.bro $(DESTDIR)${bropolicydir}/http-rw.bif.bro
++ $(INSTALL_DATA) ident-rw.bif.bro $(DESTDIR)${bropolicydir}/ident-rw.bif.bro
++ $(INSTALL_DATA) smb-rw.bif.bro $(DESTDIR)${bropolicydir}/smb-rw.bif.bro
++ $(INSTALL_DATA) smtp-rw.bif.bro $(DESTDIR)${bropolicydir}/smtp-rw.bif.bro
++ $(INSTALL_DATA) strings.bif.bro $(DESTDIR)${bropolicydir}/strings.bif.bro
+ 
+ uninstall-local:
+ rm -f ${bropolicydir}/bro.bif.bro
diff --git a/bro-20080804.cfg b/bro-20080804.cfg
new file mode 100644
index 0000000..9a2b45a
--- /dev/null
+++ b/bro-20080804.cfg
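Review bot: The `uninstall-local` recipe visible at the bottom of the nested hunk still runs `rm -f ${bropolicydir}/bro.bif.bro` without `$(DESTDIR)`, while the twelve `install-data-hook` lines just above were changed to install under `$(DESTDIR)`; a staged `make uninstall DESTDIR=…` would therefore delete from the live prefix rather than the staging tree. The matching change is `rm -f $(DESTDIR)${bropolicydir}/bro.bif.bro`, and the remaining `uninstall-local` lines (outside this hunk) presumably need the same treatment. As a style point, the first hunk switches `bropolicydir` to `$(datadir)` while every other reference keeps `${bropolicydir}`; automake treats the two forms identically, so picking one throughout would read cleaner.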
@@ -0,0 +1,149 @@ +# Source file config for running bro + +# host only format +BRO_HOSTNAME=`hostname | awk -F. ' { print } '` +# FQDN format +# HOSTNAME=`hostname` + +# Directory containing Bro binaries +BRO_BIN_DIR="/usr/bin" + +# Filename of the Bro start policy +# START_POLICY="default.bro" +BRO_START_POLICY="localhost.bro" + +# Directory containing Bro logs +BROLOGS="/var/log/bro" +export BROLOGS + +# Log archive directory +BRO_LOG_ARCHIVE="/var/log/bro/archive" + +# Directory containing Bro signature files +BRO_SIG_DIR="/usr/share/bro/sigs" + +# Bro policy paths + +# Location of site specific policy and configurations +BROSITE="/var/lib/bro/site" + +# Location of host specific policy and configurations +BROHOST="/var/lib/bro/host" + +BROPATH="${BROSITE}:${BROHOST}:/usr/share/bro/site:/usr/share/bro" +export BROPATH + +# A prefix to use when looking for local policy files to load. +# BRO_PREFIX="local" + +# Location of the Bro executable +BRO="${BRO_BIN_DIR}/bro" + +# Base command line options. +BRO_ADD_OPTS=" -W" +# Turn on Bro's Watchdog feature +BRO_OPTS="${BRO_ADD_OPTS}" + +# Interface name to listen on. The default is to use the busiest one found. +BRO_CAPTURE_INTERFACE="eth0" +# Multiple interface should be specified as a space delimited list. +# Examples: +# CAPTURE_INTERFACE="sk0 sk1 sk5" +# CAPTURE_INTERFACE="eth0 eth3" +# CAPTURE_INTERFACE="eth0" + +# If set to YES and there are any signature files ending with .bro in $SIG_DIR +# then they will be started with bro. Set to NO to disable signatures +# Set to YES to enable bro to run with 'signature matching' on (YES/NO) +BRO_USE_SIGNATURES=YES + +# Shoud a trace (tcpdump) file be created in the log directory (YES/NO) +BRO_CREATE_TRACE_FILE=NO + +# How long to wait during checkpointing after startin a new Bro process and +# stopping the old one. 
This value is in seconds +BRO_CHECKPOINT_OVERLAP_TIME=20 + +# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm) +BRO_REPORT_START_TIME=0010 + +# How often (in hours) to generate an activity report +BRO_REPORT_INTERVAL=24 + +# This is the how often to rotate the logs (in hours) +BRO_LOG_ROTATE_INTERVAL=24 + +# This is the how often to restart bro (in hours) +BRO_CHECKPOINT_INTERVAL=24 + +# The maximum time allowed for a Bro process to cleanup and exit +# This value is in seconds +BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 )) # 2 hours + +# Use this to enable the init script to autorestart Bro in the event of an +# unexpected shutdown. The value should be YES or NO +BRO_ENABLE_AUTORESTART="YES" + +# A value less than 1 means there will be no limit to the number of restarts +# Maximum times to try to auto-restart Bro before giving up. +BRO_MAX_RESTART_ATTEMPTS=-1 + +# Location of the run-time variable directory. This is normally /var/run/bro +# and contains the pidfile and other temporal data. +BRO_RUNTIME_DIR="/var/run/bro" + +# Email address for local reports to be mailed to +BRO_EMAIL_LOCAL="root@localhost" + +# Email address to send from +BRO_EMAIL_FROM="bro@localhost" + +# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc) +BRO_EMAIL_EXTERNAL="NO" + +# Email address for remote reports to be mailed to +BRO_EMAIL_REMOTE="foo@example.bar" + +# User id to install and run Bro under +BRO_USER_ID="bro" + +# Site name for reports (i.e. 
LBNL, FOO.COM, BAZ.ORG) +BRO_SITE_NAME="" + +# Do you want to encrypt email reports (YES/NO) +BRO_ENCRYPT_EMAIL="NO" + +# Location of GPG binary or encrypting email +BRO_GPG_BIN="/usr/bin/gpg" + +# Default BPF buffer +BRO_BPF_BUFSIZE=4194304 + +# Do BPF bonding +BRO_BPFBOND_ENABLE="NO" +# Interfaces to bond +BRO_BPFBOND_FLAGS="em0 em1" + +# diskspace management settings +# Should I manage diskspace +BRO_DISKSPACE_ENABLE="YES" +# percent full to worry about +BRO_DISKSPACE_PCT=90 +# account watching disk space +BRO_DISKSPACE_WATCHER="root" +# days before deleting old logs +BRO_DAYS_2_DELETION=45 +# days before compressing logs +BRO_DAYS_2_COMPRESSION=20 + +# Bulk data capture settings +# Buld data directory +BRO_BULK_DIR="${BROLOGS}/bulk-trace" +# Capture filter for bulk data +BRO_BULK_CAPTURE_FILTER="" +# days before deleting bulk data +BRO_BULK_DAYS_2_DELETION=4 +# days before compressing bulk data +BRO_BULK_DAYS_2_COMPRESSION=2 +# location of sorted log files, needed by Brooery +BROOERY_LOGS="${BROLOGS}/sorted-logs" diff --git a/bro-20080804.rc b/bro-20080804.rc new file mode 100644 index 0000000..d37d817 --- /dev/null +++ b/bro-20080804.rc 
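Review bot: The `BRO_HOSTNAME` line at the top of the file does not produce the "host only format" its comment promises: `awk -F. ' { print } '` prints the whole record, so the value is the full output of `hostname`, and `BRO_LOG_SUFFIX` in the init script gets the FQDN. `BRO_HOSTNAME=$(hostname -s)` (or `awk -F. '{ print $1 }'`) gives the short name the comment describes. The example comments use the unprefixed names `HOSTNAME`, `START_POLICY` and `CAPTURE_INTERFACE` while the live variables are all `BRO_`-prefixed, so copying an example line verbatim silently has no effect; renaming them in the comments to match avoids that. Since this file is sourced by the root init script and its values are spliced unquoted into the bro command line, the root-owned 0644 mode the spec installs it with is the right one and should be kept.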
@@ -0,0 +1,187 @@ +#!/bin/sh +# +# Bro - Open-source, Unix-based Network Intrusion Detection System +# +# chkconfig: - 57 30 +# description: Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) \ +# that passively monitors network traffic and looks for suspicious activity. +# + +### BEGIN INIT INFO +# Provides: +# Required-Start: +# Required-Stop: +# Should-Start: +# Should-Stop: +# Default-Start: +# Default-Stop: +# Short-Description: +# Description: +### END INIT INFO + +# Source function library. +. /etc/rc.d/init.d/functions + +exec="/usr/bin/bro" +prog="bro" +config="/etc/sysconfig/bro" +syslog_cmd="logger" + +[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog + +lockfile=/var/lock/subsys/$prog + +fexists () { + [ -f "${1}" ] || exit 1 + exit 0 +} + +dexists () { + [ -d "${1}" ] || exit 1 + exit 0 +} + +start() { + [ -x $exec ] || exit 5 + + [[ -f "${config}" && \ + -w "${BROLOGS}" && \ + -d "${BRO_BIN_DIR}" && \ + -d "${BRO_LOG_ARCHIVE}" && \ + -d "${BRO_SIG_DIR}" && \ + -d "${BROSITE}" && \ + -d "${BROHOST}" && \ + -f "${BRO}" ]] || exit 6 + + local current_date + local trace_file + local cmd_opts + + cmd_opts="${BRO_OPTS}" + current_date="$(date +%y-%m-%d_%H.%M.%S)" + export \ + BRO_LOG_SUFFIX="${BRO_HOSTNAME}.${current_date}" + + trace_file="${BROLOGS}/trace.${BRO_LOG_SUFFIX}" + info_file="${BROLOGS}/info.${BRO_LOG_SUFFIX}" + + if [ "${BRO_CREATE_TRACE_FILE}" = 'YES' -o "${BRO_CREATE_TRACE_FILE}" = 'yes' ]; then + cmd_opts="${cmd_opts} -w \"${trace_file}\"" + fi + + if [ -n "${BRO_CAPTURE_INTERFACE}" ]; then + for _intf in ${BRO_CAPTURE_INTERFACE}; do + cmd_opts="${cmd_opts} -i ${_intf}" + done + fi + + if [ -n "${BRO_START_POLICY}" ]; then + cmd_opts="${cmd_opts} ${BRO_START_POLICY}" + else + echo "${prog}: No start policy file specified." >&2 + fi + + cd "${BROLOGS}" || exit 6 + + echo -n $"Starting $prog: " + + "${exec}" ${cmd_opts} >> "${info_file}" 2>&1 & + + retval=$? + newpid=$! 
+ + if [ "${retval}" = '0' -o -z "${retval}" ]; then + for ((i=1; i < 11; i++)); do + if [ -f "${info_file}" ]; then + if [ -n "$(grep -E '^listening on' "${info_file}")" ]; then + break + fi + fi + + # break now if the process returned a non-zero value + if [ -n "${retval}" -a "${retval}" != '0' ]; then + break + fi + sleep 1 + done + fi + + if [ "${retval}" != '0' ]; then + ${syslog_cmd} -t "${prog}" "Bro has failed to start." + else + ${syslog_cmd} -t "${prog}" "Bro process (${newpid}) has started" + fi + + if [ $retval -eq 0 ]; then + touch $lockfile + success + else + failure + fi + + echo + return $retval +} + +stop() { + echo -n $"Stopping $prog: " + killproc $prog + retval=$? + echo + [ $retval -eq 0 ] && rm -f $lockfile + return $retval +} + +restart() { + stop + start +} + +reload() { + restart +} + +force_reload() { + restart +} + +rh_status() { + # run checks to determine if the service is running or use generic status + status $prog +} + +rh_status_q() { + rh_status >/dev/null 2>&1 +} + +case "$1" in + start) + rh_status_q && exit 0 + $1 + ;; + stop) + rh_status_q || exit 0 + $1 + ;; + restart) + $1 + ;; + reload) + rh_status_q || exit 7 + $1 + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 2 +esac +exit $? diff --git a/bro.spec b/bro.spec new file mode 100644 index 0000000..77e6bdc --- /dev/null +++ b/bro.spec 
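Review bot: `retval=$?` right after the backgrounded `"${exec}" ${cmd_opts} >> "${info_file}" 2>&1 &` captures the status of launching the job, which is always 0, so the `retval != '0'` branches, the "Bro has failed to start" syslog line and `failure` are unreachable and the lockfile is touched even when bro exits immediately (bad policy file, unreadable interface). The polling loop should instead watch the child with `kill -0 "${newpid}"` and derive `retval` from whether it is still alive once the loop ends; `start()` lies wholly inside this hunk, so the sketch below replaces only the launch-and-wait section. Separately, `cmd_opts="${cmd_opts} -w \"${trace_file}\""` followed by an unquoted `${cmd_opts}` hands bro a path containing literal double-quote characters, since the backslash-escaped quotes survive word splitting as data. `BRO_USER_ID` from the sysconfig file is never consulted, so bro runs as the invoking user (root under chkconfig); if privilege separation is intended, the start line should drop to that user (e.g. via `runuser`), and the `[[ … ]]`, `for ((…))` and `local` constructs only work under `#!/bin/sh` where sh is bash, so `#!/bin/bash` would be the honest shebang.
```shell
	"${exec}" ${cmd_opts} >> "${info_file}" 2>&1 &
	newpid=$!

	# Wait up to 10s for the listening banner; stop early if the child is gone.
	for ((i=1; i < 11; i++)); do
		kill -0 "${newpid}" 2>/dev/null || break
		grep -qE '^listening on' "${info_file}" 2>/dev/null && break
		sleep 1
	done
	# Whether the child is still alive, not the status of `&`, decides success.
	if kill -0 "${newpid}" 2>/dev/null; then
		retval=0
	else
		retval=1
	fi
	# … unchanged: syslog message, lockfile/success/failure, echo, return …
```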
@@ -0,0 +1,117 @@ +%define snapshot 20080804 + +Summary: Open-source, Unix-based Network Intrusion Detection System +Name: bro +Version: 1.4 +Release: 0.1.%{snapshot}svn%{?dist} +License: BSD +Group: Applications/Internet +URL: http://bro-ids.org + +# The source for this package was pulled from upstream's vcs. Use the +# following commands to generate the tarball: +# svn export -r 6043 http://svn.icir.org/bro/trunk/bro bro-%{snapshot} +# tar -czvf bro-%{snapshot}.tgz bro-%{snapshot} + +Source0: bro-%{snapshot}.tgz +Source1: bro-%{snapshot}.cfg +Source2: bro-%{snapshot}.rc +Patch0: bro-%{snapshot}-installpolicy.patch +Patch1: bro-%{snapshot}-configurein.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: libpcap-devel openssl-devel zlib-devel ncurses-devel automake autoconf libtool flex bison file-devel bind-devel + +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts + +%description +Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) +that passively monitors network traffic and looks for suspicious activity. +Bro detects intrusions by first parsing network traffic to extract is +application-level semantics and then executing event-oriented analyzers that +compare the activity with patterns deemed troublesome. Its analysis includes +detection of specific attacks (including those defined by signatures, but also +those defined in terms of events) and unusual activities (e.g., certain hosts +connecting to certain services, or patterns of failed connection attempts). 
+ +%prep +%setup -q -n %{name}-%{snapshot} +%patch0 -p1 -b .installpolicy +%patch1 -p1 -b .configurein + +%build +./autogen.sh +%configure --enable-brov6 --disable-broccoli +%{__make} %{?_smp_mflags} CFLAGS+="-I/usr/include/ncurses" + +%install +rm -rf %{buildroot} +%{__make} DESTDIR="%{buildroot}" install + +# Install config +%{__install} -d -m 755 %{buildroot}%{_sysconfdir}/bro +%{__install} -D -c -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/bro + +# Create runtime dir +%{__install} -d -m 755 %{buildroot}%{_localstatedir}/run/bro + +# Create log dirs +%{__install} -d -m 755 %{buildroot}%{_localstatedir}/log/bro +%{__install} -d -m 755 %{buildroot}%{_localstatedir}/log/bro/archive +%{__install} -d -m 755 %{buildroot}%{_localstatedir}/log/bro/sorted-logs + +# Install scripts +cd scripts/ +%{__install} -d -m 755 %{buildroot}%{_datadir}/bro/scripts +%{__install} -c -m 644 bro.rc-hooks.sh %{buildroot}%{_datadir}/bro/scripts/bro.rc-hooks.sh +%{__install} -D -c -m 755 %{SOURCE2} %{buildroot}%{_initrddir}/bro + +%{__install} -d -m 755 %{buildroot}%{_datadir}/bro/scripts/s2b +%{__install} -c -m 755 snort2bro/snort2bro %{buildroot}%{_datadir}/bro/scripts/s2b/snort2bro +%{__install} -c -m 644 snort2bro/snort2bro.cfg %{buildroot}%{_datadir}/bro/scripts/s2b/snort2bro.cfg +cd .. + +# Install bifs +#%{__install} -d -m 755 %{buildroot}%{_datadir}/bro/bif +#cd src/ +#for bif in $(ls *.bif.bro); do +# %{__install} -c -m 644 ${bif} %{buildroot}%{_datadir}/bro/bif/${bif} +#done +#cd .. 
+ +# Install example signatures, site policy +%{__install} -D -d -m 755 %{buildroot}%{_localstatedir}/lib/bro/site +%{__install} -D -d -m 755 %{buildroot}%{_localstatedir}/lib/bro/host +%{__install} -c -m 644 scripts/s2b/example_bro_files/signatures.sig %{buildroot}%{_localstatedir}/lib/bro/site/signatures.sig +%{__install} -c -m 644 scripts/local.lite.bro %{buildroot}%{_localstatedir}/lib/bro/site/localhost.bro + +rm -rf src/libedit + +%clean +rm -rf %{buildroot} + +%post +/sbin/chkconfig --add bro + +%preun +if [ $1 = 0 ] ; then + /sbin/service bro stop >/dev/null 2>&1 + /sbin/chkconfig --del bro +fi + +%files +%defattr(-,root,root,-) +%doc README COPYING doc/user-manual/Bro-user-manual.pdf doc/ref-manual/Bro-Ref-Manual.pdf doc/quick-start/Bro-quick-start.pdf doc/pubs/*.ps doc/misc/* +%config(noreplace) %{_sysconfdir}/sysconfig/bro +%{_initrddir}/bro +%{_bindir}/bro +%{_datadir}/bro +%{_localstatedir}/run/bro +%{_localstatedir}/log/bro +%{_localstatedir}/lib/bro + +%changelog +* Wed May 7 2008 Daniel Kopecek - 1.4-0.1.20080804svn +- Initial build. diff --git a/import.log b/import.log new file mode 100644 index 0000000..a889814 --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +bro-1_4-0_1_20080804svn_fc9:HEAD:bro-1.4-0.1.20080804svn.fc9.src.rpm:1219686542 diff --git a/sources b/sources index e69de29..d994644 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +e93683240231069f32b960a3f7e5905c bro-20080804.tgz
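Review bot: `scripts/local.lite.bro` and `signatures.sig` are installed under `%{_localstatedir}/lib/bro/site`, which the shipped sysconfig file documents as the location of site-specific policy, yet `%files` lists `%{_localstatedir}/lib/bro` plainly, so every upgrade overwrites an administrator's edits to `localhost.bro` and `signatures.sig`. Marking them `%config(noreplace) %{_localstatedir}/lib/bro/site/localhost.bro` and `%config(noreplace) %{_localstatedir}/lib/bro/site/signatures.sig` preserves local policy across upgrades. The commented-out bif install loop under `# Install bifs` is dead code now that the installpolicy patch handles those files in `install-data-hook`; it should be dropped or carry a comment saying why it is kept. `rm -rf src/libedit` in `%install` runs after `%build` has finished, so if it is meant to keep a bundled libedit out of the build it is too late to affect what the binary linked against — I am inferring that intent, but if so the removal (or a configure switch plus a BuildRequires on the system library) belongs in `%prep`.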