%define version 1.6

Name: shadowids
Summary: Shadow Intrusion Detection System
Version: %{version}
Release: 0
Copyright: Unknown
Packager: William Stearns
Group: Networking/Utilities
Source: http://www.nswc.navy.mil/ISSEC/CID/step.tar.gz
#Source1: goober.init
#Patch0: goober-2.1-make.patch
#Patch1: goober-2.1-config.patch
#Prereq: /sbin/chkconfig logrotate
#Buildarch: noarch
Vendor: Naval Surface Warfare Center
URL: http://www.nswc.navy.mil/ISSEC/CID/
BuildRoot: /tmp/shadowids-broot

%description
SHADOW is an Intrusion Detection system based on PC class hardware running
freely available software components. A SHADOW system consists of at least
two pieces: a sensor located at a point between an organization's firewall
and its Internet connection; and an analyzer located inside the firewall.
SHADOW performs traffic analysis; the sensor collects address information
from all IP packets that travel between an organization and the Internet;
the analyzer examines the collected data and displays user defined "events
of interest" on a web page.

SHADOW is based on the tcpdump and libpcap software packages developed at
the Lawrence Berkeley Laboratory to collect packet address information and
to filter the collected traffic data according to user defined criteria.
Software developed at the Naval Surface Warfare Center Dahlgren Division
converts the filtered results into web pages and provides a set of
supporting tools for a web server on the analyzer station. An intrusion
detection analyst examines the results using any web browser.

SHADOW displays traffic patterns based on filters constructed by an analyst
to identify traffic that departs from the typical. Stock SHADOW filters
display anomalous activities such as Back Orifice probes, Land attacks, or
the Ping of Death. Analysts are encouraged to modify and add to the filters
as their needs dictate. Knowledgeable analysts are key to successful SHADOW
implementations.
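On a SHADOW sensor the stock filters named above (Back Orifice probes, Land attacks, Ping of Death) are tcpdump/BPF expressions evaluated over IP header bytes. The block below is an added example, not SHADOW's own code or filter set: it pairs each of the three with the tcpdump expression a sensor would run and an equivalent Python predicate over raw IPv4 packets, then scans a handful of constructed packets. Port 31337, the source-equals-destination Land test and the "offset plus length exceeds 65535" Ping of Death test are the classic definitions; the exact BPF arithmetic form of the Ping of Death expression, the addresses and the payloads are assumptions of this example.

```python
"""Added example (not from the SHADOW package): three stock "events of
interest" as tcpdump expressions plus Python predicates over raw IPv4."""
import struct

BACK_ORIFICE_PORT = 31337   # classic default Back Orifice UDP port
IP_MAX_LEN = 65535          # largest datagram an IPv4 total-length field allows


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(src, dst, proto, payload, frag_off=0, more_frags=False, ident=1):
    """Constructed test packet: minimal IPv4 header (no options) + payload.
    frag_off is in bytes and must be a multiple of 8; checksum left at 0."""
    flags_frag = ((0x2000 if more_frags else 0) | (frag_off // 8)) & 0x3FFF
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Decode just the fields the filters need."""
    (vihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    p = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "frag_off": (flags_frag & 0x1FFF) * 8,   # byte offset inside the datagram
        "payload_len": total_len - ihl,
        "sport": None, "dport": None,
    }
    # Transport ports are only present in the first fragment of TCP/UDP.
    if p["frag_off"] == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        p["sport"], p["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return p


# (event name, tcpdump expression a sensor would use, equivalent predicate)
FILTERS = [
    ("land",
     "ip[12:4] = ip[16:4]",                       # source address == destination
     lambda p: p["src"] == p["dst"]),
    ("back-orifice-probe",
     "udp dst port 31337",
     lambda p: p["proto"] == 17 and p["dport"] == BACK_ORIFICE_PORT),
    ("ping-of-death",
     # assumption: BPF arithmetic spelling of "fragment offset + payload > 65535"
     "icmp and ((ip[6:2] & 0x1fff) * 8 + ip[2:2] - (ip[0] & 0xf) * 4) > 65535",
     lambda p: p["proto"] == 1 and p["frag_off"] + p["payload_len"] > IP_MAX_LEN),
]


def events_for(pkt):
    p = parse_ipv4(pkt)
    return [name for name, _bpf, pred in FILTERS if pred(p)]


def scan(packets):
    """Return [(index, [event, ...])] for every packet matching a filter."""
    hits = []
    for i, pkt in enumerate(packets):
        ev = events_for(pkt)
        if ev:
            hits.append((i, ev))
    return hits


# Constructed sample traffic (not captured data): a DNS query, a UDP probe to
# the BO port, a TCP SYN from a host to itself, and an oversized ICMP fragment.
SAMPLE = [
    build_ipv4("10.0.0.5", "192.0.2.53", 17, struct.pack("!HHHH", 40000, 53, 8, 0)),
    build_ipv4("198.51.100.7", "10.0.0.9", 17,
               struct.pack("!HHHH", 1337, 31337, 16, 0) + b"*!*QWTY?"),
    build_ipv4("10.0.0.9", "10.0.0.9", 6,
               struct.pack("!HHIIBBHHH", 139, 139, 1, 0, 0x50, 0x02, 8192, 0, 0)),
    build_ipv4("203.0.113.4", "10.0.0.9", 1, b"\x00" * 1000, frag_off=64800),
]

if __name__ == "__main__":
    for idx, ev in scan(SAMPLE):
        print(idx, ev)
```

The Python side is only there to make the matching rules explicit; on a real sensor the tcpdump expression is what runs, and the analyzer post-processes the hits into the web page. Note that the Ping of Death rule needs the fragment offset, so it fires on a non-initial fragment, where no ICMP type field is available at all.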
%changelog
* Tue Oct 17 2000 William Stearns
- First rpm package from the 1.6 sources.

%prep
%setup -n goober
#Source1 and the patches are not shipped yet; keep their steps disabled
#(%% stops rpm expanding the macro inside the comment).
#%%setup -q -a 1
#%%patch0 -p1 -b .make
#%%patch1 -p1 -b .config

%build
make

%install
#Must match BuildRoot above, or the rm -rf below would hit the live system.
if [ "$RPM_BUILD_ROOT" = "/tmp/shadowids-broot" ]; then
    rm -rf $RPM_BUILD_ROOT
    install -d $RPM_BUILD_ROOT/etc
    install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
    install -d $RPM_BUILD_ROOT/sbin
    install -d $RPM_BUILD_ROOT/usr/man/man8
    install -d $RPM_BUILD_ROOT/var/log/goober
    install -d $RPM_BUILD_ROOT/var/spool/goober
    make BINDIR=$RPM_BUILD_ROOT/sbin CONFIG_FILE=$RPM_BUILD_ROOT/etc/goober.conf install
    cp -p goober.8 $RPM_BUILD_ROOT/usr/man/man8
    #cp -p $RPM_SOURCE_DIR/goober.init $RPM_BUILD_ROOT/etc/rc.d/init.d/goober
else
    echo Invalid Build root
    exit 1
fi

%clean
if [ "$RPM_BUILD_ROOT" = "/tmp/shadowids-broot" ]; then
    rm -rf $RPM_BUILD_ROOT
else
    echo Invalid Build root
    exit 1
fi

%files
%defattr(-,root,root)
%attr(644,root,root) %config /etc/goober.conf
%attr(755,root,root) /etc/rc.d/init.d/goober
%attr(755,root,root) /sbin/goober
%attr(644,root,root) /usr/man/man8/goober.8
%doc faq/* README ChangeLog QUICKSTART doc/*
%doc contrib/url-normalizer.pl contrib/rredir.* contrib/user-agents.pl
%attr(750,nobody,nobody) %dir /var/log/goober
%attr(750,nobody,nobody) %dir /var/spool/goober

%pre
if [ "$1" = "1" ]; then
    #This package is being installed for the first time
    #pre - $1=1 - first install
    :
else
    #This is an upgrade
    #pre - $1=2 - upgrade (technically, $1>1)
    :
fi

%post
/sbin/chkconfig --add goober
if [ "$1" = "1" ]; then
    #This package is being installed for the first time
    if [ -f /etc/rc.d/rc.sysinit ]; then
        if ! grep -q devfsd /etc/rc.d/rc.sysinit; then
            #If no references to devfs yet
            #Add the following lines just after #!/bin/sh or #!/bin/bash.
            #Every added line carries a #devfsdinstall tag so %postun can strip it.
            sed -e 's@\(#!/bin/.*sh\)@\1\
if [ -c /dev/.devfsd ]; then #devfsdinstall\
    if ! ps axf | grep "[d]evfsd" >/dev/null ; then #devfsdinstall\
        #devfs not running yet #devfsdinstall\
        /sbin/devfsd /dev #devfsdinstall\
    fi #devfsdinstall\
fi #devfsdinstall\
@' /etc/rc.d/rc.sysinit >/etc/rc.d/rc.sysinit.tmp
            cat /etc/rc.d/rc.sysinit.tmp >/etc/rc.d/rc.sysinit
            rm -f /etc/rc.d/rc.sysinit.tmp
        fi
    else
        echo "You don't have an /etc/rc.d/rc.sysinit - you will need to add"
        echo 'if [ -c /dev/.devfsd ]; then'
        echo '    if ! ps axf | grep "[d]evfsd" >/dev/null ; then'
        echo '        /sbin/devfsd /dev'
        echo '    fi'
        echo 'fi'
        echo "to your initialization scripts, before any filesystem checking is done."
    fi
fi
if [ "$1" = "1" ]; then
    #This package is being installed for the first time
    #post - $1=1 - first install
    :
else
    #This is an upgrade
    #post - $1=2 - upgrade (technically, $1>1)
    :
fi
/usr/bin/at 04:00 <0) fi

%postun
if [ "$1" = "0" ]; then
    #Final removal, not upgrade.
    if [ -f /etc/rc.d/rc.sysinit ]; then
        if grep -q devfsdinstall /etc/rc.d/rc.sysinit; then
            grep -v devfsdinstall /etc/rc.d/rc.sysinit >/etc/rc.d/rc.sysinit.tmp
            cat /etc/rc.d/rc.sysinit.tmp >/etc/rc.d/rc.sysinit
            rm -f /etc/rc.d/rc.sysinit.tmp
        fi
    fi
fi
if [ "$1" = "0" ]; then
    /sbin/chkconfig --del goober
fi
if [ "$1" = "0" ]; then
    #This is being completely erased, not upgraded
    #postun - $1=0 - final erasure
    :
else
    #This is an upgrade
    #postun - $1=1 - upgrade (technically, $1>0)
    :
fi

#Here are the scripts run at first install, in this order:
#pre - 1 - first install
#post - 1 - first install
#Here are the scripts run during an upgrade, in this order:
#pre - 2 - upgrade
#post - 2 - upgrade
#preun - 1 - upgrade
#postun - 1 - upgrade
#Here are the scripts run at final erase, in this order:
#preun - 0 - final erasure
#postun - 0 - final erasure