--- prelude-correlator-1.0.0.orig/debian/README.Debian +++ prelude-correlator-1.0.0/debian/README.Debian @@ -0,0 +1,20 @@ +Prelude-Correlator specific notes for Debian +============================================ + +Installation +------------ + +After installing the package, you need to register the correlator +to the Prelude Manager. + +The package will create a dedicated user for the correlator (since +it does not require root privileges), so the registration line will +be something like:: + + prelude-admin register prelude-correlator "idmef:rw" --uid prelude-correlator --gid prelude-correlator + +After you have registered the correlator, you can edit /etc/default/prelude-correlator and set:: + + RUN=yes + + --- prelude-correlator-1.0.0.orig/debian/changelog +++ prelude-correlator-1.0.0/debian/changelog 
@@ -0,0 +1,119 @@ +prelude-correlator (1.0.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Port from python-support to dh-python (Closes: #786006) + * Replace pyversions with X-Python-Version + + -- Ross Gammon Mon, 28 Sep 2015 21:18:41 +0200 + +prelude-correlator (1.0.0-1) unstable; urgency=low + + * Imported Upstream version 1.0.0 + * Fix watch file + * Install sample plugin in /usr/share/doc + + -- Pierre Chifflier Thu, 18 Mar 2010 17:19:40 +0100 + +prelude-correlator (1.0.0~rc4-1) unstable; urgency=low + + * Imported Upstream version 1.0.0rc4 + * Update watch file + * Use --install-layout=deb option to setup.py install + * Install example plugin in /usr/share/doc + + -- Pierre Chifflier Mon, 08 Mar 2010 23:07:50 +0100 + +prelude-correlator (1.0.0~rc2-1) unstable; urgency=low + + * New upstream release + * Bump standards version to 3.8.4 + + -- Pierre Chifflier Thu, 04 Feb 2010 23:10:09 +0100 + +prelude-correlator (0.9.0~beta8-2) unstable; urgency=low + + * Fix paths in setupconfig.py + * Use recursive chown on /var/lib/prelude-correlator to also change + the .dat files + + -- Pierre Chifflier Mon, 23 Nov 2009 16:21:18 +0100 + +prelude-correlator (0.9.0~beta8-1) unstable; urgency=low + + * New upstream release + * Lower setuptools requirement, not useful + + -- Pierre Chifflier Fri, 13 Nov 2009 16:00:18 +0100 + +prelude-correlator (0.9.0~beta7-1) unstable; urgency=low + + * New upstream release: + - New SpamhausDrop plugin + - Python 2.4 backward compatibility fixes + - Handle plugin loading error gracefully + - Improve WormPlugin accuracy + - Dshield CorrelationAlert now handle multiples events + + -- Pierre Chifflier Mon, 02 Nov 2009 19:03:20 +0100 + +prelude-correlator (0.9.0~beta6-2) unstable; urgency=high + + * Add dependency on python-pkg-resources (Closes: #544561) + * Urgency high, serious bug + * Bump standards version to 3.8.3 (no changes) + + -- Pierre Chifflier Thu, 10 Sep 2009 22:13:55 +0200 + +prelude-correlator (0.9.0~beta6-1) 
unstable; urgency=low + + * New Upstream Version + + -- Pierre Chifflier Sat, 11 Jul 2009 14:29:23 +0200 + +prelude-correlator (0.9.0~beta5-1) unstable; urgency=low + + * New upstream release + - Prelude Correlator has switched to Python, see + http://lists.prelude-ids.org/pipermail/prelude-user/2009-April/005163.html + for the explanation. + - Support DShield correlation + * Switch package to architecture-independant + * Use python-support + * Bump standards version to 3.8.2 (no changes) + + -- Pierre Chifflier Fri, 19 Jun 2009 14:30:51 +0200 + +prelude-correlator (0.9.0~beta3-2) unstable; urgency=high + + * Bump standards version to 3.8.1 (no changes) + * Fix FTBFS (Closes: #527531) + * Urgency high, RC bug + + -- Pierre Chifflier Fri, 08 May 2009 21:47:15 +0200 + +prelude-correlator (0.9.0~beta3-1) unstable; urgency=low + + * New (beta) upstream release + + -- Pierre Chifflier Fri, 11 Jul 2008 15:15:38 +0200 + +prelude-correlator (0.9.0~beta2-3) unstable; urgency=low + + * Add init script + * Create dedicated prelude-correlator user + * Run daemon as non-privileged user prelude-correlator + * Add some notes on what to do after installation + + -- Pierre Chifflier Wed, 09 Jul 2008 17:12:16 +0200 + +prelude-correlator (0.9.0~beta2-2) unstable; urgency=low + + * Add pkg-config to build dependencies (Closes: #490026) + + -- Pierre Chifflier Wed, 09 Jul 2008 13:58:50 +0200 + +prelude-correlator (0.9.0~beta2-1) unstable; urgency=low + + * Initial release (Closes: #488664) + + -- Pierre Chifflier Mon, 07 Jul 2008 10:03:37 +0200 --- prelude-correlator-1.0.0.orig/debian/compat +++ prelude-correlator-1.0.0/debian/compat @@ -0,0 +1 @@ +5 --- prelude-correlator-1.0.0.orig/debian/control +++ prelude-correlator-1.0.0/debian/control 
@@ -0,0 +1,33 @@ +Source: prelude-correlator +Section: admin +Priority: extra +Maintainer: Pierre Chifflier +Build-Depends: debhelper (>> 5.0.0), + python, + python-setuptools (>= 0.6c8), + dh-python, + python-prelude (>= 0.9.23) +Standards-Version: 3.8.4 +Homepage: http://www.prelude-ids.com/ +X-Python-Version: >= 2.5 + +Package: prelude-correlator +Architecture: all +Depends: ${python:Depends}, ${misc:Depends}, + python-prelude (>= 0.9.23), + python-pkg-resources (>= 0.6c8-4), + adduser +Description: Security Information Management System [ Correlator ] + Prelude is a Universal "Security Information Management" (SIM) system. + Prelude collects, normalizes, sorts, aggregates, correlates and reports all + security-related events independently of the source or event. + . + This package provides the Prelude Correlator, which is a powerful + correlation engine using Python to write correlation rules. + . + The features currently include: + * Rapid identification of important security events, enabling the analyst to + assign task priorities + * Alert correlation originally from heterogeneous sensors deployed on the + whole infrastructure + * Real-time analysis of events received by the Prelude Manager --- prelude-correlator-1.0.0.orig/debian/copyright +++ prelude-correlator-1.0.0/debian/copyright 
@@ -0,0 +1,31 @@ +This package was debianized by Pierre Chifflier on +Mon, 30 Jun 2008 14:42:58 +0200. + +It was downloaded from http://www.prelude-ids.com/en/development/download/index.html + +Upstream Author: Yoann Vandoorselaere + +Copyright (C) 2007,2008 PreludeIDS Technologies. + +License: + + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA· + 02110-1301, USA.· + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL-2' + +The Debian packaging is (C) 2008, Pierre Chifflier and +is licensed under the GPL, see `/usr/share/common-licenses/GPL'. + --- prelude-correlator-1.0.0.orig/debian/dirs +++ prelude-correlator-1.0.0/debian/dirs @@ -0,0 +1,4 @@ +usr/bin +usr/lib/prelude-correlator +usr/share/prelude-correlator +var/lib/prelude-correlator --- prelude-correlator-1.0.0.orig/debian/docs +++ prelude-correlator-1.0.0/debian/docs @@ -0,0 +1,2 @@ +NEWS +README --- prelude-correlator-1.0.0.orig/debian/prelude-correlator.default +++ prelude-correlator-1.0.0/debian/prelude-correlator.default 
@@ -0,0 +1,6 @@ +DAEMONUSER=prelude-correlator # Users to run the daemons as. + +RUN=no # set to yes to start the server in the init.d script. + # you need to register the "prelude-correlator" profile + # before being able to start the correlator automatically + --- prelude-correlator-1.0.0.orig/debian/prelude-correlator.examples +++ prelude-correlator-1.0.0/debian/prelude-correlator.examples @@ -0,0 +1 @@ +docs/sample-plugin --- prelude-correlator-1.0.0.orig/debian/prelude-correlator.init +++ prelude-correlator-1.0.0/debian/prelude-correlator.init 
@@ -0,0 +1,296 @@ +#!/bin/sh +# +# init.d script for prelude-correlator with LSB support. +# +# Copyright (c) 2008 Pierre Chifflier +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: prelude-correlator +# Required-Start: $network $local_fs $remote_fs $syslog +# Required-Stop: $remote_fs +# Should-Start: $named +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Correlation engine for Prelude IDS +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/bin/prelude-correlator # Introduce the server's location here +NAME=prelude-correlator # Introduce the short server's name here +DESC=prelude-correlator # Introduce a short description here +LOGDIR=/var/log/prelude-correlator # Log directory to use + +PIDFILE=/var/run/$NAME.pid + +test -x $DAEMON || exit 0 + +. 
/lib/lsb/init-functions + +# Default options, these can be overriden by the information +# at /etc/default/$NAME +DAEMON_OPTS="-d -P $PIDFILE" # Additional options given to the server + +DIETIME=3 # Time to wait for the server to die, in seconds + # If this value is set too low you might not + # let some servers to die gracefully and + # 'restart' will not work + +#STARTTIME=2 # Time to wait for the server to start, in seconds + # If this value is set each time the server is + # started (on start or restart) the script will + # stall to try to determine if it is running + # If it is not set and the server takes time + # to setup a pid file the log message might + # be a false positive (says it did not start + # when it actually did) + +LOGFILE=$LOGDIR/$NAME.log # Server logfile +#DAEMONUSER=prelude-correlator # Users to run the daemons as. If this value + # is set start-stop-daemon will chuid the server + +# Include defaults if available +if [ -f /etc/default/$NAME ] ; then + . /etc/default/$NAME +fi + +# Use this if you want the user to explicitly set 'RUN' in +# /etc/default/ +if [ "x$RUN" != "xyes" ] ; then + log_failure_msg "$NAME disabled, please adjust the configuration to your needs " + log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it." + exit 0 +fi + +# Check that the user exists (if we set a user) +# Does the user exist? +if [ -n "$DAEMONUSER" ] ; then + if getent passwd | grep -q "^$DAEMONUSER:"; then + # Obtain the uid and gid + DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'` + DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'` + else + log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist." + exit 1 + fi +fi + + +set -e + +running_pid() { +# Check if a given process pid's cmdline matches a given name + pid=$1 + name=$2 + [ -z "$pid" ] && return 1 + [ ! 
-d /proc/$pid ] && return 1 + #cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1` + ## Is this the expected server + #[ "$cmd" != "$name" ] && return 1 + cat /proc/$pid/cmdline | grep -q -s $name + result=$? + if [ "x$result" != "x0" ]; then return 1; fi + return 0 +} + +running() { +# Check if the process is running looking at /proc +# (works for all users) + + # No pidfile, probably no daemon present + [ ! -f "$PIDFILE" ] && return 1 + pid=`cat $PIDFILE` + running_pid $pid $DAEMON || return 1 + return 0 +} + +start_server() { +# Start the process using the wrapper + if [ -z "$DAEMONUSER" ] ; then + start_daemon -p $PIDFILE $DAEMON $DAEMON_OPTS + errcode=$? + else +# if we are using a daemonuser then change the user id + touch $PIDFILE + chown $DAEMONUSER $PIDFILE + start-stop-daemon --start --quiet --pidfile $PIDFILE \ + --chuid $DAEMONUSER \ + --exec $DAEMON -- $DAEMON_OPTS + errcode=$? + fi + # give it 1 second to start + sleep 1 + return $errcode +} + +stop_server() { +# Stop the process using the wrapper + if [ -z "$DAEMONUSER" ] ; then + killproc -p $PIDFILE $DAEMON + errcode=$? + else +# if we are using a daemonuser then look for process that match + start-stop-daemon --stop --quiet --pidfile $PIDFILE \ + --user $DAEMONUSER + errcode=$? + fi + + return $errcode +} + +reload_server() { + [ ! -f "$PIDFILE" ] && return 1 + pid=pidofproc $PIDFILE # This is the daemon's pid + # Send a SIGHUP + kill -1 $pid + return $? +} + +force_stop() { +# Force the process to die killing it manually + [ ! -e "$PIDFILE" ] && return + if running ; then + kill -15 $pid + # Is it really dead? + sleep "$DIETIME"s + if running ; then + kill -9 $pid + sleep "$DIETIME"s + if running ; then + echo "Cannot kill $NAME (pid=$pid)!" 
+ exit 1 + fi + fi + fi + rm -f $PIDFILE +} + + +case "$1" in + start) + log_daemon_msg "Starting $DESC " "$NAME" + # Check if it's running first + if running ; then + log_progress_msg "apparently already running" + log_end_msg 0 + exit 0 + fi + if start_server ; then + # NOTE: Some servers might die some time after they start, + # this code will detect this issue if STARTTIME is set + # to a reasonable value + [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time + if running ; then + # It's ok, the server started and is running + log_end_msg 0 + else + # It is not running after we did start + log_end_msg 1 + fi + else + # Either we could not start it + log_end_msg 1 + fi + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + if running ; then + # Only stop the server if we see it running + errcode=0 + stop_server || errcode=$? + log_end_msg $errcode + else + # If it's not running don't do anything + log_progress_msg "apparently not running" + log_end_msg 0 + exit 0 + fi + ;; + force-stop) + # First try to stop gracefully the program + $0 stop + if running; then + # If it's still running try to kill it more forcefully + log_daemon_msg "Stopping (force) $DESC" "$NAME" + errcode=0 + force_stop || errcode=$? + log_end_msg $errcode + fi + ;; + restart|force-reload) + log_daemon_msg "Restarting $DESC" "$NAME" + errcode=0 + stop_server || errcode=$? + # Wait some sensible amount, some server need this + [ -n "$DIETIME" ] && sleep $DIETIME + start_server || errcode=$? + [ -n "$STARTTIME" ] && sleep $STARTTIME + running || errcode=$? + log_end_msg $errcode + ;; + status) + + log_daemon_msg "Checking status of $DESC" "$NAME" + if running ; then + log_progress_msg "running" + log_end_msg 0 + else + log_progress_msg "apparently not running" + log_end_msg 1 + exit 1 + fi + ;; + # Use this if the daemon cannot reload + reload) + log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon" + log_warning_msg "cannot re-read the config file (use restart)." 
+ ;; + # And this if it cann + #reload) + # + # If the daemon can reload its config files on the fly + # for example by sending it SIGHUP, do it here. + # + # If the daemon responds to changes in its config file + # directly anyway, make this a do-nothing entry. + # + # log_daemon_msg "Reloading $DESC configuration files" "$NAME" + # if running ; then + # reload_server + # if ! running ; then + # Process died after we tried to reload + # log_progress_msg "died on reload" + # log_end_msg 1 + # exit 1 + # fi + # else + # log_progress_msg "server is not running" + # log_end_msg 1 + # exit 1 + # fi + #;; + + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2 + exit 1 + ;; +esac + +exit 0 --- prelude-correlator-1.0.0.orig/debian/prelude-correlator.install +++ prelude-correlator-1.0.0/debian/prelude-correlator.install @@ -0,0 +1,4 @@ +etc/prelude-correlator +usr/bin +usr/lib/python* +var/lib/prelude-correlator --- prelude-correlator-1.0.0.orig/debian/prelude-correlator.postinst +++ prelude-correlator-1.0.0/debian/prelude-correlator.postinst @@ -0,0 +1,21 @@ +#!/bin/sh + +set -e + +DAEMON_USER="prelude-correlator" + +add_sysuser() +{ + if ! getent passwd $DAEMON_USER >/dev/null; then + adduser --system --disabled-login --no-create-home --group $DAEMON_USER 2>&1 > /dev/null + fi +} + +add_sysuser + +chown -R prelude-correlator /var/lib/prelude-correlator + +#DEBHELPER# + +exit 0 + --- prelude-correlator-1.0.0.orig/debian/prelude-correlator.postrm +++ prelude-correlator-1.0.0/debian/prelude-correlator.postrm @@ -0,0 +1,13 @@ +#!/bin/sh -e + +DAEMON_USER="prelude-correlator" + +if [ "$1" = "purge" ] +then + deluser $DAEMON_USER || true +fi + +#DEBHELPER# + +exit 0 + --- prelude-correlator-1.0.0.orig/debian/rules +++ prelude-correlator-1.0.0/debian/rules 
@@ -0,0 +1,86 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + +build: + +build-stamp: config.status + dh_testdir + + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + + # Add here commands to clean up after the build process. + [ ! -f Makefile ] || $(MAKE) distclean + find $(CURDIR) -name "*.pyc" -delete + rm -rf build + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/prelude-correlator. + python setup.py install --root=$(CURDIR)/debian/tmp --prefix=/usr --install-layout=deb + + # fix python crap + #mv $(CURDIR)/debian/tmp/usr/etc $(CURDIR)/debian/tmp/etc + #mv $(CURDIR)/debian/tmp/usr/var $(CURDIR)/debian/tmp/var + find $(CURDIR)/debian/tmp -name "siteconfig.py" -exec \ + sed -i -e 's|/home/.*/debian/tmp/usr||' {} \; + + dh_install --list-missing --sourcedir=debian/tmp + + +# Build architecture-dependent files here. +binary-arch: build install +# We have nothing to do by default. + +# Build architecture-independent files here. 
+binary-indep: build install + dh_testdir + dh_testroot + dh_installchangelogs ChangeLog + dh_installdocs + dh_installexamples +# dh_install +# dh_installmenu +# dh_installdebconf +# dh_installlogrotate +# dh_installemacsen +# dh_installpam +# dh_installmime + dh_python2 + dh_installinit +# dh_installcron +# dh_installinfo + dh_installman + dh_link + dh_strip + dh_compress + dh_fixperms +# dh_perl +# dh_makeshlibs + dh_installdeb + #dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- prelude-correlator-1.0.0.orig/debian/watch +++ prelude-correlator-1.0.0/debian/watch @@ -0,0 +1,13 @@ +# Example watch control file for uscan +# Rename this file to "watch" and then you can run the "uscan" command +# to check for upstream updates and more. +# See uscan(1) for format + +# Compulsory line, this is a version 3 file +version=3 + +#opts=uversionmangle=s/\.?-(beta.*)/~$1/ \ +#opts=uversionmangle=s/\.?-(rc.*)/~$1/ \ +http://www.prelude-technologies.com/en/development/download/index.html \ + /download/releases/prelude-correlator/prelude-correlator-([\d\.]*)\.tar\.gz + --- prelude-correlator-1.0.0.orig/prelude_correlator.egg-info/PKG-INFO +++ prelude-correlator-1.0.0/prelude_correlator.egg-info/PKG-INFO @@ -1,4 +1,4 @@ -Metadata-Version: 1.0 +Metadata-Version: 1.1 Name: prelude-correlator Version: 1.0.0 Summary: Prelude-Correlator perform real time correlation of events received by Prelude --- prelude-correlator-1.0.0.orig/prelude_correlator.egg-info/SOURCES.txt +++ prelude-correlator-1.0.0/prelude_correlator.egg-info/SOURCES.txt @@ -6,6 +6,7 @@ README ez_setup.py prelude-correlator.conf +setup.cfg setup.py PreludeCorrelator/__init__.py PreludeCorrelator/config.py 
@@ -15,6 +16,7 @@ PreludeCorrelator/main.py PreludeCorrelator/pluginmanager.py PreludeCorrelator/require.py +PreludeCorrelator/siteconfig.py PreludeCorrelator/utils.py PreludeCorrelator/plugins/__init__.py PreludeCorrelator/plugins/bruteforce.py --- prelude-correlator-1.0.0.orig/prelude_correlator.egg-info/entry_points.txt +++ prelude-correlator-1.0.0/prelude_correlator.egg-info/entry_points.txt @@ -1,14 +1,14 @@ [PreludeCorrelator.plugins] -OpenSSHAuthPlugin = PreludeCorrelator.plugins.opensshauth:OpenSSHAuthPlugin -EventSweepPlugin = PreludeCorrelator.plugins.scan:EventSweepPlugin -BusinessHourPlugin = PreludeCorrelator.plugins.businesshour:BusinessHourPlugin -WormPlugin = PreludeCorrelator.plugins.worm:WormPlugin -FirewallPlugin = PreludeCorrelator.plugins.firewall:FirewallPlugin BruteForcePlugin = PreludeCorrelator.plugins.bruteforce:BruteForcePlugin -EventStormPlugin = PreludeCorrelator.plugins.scan:EventStormPlugin -SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin +BusinessHourPlugin = PreludeCorrelator.plugins.businesshour:BusinessHourPlugin DshieldPlugin = PreludeCorrelator.plugins.dshield:DshieldPlugin EventScanPlugin = PreludeCorrelator.plugins.scan:EventScanPlugin +EventStormPlugin = PreludeCorrelator.plugins.scan:EventStormPlugin +EventSweepPlugin = PreludeCorrelator.plugins.scan:EventSweepPlugin +FirewallPlugin = PreludeCorrelator.plugins.firewall:FirewallPlugin +OpenSSHAuthPlugin = PreludeCorrelator.plugins.opensshauth:OpenSSHAuthPlugin +SpamhausDropPlugin = PreludeCorrelator.plugins.spamhausdrop:SpamhausDropPlugin +WormPlugin = PreludeCorrelator.plugins.worm:WormPlugin [console_scripts] prelude-correlator = PreludeCorrelator.main:main
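Review bot: in the prelude-correlator.default hunk, DAEMONUSER is only set here (the init script's own `#DAEMONUSER=prelude-correlator` line is commented out), and start_server falls back to `start_daemon -p $PIDFILE $DAEMON $DAEMON_OPTS` with no `--chuid` when DAEMONUSER is empty, so an administrator who blanks or deletes that line silently gets the correlator running as root. Since the package creates the account precisely so the daemon never needs root, set `DAEMONUSER=prelude-correlator` unconditionally in the init script and treat the defaults file as an override only, or make start_server refuse to start when DAEMONUSER is empty. The comment "Users to run the daemons as" should also read "User".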
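Review bot: in the prelude-correlator.init hunk, start_server does `touch $PIDFILE` then `chown $DAEMONUSER $PIDFILE`, and force_stop later runs `kill -15 $pid` and `kill -9 $pid` as root on whatever number that file holds, so a compromised prelude-correlator account can write another process's PID into /var/run/prelude-correlator.pid and have root signal it. The only gate is running_pid, whose check `cat /proc/$pid/cmdline | grep -q -s $name` is an unanchored substring match that any process with /usr/bin/prelude-correlator somewhere in its arguments satisfies. stop_server already does this safely with `start-stop-daemon --stop --quiet --pidfile $PIDFILE --user $DAEMONUSER`, which only signals processes owned by that user; force_stop should use the same call with `--retry` instead of raw kill, or at minimum verify that /proc/$pid belongs to $DAEMONUSER before signalling. Two smaller points in the same hunk: `pid=pidofproc $PIDFILE` in reload_server is an environment prefix followed by an attempt to execute the pidfile as a command (it wants `pid=$(pidofproc -p $PIDFILE $DAEMON)`), which only stays harmless because the reload case never calls it; and DAEMONUID/DAEMONGID are computed with `getent passwd | grep "^$DAEMONUSER:"` but never used, so that whole block can shrink to `getent passwd "$DAEMONUSER" >/dev/null || exit 1`.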
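Review bot: in the prelude-correlator.postinst hunk, `chown -R prelude-correlator /var/lib/prelude-correlator` runs as root on every invocation (upgrades included, since there is no `[ "$1" = "configure" ]` guard) over a tree that the unprivileged daemon writes into (the changelog mentions its .dat files there). Restrict it to first install (`$2` empty) and use `chown -Rh` so symlinks the daemon account could plant in that directory are not followed; use `$DAEMON_USER` instead of repeating the literal name, and set the group as well (`prelude-correlator:prelude-correlator`), since `adduser --group` creates one and README.Debian registers with `--gid prelude-correlator`. Separately, `adduser ... 2>&1 > /dev/null` sends stderr to the terminal and stdout to /dev/null; if the intent was to silence both, it should be `> /dev/null 2>&1`.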
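Review bot: in the prelude-correlator.postrm hunk, purge runs `deluser $DAEMON_USER` while /var/lib/prelude-correlator (created by debian/dirs, chowned to that account in postinst, and holding the daemon's state files) is never removed, so its contents stay behind owned by a UID that is now free for the next system account adduser allocates. Remove the state directory and the pidfile on purge before deleting the account (`rm -rf /var/lib/prelude-correlator` and `rm -f /var/run/prelude-correlator.pid`). The `|| true` is needed because adduser may already be gone at purge time, but wrapping it as `if command -v deluser >/dev/null; then deluser ...; fi` distinguishes "tool missing" from "deletion failed" instead of masking both.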
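Review bot: in the rules hunk, the siteconfig.py fix-up `sed -i -e 's|/home/.*/debian/tmp/usr||'` only works when the build tree lives under /home; on a buildd or in any other location the pattern does not match and the installed module keeps the full `.../debian/tmp/usr` staging prefix, so the shipped configuration points at a directory that no longer exists. Use the real build path (`sed -i -e 's|$(CURDIR)/debian/tmp/usr||'`, with `$(CURDIR)` expanded by make) or have setup.py take the prefix as a parameter. Also in this hunk: `build-stamp: config.status` and `[ ! -f Makefile ] || $(MAKE) distclean` are dh-make autotools boilerplate with no effect on a setup.py project, `dh_clean -k` is the deprecated spelling of dh_prep, and clean removes `build` and `*.pyc` but not the regenerated `prelude_correlator.egg-info`, which is why this diff ends with changes to upstream's egg-info files.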
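Review bot: in the watch hunk, the version regex `([\d\.]*)` cannot match the release-candidate tarballs this package has actually imported (1.0.0rc4 per the changelog) because the `uversionmangle` lines that would turn `rc` into `~rc` are commented out, so uscan silently misses pre-releases. The host also differs from `Homepage:` in debian/control (prelude-technologies.com here, prelude-ids.com there), so one of the two is stale. And since the tarball is fetched over plain http with no integrity check, if upstream publishes detached signatures this is the place to add `opts=pgpsigurlmangle=s/$/.sig/` together with debian/upstream-signing-key.asc, so a tampered download is caught at import time rather than trusted.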
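Review bot: the three prelude_correlator.egg-info hunks (PKG-INFO, SOURCES.txt, entry_points.txt) modify upstream's generated metadata rather than anything under debian/: a Metadata-Version bump from 1.0 to 1.1, two new SOURCES.txt entries, and a re-sort of entry_points.txt. SOURCES.txt now lists setup.cfg and PreludeCorrelator/siteconfig.py, yet neither file is added anywhere in this diff, so the metadata no longer describes the tree it ships with. This is residue from running setup.py inside the source tree (the rules clean target does not restore egg-info); either keep the Debian diff limited to debian/ by cleaning or restoring those files, or explain in README.source why the egg-info is regenerated at build time.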