==> debian/README.Debian <==
Prelude-LML specific changes for Debian
=======================================

Profile
-------

A Prelude profile must be created for prelude-lml. To create it, run (as root)::

  prelude-admin register "prelude-lml" "idmef:w" --uid 0 --gid 0

Log files location
------------------

Log file locations have been adapted to Debian (and, more generally, the FHS).
Default logs include:

- /var/log/syslog
- /var/log/auth.log
- /var/log/apache2/access.log

To change this, edit /etc/prelude-lml/prelude-lml.conf

==> debian/dirs <==
usr/bin

==> debian/source/format <==
3.0 (quilt)

==> debian/copyright <==
This package was debianized by Thomas Seyrat on
Sat, 6 Apr 2002 10:51:28 +0200.
The current Debian Maintainer is Mickael Profeta

It was downloaded from

Upstream Author: Yoann Vandoorselaere

Copyright (C) 2001,2002 Yoann Vandoorselaere

The README file specifies:

  This library is released under the GPL with the additional exemption that
  compiling, linking, and/or using OpenSSL is allowed. Please see
  http://www.openssl.org/support/faq.html#LEGAL2 for more information.

This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 dated June, 1991.

This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General
Public License can be found in `/usr/share/common-licenses/GPL'.

The files in libmissing/ are distributed under the GNU Lesser General Public License

  This library is free software; you can redistribute it and/or
  modify it under the terms of the GNU Lesser General Public
  License as published by the Free Software Foundation; either
  version 2.1 of the License, or (at your option) any later version.

  This library is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public
  License along with this library; if not, write to the Free Software
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

On Debian systems, the complete text of the GNU Lesser General Public
License can be found in /usr/share/common-licenses/LGPL.

The Debian packaging is (C) 2006, Mickael Profeta and is licensed under the
GPL, see above.

==> debian/postrm <==
#! /bin/sh
# postrm script for prelude-lml
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `remove'
#        * `purge'
#        * `upgrade'
#        * `failed-upgrade'
#        * `abort-install'
#        * `abort-install'
#        * `abort-upgrade'
#        * `disappear'
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

case "$1" in
    purge)
        # On purge, drop every rule file under the ruleset directory (including
        # any locally added ones) and the sensor's state files.
        rm -f /etc/prelude-lml/ruleset/*.rules
        rm -f /var/lib/prelude-lml/*
    ;;

    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
    ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0

==> debian/changelog <==
prelude-lml (1.0.0-5build1) trusty; urgency=medium

  * No change rebuild against libicu52

 -- Dimitri John Ledkov  Fri, 27 Dec 2013 05:11:53 +0000

prelude-lml (1.0.0-5) unstable; urgency=low

  * Bump Standards Version to 3.9.4
  * Refreshed quilt patches
  * Fix FTBFS with eglibc 2.17 (Closes: #701411)

 -- Pierre Chifflier  Tue, 02 Jul 2013 15:19:08 +0200

prelude-lml (1.0.0-4) unstable; urgency=high

  * Disable tests to avoid build failure on kFreeBSD (Closes: #677852)
  * Urgency high, RC bug

 -- Pierre Chifflier  Mon, 18 Jun 2012 21:30:19 +0200

prelude-lml (1.0.0-3) unstable; urgency=high

  * Trigger rebuild (Closes: #676028)
  * Bump Standards Version to 3.9.3
  * Switch to dpkg-source 3.0 (quilt) format
  * Switch to DH version 9
    - Enable hardening options
    - Enable multi-arch
  * Urgency high, RC bugs

 -- Pierre Chifflier  Sat, 16 Jun 2012 13:38:01 +0200

prelude-lml (1.0.0-2) unstable; urgency=low

  * Fix FTBFS with undefined symbol lt__PROGRAM__LTX_preloaded_symbols
    (Closes: #622046)
  * Bump Standards Version to 3.9.2
  * Ensure init script messages have newlines (Closes: #574595)
  * Exit init script gracefully if profile does not exist (Closes: #616178)

 -- Pierre Chifflier  Mon, 02 May 2011 13:55:25 +0200

prelude-lml (1.0.0-1) unstable; urgency=low

  * Imported Upstream version 1.0.0

 -- Pierre Chifflier  Thu, 18 Mar 2010 09:45:21 +0100

prelude-lml (1.0.0~rc2-1) unstable; urgency=low

  * New upstream release

 -- Pierre Chifflier  Tue, 09 Feb 2010 13:30:03 +0100

prelude-lml (1.0.0~rc1-1) unstable; urgency=low

  * New upstream release
  * Bump standards version to 3.8.4
  * Update description
  * Recommend rsyslog | system-log-daemon

 -- Pierre Chifflier  Wed, 03 Feb 2010 11:45:37 +0100

prelude-lml (0.9.15-1) unstable; urgency=low

  * New Upstream Version
  * Bump standards version to 3.8.2
  * Set debconf compat level to 5

 -- Pierre Chifflier  Fri, 17 Jul 2009 11:23:11 +0200

prelude-lml (0.9.14-2) unstable; urgency=low

  * Upload to unstable

 -- Pierre Chifflier  Thu, 26 Feb 2009 22:59:35 +0100

prelude-lml (0.9.14-1) experimental; urgency=low

  * New upstream release

 -- Pierre Chifflier  Sun, 19 Oct 2008 22:44:21 +0200

prelude-lml (0.9.13-1) experimental; urgency=low

  * New upstream release

 -- Pierre Chifflier  Mon, 25 Aug 2008 16:15:29 +0200

prelude-lml (0.9.12.2-2) unstable; urgency=low

  * Update watch file
  * Bump standards version (no changes)

 -- Pierre Chifflier  Tue, 01 Jul 2008 11:51:33 +0200

prelude-lml (0.9.12.2-1) unstable; urgency=low

  * New upstream release (fix installation directory of rules)

 -- Pierre Chifflier  Thu, 24 Apr 2008 21:20:56 +0200

prelude-lml (0.9.12.1-1) unstable; urgency=low

  * New upstream release

 -- Pierre Chifflier  Wed, 23 Apr 2008 19:17:28 +0200

prelude-lml (0.9.11-1) unstable; urgency=low

  * New upstream release
  * drop disable_cron, merged upstream

 -- Pierre Chifflier  Mon, 17 Dec 2007 19:09:21 +0100

prelude-lml (0.9.10.1-3) unstable; urgency=low

  * Remove remaining rules and var files on purge (Closes: #355737, #455030)
  * Bump standard version (no changes)

 -- Pierre Chifflier  Sun, 16 Dec 2007 16:52:31 +0100

prelude-lml (0.9.10.1-2) unstable; urgency=low

  * Add quilt patches:
    + debian_log_paths: set correct path for debian logs (auth.log, apache)
    + disable_cron: disable cron alerts by default (see README.Debian)

 -- Pierre Chifflier  Mon, 15 Oct 2007 17:46:01 +0200

prelude-lml (0.9.10.1-1) unstable; urgency=low

  * New upstream release
  * Update my email address

 -- Pierre Chifflier  Wed, 08 Aug 2007 22:05:39 +0200

prelude-lml (0.9.10-1) unstable; urgency=low

  * New upstream release

 -- Pierre Chifflier  Sun, 20 May 2007 16:07:12 +0200

prelude-lml (0.9.9-1) unstable; urgency=low

  * New upstream release
  * Update my email address
  * Add watch file
  * Add compat file

 -- Pierre Chifflier  Wed, 02 May 2007 14:13:54 +0200

prelude-lml (0.9.8.1-1) unstable; urgency=low

  * New upstream release
  * Add myself to Uploaders

 -- Pierre Chifflier  Mon, 29 Jan 2007 22:52:19 +0100

prelude-lml (0.9.7-1) unstable; urgency=low

  * New upstream release

 -- Mickael Profeta  Fri, 27 Oct 2006 10:38:47 +0200

prelude-lml (0.9.4-1) unstable; urgency=low

  * New upstream release
  * Modify copyright to include LGPL for libmissing directory

 -- Mickael Profeta  Wed, 26 Apr 2006 13:49:31 +0200

prelude-lml (0.9.2-1) unstable; urgency=low

  * New upstream release

 -- Mickael Profeta  Sat, 4 Feb 2006 17:15:22 +0100

prelude-lml (0.9.0-2) unstable; urgency=low

  * update dependencies (closes: #343512)

 -- Mickael Profeta  Thu, 15 Dec 2005 22:57:56 +0100

prelude-lml (0.9.0-1) unstable; urgency=low

  * New upstream release
  * new config.guess/config.sub (closes: #333649)

 -- Mickael Profeta  Wed, 5 Oct 2005 13:26:41 +0000

prelude-lml (0.8.6-4) unstable; urgency=low

  * added libssl-dev in build-depend

 -- Mickael Profeta  Wed, 12 Nov 2003 16:15:54 +0100

prelude-lml (0.8.6-3) unstable; urgency=low

  * change == operator to -eq in init file

 -- Mickael Profeta  Wed, 12 Nov 2003 11:46:15 +0100

prelude-lml (0.8.6-2) unstable; urgency=low

  * Change the maintainer in control file

 -- Mickael Profeta  Tue, 4 Nov 2003 15:06:40 +0100

prelude-lml (0.8.6-1) unstable; urgency=low

  * New upstream release
  * Add in copyright exception to GPL in order to link with OpenSSL

 -- Mickael Profeta  Tue, 4 Nov 2003 10:19:57 +0100

prelude-lml (0.8.3-1) unstable; urgency=low

  * New upstream release

 -- Mickael Profeta  Sun, 12 Oct 2003 22:08:03 +0200

prelude-lml (0.8.2-1) unstable; urgency=low

  * New upstream release

 -- PROFETA Mickael  Sun, 5 Jan 2003 21:17:38 +0100

prelude-lml (0.8.1-1) unstable; urgency=low

  * Initial Release.

 -- Thomas Seyrat  Sat, 6 Apr 2002 19:37:00 +0200

==> debian/control <==
Source: prelude-lml
Section: admin
Priority: extra
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Pierre Chifflier
Uploaders: Mickael Profeta
Build-Depends: debhelper (>= 9), libev-dev, libprelude-dev (>> 0.9.7), libpcre3-dev, libgnutls-dev (>= 1.2.9), libicu-dev, quilt
Standards-Version: 3.9.4

Package: prelude-lml
Architecture: any
Pre-Depends: multiarch-support
Depends: ${shlibs:Depends}, ${misc:Depends}
Recommends: rsyslog | system-log-daemon
Description: Security Information Management System [ Log Agent ]
 Prelude is a Universal "Security Information Management" (SIM) system.
 Its goals are performance and modularity. It is divided in two main parts:
  - the Prelude sensors, responsible for generating alerts, such as the snort
    sensor, featuring a signature engine, plugins for protocol analysis, and
    intrusion detection plugins, and the Prelude log monitoring lackey.
  - the Prelude report server, collecting data from Prelude sensors, and
    generating user-readable reports.
 .
 Prelude-LML is a signature-based log analyzer monitoring log files and
 received syslog messages for suspicious activity. It handles events
 generated by a large set of components, including but not limited to:
 Apache, BigIP, Grsecurity, Honeyd, ipchains, Netfilter, ipfw, Nagios,
 NTsyslog, NuFW, PAM, Portsentry, Postfix, Proftpd, ssh, etc.
==> debian/rules <==
#!/usr/bin/make -f

#export DH_VERBOSE=1
export DH_VERBOSE = 1

%:
	dh ${@}

override_dh_auto_configure:
	dh_auto_configure -- --enable-gtk-doc=no

override_dh_auto_install:
	dh_auto_install -X.la; \
	find debian/prelude-lml/usr/lib -name '*.la' -delete

override_dh_auto_test:
	# tests disabled to avoid failure on kFreeBSD (#677852)

==> debian/prelude-lml.init <==
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          prelude-lml
# Required-Start:    $syslog $remote_fs
# Required-Stop:     $syslog $remote_fs
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start prelude-lml sensor
### END INIT INFO

test $DEBIAN_SCRIPT_DEBUG && set -v -x

NAME=prelude-lml
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/bin/prelude-lml
PIDFILE=/var/run/$NAME.pid
DAEMONARGS="-d -q -P /var/run/$NAME.pid"

trap "" 1
export LANG=C
export PATH

test -f $DAEMON || exit 0

check_prelude_profile() {
	if [ ! -d "/etc/prelude/profile/$NAME" ]; then
		echo "Prelude profile for $NAME was not found"
		echo "You must create it with prelude-admin (see README.Debian)"
		echo "NOT starting."
		# do not return with an error, this would prevent package installation
		exit 0
	fi
}

case "$1" in
  start)
	echo -n "Starting Prelude LML: "
	check_prelude_profile
	start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON --oknodo \
		--quiet -- $DAEMONARGS > /dev/null
	echo "$NAME."
	;;
  stop)
	echo -n "Stopping Prelude LML: "
	start-stop-daemon --stop --pidfile $PIDFILE --exec $DAEMON --quiet \
		--oknodo > /dev/null
	echo "$NAME."
	;;
  restart|force-restart|reload|force-reload)
	echo -n "Restarting Prelude LML: "
	check_prelude_profile
	start-stop-daemon --stop --pidfile $PIDFILE --exec $DAEMON --quiet \
		--oknodo > /dev/null
	start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON --oknodo \
		--quiet -- $DAEMONARGS > /dev/null
	echo "$NAME."
	;;
  *)
	echo "Usage: $0 {start|stop|restart}"
	exit 1
	;;
esac

# $? here is the status of the last command run inside the case block (an
# echo), so this always takes the success branch; a failing start-stop-daemon
# has already aborted the script because of "sh -e".
if [ $? -eq 0 ]; then
	echo .
	exit 0
else
	echo failed
	exit 1
fi

==> debian/watch <==
# debian watch file
# You can run the "uscan" command
# to check for upstream updates and more.
# See uscan(1) for format

# Compulsory line, this is a version 3 file
version=3

http://www.prelude-ids.com/en/development/download/index.html \
	/download/releases/prelude-lml/prelude-lml-([\d\.]*)\.tar\.gz

==> debian/patches/disable_cron <==
Index: prelude-lml-0.9.10.1/plugins/pcre/ruleset/pcre.rules
===================================================================
--- prelude-lml-0.9.10.1.orig/plugins/pcre/ruleset/pcre.rules	2007-10-15 18:13:50.000000000 +0200
+++ prelude-lml-0.9.10.1/plugins/pcre/ruleset/pcre.rules	2007-10-15 18:14:24.000000000 +0200
@@ -93,6 +93,7 @@ # This next regex isn't specific enough for my liking, but there doesn't seem # to be a better solution based on the log samples regex=[a-z\d]+:; include = openhostapd.rules; +regex=CRON; include = cron.rules; regex=[Pp][Aa][Mm]_; include = pam.rules; regex=pcanywhere; include = pcanywhere.rules; regex=portsentry; include = portsentry.rules;

==> debian/patches/fix_ftbfs.patch <==
Index: prelude-lml/libmissing/stdio.in.h
===================================================================
--- prelude-lml.orig/libmissing/stdio.in.h	2011-11-21 18:39:56.000000000 +0100
+++ prelude-lml/libmissing/stdio.in.h	2013-07-02 15:14:20.228030838 +0200
@@ -113,11 +113,13 @@ "use gnulib module fflush for portable POSIX compliance"); #endif +#if 0 /* It is very rare that the developer ever has full control of stdin, so any use of gets warrants an unconditional warning. Assume it is always declared, since it is required by C89. */ #undef gets _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead"); +#endif #if @GNULIB_FOPEN@ # if @REPLACE_FOPEN@

==> debian/patches/debian_log_paths <==
Index: prelude-lml/prelude-lml.conf.in
===================================================================
--- prelude-lml.orig/prelude-lml.conf.in	2013-07-02 15:13:38.384032847 +0200
+++ prelude-lml/prelude-lml.conf.in	2013-07-02 15:13:38.380032847 +0200
@@ -93,16 +93,17 @@ time-format = "%b %d %H:%M:%S" prefix-regex = "^(?P.{15}) (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?" file = /var/log/messages +file = /var/log/auth.log # udp-server = 0.0.0.0 # # Sample configuration for metalog: # -[format=metalog] -prefix-regex = "^(?P.{15}) \[(?P\S+)\] " -time-format = "%b %d %H:%M:%S" -file = /var/log/everything/current +#[format=metalog] +#prefix-regex = "^(?P.{15}) \[(?P\S+)\] " +#time-format = "%b %d %H:%M:%S" +#file = /var/log/everything/current # udp-server = 0.0.0.0
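Review bot: debian/patches/disable_cron is not listed in debian/patches/series (which names only debian_log_paths, ftbfs_ltdl and fix_ftbfs.patch), and the 0.9.11-1 changelog entry says it was dropped as merged upstream, so the file is dead and should be deleted rather than carried in the package. Its single `+regex=CRON; include = cron.rules;` line also adds a rule-set include, which does not match the "disable cron alerts by default" description the 0.9.10.1-2 changelog entry gives for it; if the patch is ever revived, the description and the hunk need to be brought into agreement.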
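Review bot: in debian/patches/fix_ftbfs.patch, wrapping the `#undef gets` / `_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");` block in `#if 0` removes the diagnostic unconditionally, on every toolchain, while the comment left inside the block still says the warning should be unconditional. A narrower fix is to guard the block on a configure-time test for whether gets is actually declared, so the build no longer breaks where the declaration is gone but the security warning survives everywhere gets still exists. The patch should also carry a header line referencing #701411 from the 1.0.0-5 changelog entry so the reason for the change stays with it.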
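Review bot: in the first hunk of debian/patches/debian_log_paths, the syslog stanza keeps `file = /var/log/messages` and adds `file = /var/log/auth.log`, but README.Debian in this same package lists /var/log/syslog among the default logs; the two currently disagree, so either the hunk should add /var/log/syslog or the README should be corrected. Commenting out the whole metalog stanza while leaving its trailing `# udp-server = 0.0.0.0` line is harmless, but a one-line comment above the block saying why it is disabled on Debian would help the next maintainer.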
@@ -112,14 +113,12 @@ [format=apache] time-format = "%d/%b/%Y:%H:%M:%S" prefix-regex = "(?P\S+) \S+ \S+ \[(?P.{20}) [+-].{4}\] " -file = /var/log/httpd/access_log -file = /var/log/apache2/access_log +file = /var/log/apache2/access.log [format=apache-error] time-format = "%a %b %d %H:%M:%S %Y" prefix-regex = "^\[(?P.{24})\] \S+ (\[client (?P\S+)\] )?" -file = /var/log/httpd/error_log -file = /var/log/apache2/error_log +file = /var/log/apache2/error.log

==> debian/patches/series <==
debian_log_paths
ftbfs_ltdl
fix_ftbfs.patch

==> debian/patches/ftbfs_ltdl <==
Index: prelude-lml/src/prelude-lml.c
===================================================================
--- prelude-lml.orig/src/prelude-lml.c	2011-05-02 13:17:51.000000000 +0200
+++ prelude-lml/src/prelude-lml.c	2011-05-02 13:20:20.000000000 +0200
@@ -36,6 +36,8 @@ #include #include +#include + #if TIME_WITH_SYS_TIME # include # include

==> debian/docs <==
README
AUTHORS
HACKING.README
NEWS

==> debian/compat <==
9
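Review bot: the added `#include` in debian/patches/ftbfs_ltdl (src/prelude-lml.c) carries no comment saying why it is needed, and the patch has no description header; the 1.0.0-2 changelog entry ties it to the undefined lt__PROGRAM__LTX_preloaded_symbols symbol (#622046), and that reference belongs in a header at the top of the patch so the reason travels with the change. The same applies to the other files under debian/patches, none of which carries a description or bug reference.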