--- prelude-lml-0.9.12.2.orig/.pc/.version
+++ prelude-lml-0.9.12.2/.pc/.version
@@ -0,0 +1 @@
+2
--- prelude-lml-0.9.12.2.orig/debian/dirs
+++ prelude-lml-0.9.12.2/debian/dirs
@@ -0,0 +1 @@
+usr/bin
--- prelude-lml-0.9.12.2.orig/debian/docs
+++ prelude-lml-0.9.12.2/debian/docs
@@ -0,0 +1,4 @@
+README
+AUTHORS
+HACKING.README
+NEWS
--- prelude-lml-0.9.12.2.orig/debian/control
+++ prelude-lml-0.9.12.2/debian/control
@@ -0,0 +1,28 @@
+Source: prelude-lml
+Section: admin
+Priority: extra
+Maintainer: Mickael Profeta
+Uploaders: Pierre Chifflier
+Build-Depends: debhelper (>> 3.0.0),
+ libprelude-dev (>> 0.9.7),
+ libpcre3-dev,
+ libgnutls-dev (>= 1.2.9),
+ quilt
+Standards-Version: 3.8.0
+
+Package: prelude-lml
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Hybrid Intrusion Detection System [ Log Monitoring Lackey ]
+ Prelude is a general-purpose hybrid intrusion detection system.
+ Its goals are performance and modularity. It is divided in several
+ parts :
+ - The Prelude NIDS sensor, responsible for real time packet capture
+ and analysis, featuring a signature engine, plugins for protocol
+ analysis, and intrusion detection plugins.
+ - The Prelude report server, collecting data from Prelude sensors,
+ and generating user-readable reports.
+ .
+ This package provides the Prelude Log Monitoring Lackey, which tries to
+ match configured patterns against your logfiles and to emit alert when
+ one of the pattern is matched.
--- prelude-lml-0.9.12.2.orig/debian/rules
+++ prelude-lml-0.9.12.2/debian/rules
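Review bot: `Build-Depends: debhelper (>> 3.0.0)` does not guarantee the compatibility level this package declares (`debian/compat` is `4` further down the same diff), because any debhelper 3.x above 3.0.0 satisfies it while compat 4 needs a 4.x release; `Build-Depends: debhelper (>= 4),` pins what `dh_installinit` and the other helpers are actually run with. `Depends: ${shlibs:Depends}` also leaves out the substitution variable debhelper scripts use for dependencies they compute themselves, so anything they add is silently dropped at build time; `Depends: ${shlibs:Depends}, ${misc:Depends}`. The long description spends most of its text on the NIDS sensor and report server, neither of which this package ships, so a reader of `apt-cache show` has to reach the last paragraph to learn what `prelude-lml` does; consider leading with that paragraph.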
@@ -0,0 +1,67 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE=1
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+
+ QUILT_PATCHES=debian/patches quilt push -a || test $$? = 2
+
+# ./autogen.sh
+ ./configure --prefix=/usr --mandir=\$${prefix}/share/man --sysconfdir=/etc --enable-gtk-doc=no --localstatedir=/var
+ touch configure-stamp
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+ $(MAKE)
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ [ ! -f Makefile ] || $(MAKE) distclean
+
+ QUILT_PATCHES=debian/patches quilt pop -a -R || test $$? = 2
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ $(MAKE) install DESTDIR=$(CURDIR)/debian/prelude-lml
+
+ #for rule_file in $(CURDIR)/debian/debian-lml-rules/*.rules; do \
+ # install -m 644 $$rule_file $(CURDIR)/debian/prelude-lml/etc/prelude-lml/ruleset/ ; \
+ #done
+
+ touch install-stamp
+
+
+binary-indep: build install
+
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs
+ dh_installinit
+# dh_installman
+# dh_undocumented prelude-lml.1
+ dh_installchangelogs ChangeLog
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+# dh_makeshlibs
+ dh_installdeb
+# dh_perl
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
--- prelude-lml-0.9.12.2.orig/debian/watch
+++ prelude-lml-0.9.12.2/debian/watch
@@ -0,0 +1,10 @@
+# debian watch file
+# You can run the "uscan" command
+# to check for upstream updates and more.
+# See uscan(1) for format
+
+# Compulsory line, this is a version 3 file
+version=3
+
+http://www.prelude-ids.com/en/development/download/index.html \
+ /download/releases/prelude-lml/prelude-lml-([\d\.]*)\.tar\.gz
--- prelude-lml-0.9.12.2.orig/debian/changelog
+++ prelude-lml-0.9.12.2/debian/changelog
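Review bot: `touch install-stamp` at the end of the `install` target creates a stamp that no rule depends on and that `clean` never removes — `rm -f build-stamp configure-stamp` drops only the other two — so a stale `install-stamp` stays in the unpacked tree and is picked up by the next source diff; either drop the `touch` or make clean read `rm -f build-stamp configure-stamp install-stamp`. The `.pc/.version` hunk at the very top of this diff suggests the same kind of leak for quilt's state directory: `quilt pop -a -R` in `clean` does not appear to remove `.pc`, so adding `rm -rf .pc` after the pop keeps quilt bookkeeping out of the Debian diff (the path is a literal, so there is no empty-variable risk in that `rm -rf`). The commented-out `#for rule_file ...` loop in `install` and the `# dh_installman`, `# dh_undocumented`, `# dh_makeshlibs` and `# dh_perl` lines in `binary-arch` are dead recipe text that misleads about what the package actually runs; they should be removed rather than kept as reminders.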
@@ -0,0 +1,145 @@
+prelude-lml (0.9.12.2-2) unstable; urgency=low
+
+ * Update watch file
+ * Bump standards version (no changes)
+
+ -- Pierre Chifflier Tue, 01 Jul 2008 11:51:33 +0200
+
+prelude-lml (0.9.12.2-1) unstable; urgency=low
+
+ * New upstream release (fix installation directory of rules)
+
+ -- Pierre Chifflier Thu, 24 Apr 2008 21:20:56 +0200
+
+prelude-lml (0.9.12.1-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Pierre Chifflier Wed, 23 Apr 2008 19:17:28 +0200
+
+prelude-lml (0.9.11-1) unstable; urgency=low
+
+ * New upstream release
+ * drop disable_cron, merged upstream
+
+ -- Pierre Chifflier Mon, 17 Dec 2007 19:09:21 +0100
+
+prelude-lml (0.9.10.1-3) unstable; urgency=low
+
+ * Remove remaining rules and var files on purge (Closes: #355737, #455030)
+ * Bump standard version (no changes)
+
+ -- Pierre Chifflier Sun, 16 Dec 2007 16:52:31 +0100
+
+prelude-lml (0.9.10.1-2) unstable; urgency=low
+
+ * Add quilt patches:
+ + debian_log_paths: set correct path for debian logs (auth.log, apache)
+ + disable_cron: disable cron alerts by default (see README.Debian)
+
+ -- Pierre Chifflier Mon, 15 Oct 2007 17:46:01 +0200
+
+prelude-lml (0.9.10.1-1) unstable; urgency=low
+
+ * New upstream release
+ * Update my email address
+
+ -- Pierre Chifflier Wed, 08 Aug 2007 22:05:39 +0200
+
+prelude-lml (0.9.10-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Pierre Chifflier Sun, 20 May 2007 16:07:12 +0200
+
+prelude-lml (0.9.9-1) unstable; urgency=low
+
+ * New upstream release
+ * Update my email address
+ * Add watch file
+ * Add compat file
+
+ -- Pierre Chifflier Wed, 02 May 2007 14:13:54 +0200
+
+prelude-lml (0.9.8.1-1) unstable; urgency=low
+
+ * New upstream release
+ * Add myself to Uploaders
+
+ -- Pierre Chifflier Mon, 29 Jan 2007 22:52:19 +0100
+
+prelude-lml (0.9.7-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Mickael Profeta Fri, 27 Oct 2006 10:38:47 +0200
+
+prelude-lml (0.9.4-1) unstable; urgency=low
+
+ * New upstream release
+ * Modify copyright to include LGPL for libmissing directory
+
+ -- Mickael Profeta Wed, 26 Apr 2006 13:49:31 +0200
+
+prelude-lml (0.9.2-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Mickael Profeta Sat, 4 Feb 2006 17:15:22 +0100
+
+prelude-lml (0.9.0-2) unstable; urgency=low
+
+ * update dependencies (closes: #343512)
+
+ -- Mickael Profeta Thu, 15 Dec 2005 22:57:56 +0100
+
+prelude-lml (0.9.0-1) unstable; urgency=low
+
+ * New upstream release
+ * new config.guess/config.sub (closes: #333649)
+
+ -- Mickael Profeta Wed, 5 Oct 2005 13:26:41 +0000
+
+prelude-lml (0.8.6-4) unstable; urgency=low
+
+ * added libssl-dev in build-depend
+
+ -- Mickael Profeta Wed, 12 Nov 2003 16:15:54 +0100
+
+prelude-lml (0.8.6-3) unstable; urgency=low
+
+ * change == operator to -eq in init file
+
+ -- Mickael Profeta Wed, 12 Nov 2003 11:46:15 +0100
+
+prelude-lml (0.8.6-2) unstable; urgency=low
+
+ * Change the maintainer in control file
+
+ -- Mickael Profeta Tue, 4 Nov 2003 15:06:40 +0100
+
+prelude-lml (0.8.6-1) unstable; urgency=low
+
+ * New upstream release
+ * Add in copyright exception to GPL in order to link with OpenSSL
+
+ -- Mickael Profeta Tue, 4 Nov 2003 10:19:57 +0100
+
+prelude-lml (0.8.3-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Mickael Profeta Sun, 12 Oct 2003 22:08:03 +0200
+
+prelude-lml (0.8.2-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- PROFETA Mickael Sun, 5 Jan 2003 21:17:38 +0100
+
+prelude-lml (0.8.1-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Thomas Seyrat Sat, 6 Apr 2002 19:37:00 +0200
+
--- prelude-lml-0.9.12.2.orig/debian/compat
+++ prelude-lml-0.9.12.2/debian/compat
@@ -0,0 +1 @@
+4
--- prelude-lml-0.9.12.2.orig/debian/README.Debian
+++ prelude-lml-0.9.12.2/debian/README.Debian
@@ -0,0 +1,14 @@
+Prelude-LML specific changes for Debian
+=======================================
+
+Log files location
+------------------
+
+Log files locations have been adapted to Debian (and, more generally, FHS).
+Default logs include:
+ - /var/log/syslog
+ - /var/log/auth.log
+ - /var/log/apache2/acces.log
+
+To change this, edit /etc/prelude-lml/prelude-lml.conf
+
--- prelude-lml-0.9.12.2.orig/debian/postrm
+++ prelude-lml-0.9.12.2/debian/postrm
@@ -0,0 +1,44 @@
+#! /bin/sh
+# postrm script for prelude-lml
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+
+ purge)
+ rm -f /etc/prelude-lml/ruleset/*.rules
+ rm -f /var/lib/prelude-lml/*
+
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- prelude-lml-0.9.12.2.orig/debian/prelude-lml.init
+++ prelude-lml-0.9.12.2/debian/prelude-lml.init
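Review bot: In the `purge)` branch, `rm -f /var/lib/prelude-lml/*` removes only the non-hidden top-level entries — dotfiles and any subdirectory the daemon created survive, and the directory itself is left behind — so the purge this upload's changelog promises (Closes: #355737, #455030) is incomplete; for package-owned state the usual form is `rm -rf /var/lib/prelude-lml`. After `rm -f /etc/prelude-lml/ruleset/*.rules` the `ruleset` directory is likewise left for dpkg, which only removes it if nothing else remains inside; `rmdir --ignore-fail-on-non-empty /etc/prelude-lml/ruleset 2>/dev/null || true` finishes the job without failing under `set -e` when an admin left other files there. The call summary in the header lists `abort-install` twice and the `disappear` line reads `overwrit>r>`, which looks like a damaged copy of the debhelper template; worth restoring from the current template so the comment is not misleading.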
@@ -0,0 +1,62 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides: prelude-lml
+# Required-Start: $syslog
+# Required-Stop: $syslog
+# Should-Start: $local_fs
+# Should-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start prelude-lml sensor
+### END INIT INFO
+
+
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+NAME=prelude-lml
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/bin/prelude-lml
+PIDFILE=/var/run/$NAME.pid
+DAEMONARGS="-d -q -P /var/run/$NAME.pid"
+
+trap "" 1
+export LANG=C
+export PATH
+
+test -f $DAEMON || exit 0
+
+case "$1" in
+ start)
+ echo -n "Starting Prelude LML: $NAME"
+ start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON --oknodo \
+ --quiet -- $DAEMONARGS > /dev/null
+ ;;
+
+ stop)
+ echo -n "Stopping Prelude LML: $NAME"
+ start-stop-daemon --stop --pidfile $PIDFILE --exec $DAEMON --quiet \
+ --oknodo > /dev/null
+ ;;
+
+ restart|force-restart|reload|force-reload)
+ echo -n "Restarting Prelude LML: $NAME"
+ start-stop-daemon --stop --pidfile $PIDFILE --exec $DAEMON --quiet \
+ --oknodo > /dev/null
+ start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON --oknodo \
+ --quiet -- $DAEMONARGS > /dev/null
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ exit 1
+ ;;
+esac
+
+if [ $? -eq 0 ]; then
+ echo .
+ exit 0
+else
+ echo failed
+ exit 1
+fi
--- prelude-lml-0.9.12.2.orig/debian/copyright
+++ prelude-lml-0.9.12.2/debian/copyright
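Review bot: With `#!/bin/sh -e` the `if [ $? -eq 0 ]` block after `esac` cannot take its `else` branch: a failing `start-stop-daemon` terminates the script right there (no `failed` message, the daemon's own exit status), and by the time control reaches the test `$?` is 0, so `echo failed; exit 1` is dead code. Either drop `-e` from the shebang and keep the status check, or keep `-e` and reduce the trailing block to `echo .`. In the `restart|force-restart|reload|force-reload` branch the `--stop` is immediately followed by `--start` with no wait for the old process to exit; if it is still shutting down, `--start` with `--oknodo` sees it running and does nothing, so the restart silently keeps the old instance — `--retry 5` on the `--stop` call (or a `TERM/10/KILL/5` schedule) makes it deterministic. `DAEMONARGS` also repeats the pid path instead of reusing the variable defined one line earlier; `DAEMONARGS="-d -q -P $PIDFILE"` keeps the two from drifting apart.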
@@ -0,0 +1,58 @@
+This package was debianized by Thomas Seyrat on
+Sat, 6 Apr 2002 10:51:28 +0200.
+
+The current Debian Maintainer is Mickael Profeta
+
+It was downloaded from
+
+Upstream Author: Yoann Vandoorselaere
+
+Copyright (C) 2001,2002 Yoann Vandoorselaere
+
+The README file specifies :
+
+This library is released under the GPL with the additional exemption
+that compiling, linking, and/or using OpenSSL is allowed.
+
+Please see http://www.openssl.org/support/faq.html#LEGAL2 for more
+informations.
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ 02110-1301, USA.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
+The files in libmissing/ are distributed under the GNU Lesser General
+Public License
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+ + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +On Debian systems, the complete text of the GNU Lesser General Public +License, can be found in /usr/share/common-licenses/LGPL. + +The Debian packaging is (C) 2006, Mickael Profeta +is licensed under the GPL, see above. --- prelude-lml-0.9.12.2.orig/debian/patches/debian_log_paths +++ prelude-lml-0.9.12.2/debian/patches/debian_log_paths @@ -0,0 +1,40 @@ +Index: prelude-lml-0.9.11/prelude-lml.conf.in +=================================================================== +--- prelude-lml-0.9.11.orig/prelude-lml.conf.in 2007-12-14 15:19:01.000000000 +0100 ++++ prelude-lml-0.9.11/prelude-lml.conf.in 2007-12-17 19:13:16.000000000 +0100 +@@ -56,17 +56,18 @@ + time-format = "%b %d %H:%M:%S" + prefix-regex = "^(?P.{15}) (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?" + file = /var/log/messages ++file = /var/log/auth.log + # udp-server = 0.0.0.0 + + +-# +-# Sample configuration for metalog: +-# +-[format=metalog] +-prefix-regex = "^(?P.{15}) \[(?P\S+)\] " +-time-format = "%b %d %H:%M:%S" +-file = /var/log/everything/current +-# udp-server = 0.0.0.0 ++## ++## Sample configuration for metalog: ++## ++#[format=metalog] ++#prefix-regex = "^(?P.{15}) \[(?P\S+)\] " ++#time-format = "%b %d %H:%M:%S" ++#file = /var/log/everything/current ++## udp-server = 0.0.0.0 + + + # +@@ -75,7 +76,7 @@ + [format=apache] + time-format = "%d/%b/%Y:%H:%M:%S" + prefix-regex = "(?P\S+) \S+ \S+ \[(?P.{20}) [+-].{4}\] " +-file = /var/log/apache2/access_log ++file = /var/log/apache2/access.log + + # + # Sample configuration for asterisk: --- prelude-lml-0.9.12.2.orig/debian/patches/series +++ prelude-lml-0.9.12.2/debian/patches/series @@ -0,0 +1 @@ +debian_log_paths --- prelude-lml-0.9.12.2.orig/debian/patches/disable_cron +++ prelude-lml-0.9.12.2/debian/patches/disable_cron 
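Review bot: The second hunk of `debian/patches/debian_log_paths` points the apache section at `/var/log/apache2/access.log`, but `debian/README.Debian` in this same upload documents the monitored file as `/var/log/apache2/acces.log`, so the user-facing note disagrees with what the patch configures; the README spelling should be corrected. README.Debian also lists `/var/log/syslog` as a default, while the first hunk (whose section header is above the hunk's context, so I am inferring it is the syslog block) keeps upstream's `file = /var/log/messages` and only adds `file = /var/log/auth.log` — one of the two is wrong about which file is actually watched, and since this decides which events the sensor can ever alert on it deserves a check on a real install. The `prefix-regex` values appear here as `(?P.{15})` with the group names missing; that is most likely this page swallowing angle-bracketed text rather than the shipped patch, but it is worth confirming the file in the package still carries the named groups upstream's rules expect.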
@@ -0,0 +1,12 @@
+Index: prelude-lml-0.9.10.1/plugins/pcre/ruleset/pcre.rules
+===================================================================
+--- prelude-lml-0.9.10.1.orig/plugins/pcre/ruleset/pcre.rules 2007-10-15 18:13:50.000000000 +0200
++++ prelude-lml-0.9.10.1/plugins/pcre/ruleset/pcre.rules 2007-10-15 18:14:24.000000000 +0200
+@@ -93,6 +93,7 @@
+ # This next regex isn't specific enough for my liking, but there doesn't seem
+ # to be a better solution based on the log samples
+ regex=[a-z\d]+:; include = openhostapd.rules;
++regex=CRON; include = cron.rules;
+ regex=[Pp][Aa][Mm]_; include = pam.rules;
+ regex=pcanywhere; include = pcanywhere.rules;
+ regex=portsentry; include = portsentry.rules;
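Review bot: `debian/patches/disable_cron` is not listed in `debian/patches/series` (which contains only `debian_log_paths`), and the 0.9.11-1 changelog entry says it was dropped as merged upstream, so this file is dead packaging that `quilt push -a` will never apply; it should be deleted rather than shipped as a stale patch. Its content also contradicts its name: the hunk adds `regex=CRON; include = cron.rules;` to `pcre.rules`, which enables a cron ruleset, whereas the 0.9.10.1-2 changelog describes the patch as disabling cron alerts by default — a reader who trusts the filename would conclude cron alerts are off when the patch text says the opposite. If the file is kept for any reason, rename it or add a header comment stating what it actually does.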