January 5, 1999 - Version 1.5
Several major modifications to the SHADOW package:
1. The primary SHADOW html page now generates a separate toolbar window
instead of a separate frame. Each of the tools opens a separate window.
To use it, click on "Tool Window." A small vertical window appears with
selectors for site and date. A box lists the hours of the day. Six blue
buttons appear at the bottom labelled: Directory, Search, Scan, NS Lookup,
Whois, and Report. After selecting the date and site, clicking on an hour
number fills the main screen with the SHADOW tcpdump output for that hour.
Clicking on other hours takes you directly to that hour of the day
(assuming the data has been collected).
The buttons perform the following:
Directory: Fills the data screen with the dynamically created directory
view of the tcpdump_results subdirectory of your http tree.
This is the view used in the previous version of SHADOW.
Search: Pops up a small search window that presents a form for
searching a day's tcpdump records for specific patterns. This
can be CPU and IO intensive, since it searches the whole day's
records by gunzipping the raw data and piping it through
tcpdump with the pattern supplied on the form.
Scan: Not functional at the moment. We are attempting to get a good
handle on the scan problem, i.e. when a single external
machine attempts some sort of contact with multiple internal
machines.
NS Lookup: Pops up a small screen that performs a DNS lookup through
a fill-in form.
Whois: Pops up a small screen that performs a WHOIS query to the
Internic for the officially registered information about
a domain or IP address.
Report: Pops up a screen to generate a SHADOW Incident Report. The
screen contains a fill-in form for assembling a report
to a CIRT (Computer Incident Response Team) about a
potential incident, compromise, attack, etc. that has been
detected by your analyst examining SHADOW records. The form
is generated by the /cgi-bin/compose_IR.cgi Perl script, and
will most likely need modifications for your particular
circumstances. It prepares an ASCII text letter and sends it
to a set of addresses specified on the form. Since the
recipients come from the form, limit who can reach the script
(or fix the recipients in it) when you adapt it to your site.
2. A script strip.pl is included to strip comments from tcpdump filter files.
In the logger/filters/Site1 directory are several files with .doc as their
suffix. Documenting the filter files with comments in the /bin/sh fashion
enhances human understanding, but tcpdump does not accept comments. This
script reads a documented filter file and strips everything from the #
character to the end of each line. strip.pl reads stdin and writes to
stdout.
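As an added example (this is not the strip.pl that ships with SHADOW), the
Python script below has the same contract, stdin in and stdout out, and
adds the two checks an operator wants before handing the result to
tcpdump -F: that something is left after stripping, and that a comment did
not swallow a closing parenthesis. The documented filter inside it is a
constructed sample, not one of the Site1 .doc files.

```python
#!/usr/bin/env python3
"""Strip sh-style comments from a documented tcpdump filter file.

Added example, not SHADOW's strip.pl. Behaviour described in the release
notes: everything from '#' to end of line is dropped, input on stdin,
output on stdout. The checks in check_filter() are an addition.
"""
import sys

# Constructed sample in the style of the Site1 .doc files (not a real one).
SAMPLE_DOC_FILTER = """\
# Site1 documented filter (constructed sample, not the SHADOW Site1 files)
# Record everything except the bulk traffic from the internal web server
not (
  host 192.0.2.10 and port 80   # internal web server, logged elsewhere
)
and not (
  udp and port 123              # ntp/rdate chatter between sensors
)
"""


def strip_filter(text):
    """Return the filter text with comments removed.

    Everything from the first '#' on a line to the end of that line is
    dropped, lines that become blank are dropped, and the survivors are
    joined with newlines (tcpdump -F treats newlines as whitespace).
    """
    kept = []
    for line in text.splitlines():
        code = line.split("#", 1)[0].rstrip()
        if code.strip():
            kept.append(code)
    return ("\n".join(kept) + "\n") if kept else ""


def check_filter(stripped):
    """Return a list of problems with the stripped filter (empty if none).

    The parenthesis check catches the classic mistake of writing a comment
    before a closing ')' on the same line, e.g. '( src net 10/8 # lan )',
    which strip_filter() would silently truncate to '( src net 10/8'.
    """
    problems = []
    if not stripped.strip():
        problems.append("filter is empty after stripping comments")
    if "#" in stripped:
        problems.append("a '#' survived stripping")
    if stripped.count("(") != stripped.count(")"):
        problems.append("unbalanced parentheses")
    return problems


def main():
    stripped = strip_filter(sys.stdin.read())
    for problem in check_filter(stripped):
        sys.stderr.write("strip: %s\n" % problem)
    sys.stdout.write(stripped)
    # Non-zero exit so a cron job or Makefile notices a broken filter.
    return 1 if check_filter(stripped) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Typical use is the same as for strip.pl: redirect the documented file in
and the stripped filter out, then point tcpdump at the result with -F.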
3. The cgi-bin scripts have been significantly modified to support the separate
toolbar window and the functionality provided by the push buttons. In
addition, the primary scripts were changed as needed to support the tool
windows and to fix bugs as they were found.
4. The documented filters in the Site1 filter directory add explanations for
each filter to clarify their purposes.
5. I no longer include (or use) the msntp package for synchronizing time
between machines. For some reason, msntp hung awaiting terminal input at
times, which defeats its utility in a cron script. Using rdate against a
time source that accepts it is satisfactory. Keeping the sensors and
analyzers synchronized to within a few seconds is not worth a full-blown
ntp installation.
