/* $Id: README,v 1.15 2000/11/22 02:28:19 keiji Exp $ */

pakemon (Packet Monster) ver. 0.3.0

1 OVERVIEW

 Pakemon has been developed to share IDS components based on the open source development model.  The current version of pakemon monitors all traffic on a network, reconstructs IP packets and TCP segments, searches the traffic for given data patterns (regular expressions), and issues alerts if necessary, logging to a file or sending a message to syslog.

 This software is experimental.  Please use it at your own risk.  There are still many things to improve.  If you have any suggestions, questions, ideas or comments, please feel free to contact the author, keiji@sfc.keio.ac.jp, or the mailing list pakemon-devel@inas.mag.keio.ac.jp.

 Pakemon ver. 0.3.0 and later requires the following libraries.

 - libpcap (ver. 0.5.2 or later):
             packet capture library
             from the tcpdump group, originally by Van Jacobson, Craig Leres and Steven McCanne (Lawrence Berkeley National Laboratory)
             libpcap-0.5.2 (http://www.tcpdump.org/)
             libpcap-0.4 (original: ftp://ftp.ee.lbl.gov/libpcap.tar.Z)

 - libnet (1.0.1b or later):
             packet construction library
             by Mike D. Schiffman
             http://www.packetfactory.net/Projects/Libnet/

 - libnids (ver. 1.1.6 or later):
             NIDS E-component (Linux 2.0.x IP stack emulator)
             by Rafal Wojtczuk
             http://www.packetfactory.net/Projects/Libnids/

2 INSTALLATION

  If you haven't installed libpcap, libnet and libnids, you have to obtain all of them first.  If you already have all of them, only pakemon itself needs to be installed.

  The following files can be obtained from the sites listed below.

  libpcap http://www.tcpdump.org/
  libnet  http://www.packetfactory.net/Projects/Libnet
  libnids http://www.packetfactory.net/Projects/Libnids
  pakemon http://www.inas.mag.keio.ac.jp/ids/pakemon/

  All files can be installed as follows.

  % tar xvfz [downloaded file name]
  % cd [created directory]
  % ./configure
  % make
  % su     (become root)
  # make install

  * for libpcap include files (required) and man pages (optional)

  # mkdir /usr/local/include
  # mkdir /usr/local/include/net
  # make install-incl
  # make install-man

  * for libnet supplement and utilities (both optional)

  # make supp
  # make util

 The pakemon executable will be installed as /usr/local/bin/pakemon.
 The signature database (signature.txt) is installed in /usr/local/share.

3 TO RUN
 To run this program you must be root, since the program opens a raw socket in promiscuous mode.

 % su
 # pakemon
 (You must have /usr/local/bin in your execution path.)

4 OPTIONS (as of ver. 0.3.0)

   -c <signature> :Use signature(configuration) file <signature>
   -i <if>        :set network interface <if>
   -u <user id>   :Use <user id> for the process instead of root
   -v             :Dump all traffic in text format on standard output
   -q             :Quiet Mode (Doesn't display alert message on screen.)
   -s             :Use syslog to record alerts
   -l <alert_log> :Specify <alert_log>
   -n             :Do not log any payload
   -t             :Use only text format for the packet log
   -d <dump_log>  :Specify <dump_log>
   -h             :Show this message.

5 TO CUSTOMIZE SIGNATURES TO BE DETECTED
 Edit the /usr/local/share/pakemon/signature.txt file.

 Format:

 signature_name protocol source_port dest_port data_pattern

 e.g.)
	CGI-phf(CVE-1999-0067) tcp * 80 '/cgi-bin/phf'

  Lines starting with # are processed as comments.

  signature_name : text format (do not include spaces)
  protocol : tcp, udp or icmp
  port_number : for tcp and udp (use * for wildcard)
  signature : text (default)
              "" case sensitive
              '' case insensitive
              <> regular expression (this is still in beta test)
              |hexadecimal binary| (between '|' and '|')
              or use \x00 \xFF format

              Escape sequences are
              \a, \b, \f, \n, \r, \t, \v, \\, \?, \', \", \x \>
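 The following is an added worked example, not code from pakemon itself, showing how a reader of the format above can parse a signature.txt-style file and match its patterns against a reassembled TCP payload. It is written in Python rather than pakemon's own C, and it makes a few assumptions where the description is silent: bare text without delimiters is treated like "" (case sensitive), the <> form is compiled with Python's re module (whose dialect need not equal pakemon's), the \> escape is honoured only inside <> where it stands for a literal '>', and the |..| hex form allows spaces between bytes. The sample signature file and payloads are constructed for illustration; they are not the shipped signature database.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Single-character escapes listed in the README; \xHH is handled separately in unescape().
ESCAPES = {"a": b"\a", "b": b"\b", "f": b"\f", "n": b"\n", "r": b"\r", "t": b"\t",
           "v": b"\v", "\\": b"\\", "?": b"?", "'": b"'", '"': b'"', ">": b">"}

def unescape(text: str) -> bytes:
    """Expand \\n, \\xFF, ... so that binary data can be written inside a text pattern."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out += text[i].encode("latin-1")
            i += 1
        elif text[i + 1:i + 2] == "x":                       # \xHH: exactly two hex digits
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", text[i + 2:i + 4]):
                raise ValueError(f"bad \\x escape near offset {i} in {text!r}")
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif text[i + 1:i + 2] in ESCAPES:
            out += ESCAPES[text[i + 1]]
            i += 2
        else:
            raise ValueError(f"unknown escape near offset {i} in {text!r}")
    return bytes(out)

@dataclass
class Signature:
    name: str
    protocol: str             # tcp, udp or icmp
    src_port: Optional[int]   # None is the README's "*" wildcard
    dst_port: Optional[int]
    kind: str                 # "exact", "nocase", "regex" or "binary"
    pattern: bytes            # literal bytes, or the regex source when kind == "regex"

    def matches(self, protocol: str, src_port: int, dst_port: int, payload: bytes) -> bool:
        if protocol != self.protocol:
            return False
        if self.src_port not in (None, src_port) or self.dst_port not in (None, dst_port):
            return False
        if self.kind == "nocase":
            return self.pattern.lower() in payload.lower()
        if self.kind == "regex":
            return re.search(self.pattern, payload) is not None
        return self.pattern in payload        # "exact" and "binary": plain substring search

def parse_port(token: str) -> Optional[int]:
    if token == "*":
        return None
    port = int(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port

def parse_pattern(field: str):
    """Classify the data_pattern field by its delimiters, as section 5 describes."""
    if len(field) >= 2 and field[0] == field[-1] == '"':
        return "exact", unescape(field[1:-1])
    if len(field) >= 2 and field[0] == field[-1] == "'":
        return "nocase", unescape(field[1:-1])
    if len(field) >= 2 and field[0] == "<" and field[-1] == ">":
        source = field[1:-1].replace("\\>", ">").encode("latin-1")   # \> escapes the closing '>'
        re.compile(source)                                           # reject bad regexes at load time
        return "regex", source
    if len(field) >= 2 and field[0] == field[-1] == "|":
        return "binary", bytes.fromhex(field[1:-1])
    return "exact", unescape(field)       # bare text (the default); assumed case sensitive here

def parse_signature_line(line: str) -> Optional[Signature]:
    """Return a Signature, or None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 4)           # the pattern itself may contain spaces, e.g. |00 fc 00 01|
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields: {line!r}")
    name, proto, sport, dport, pattern = parts
    if proto.lower() not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unknown protocol {proto!r} in {line!r}")
    kind, pat = parse_pattern(pattern)
    return Signature(name, proto.lower(), parse_port(sport), parse_port(dport), kind, pat)

def load_signatures(text: str) -> List[Signature]:
    return [s for s in map(parse_signature_line, text.splitlines()) if s is not None]

def scan(sigs: List[Signature], protocol: str, src_port: int, dst_port: int, payload: bytes) -> List[str]:
    """Names of every signature that fires on one reassembled payload, in file order."""
    return [s.name for s in sigs if s.matches(protocol, src_port, dst_port, payload)]

# Constructed sample in the signature.txt format; not the database shipped with pakemon.
SAMPLE_SIGNATURES = r"""
# signature_name protocol source_port dest_port data_pattern
CGI-phf(CVE-1999-0067) tcp * 80 '/cgi-bin/phf'
Telnet-IAC-WILL tcp * 23 "\xFF\xFB"
Dir-traversal tcp * 80 <\.\./\.\./>
HTML-script-tag tcp 80 * <<script\>>
DNS-AXFR-query tcp * 53 |00 fc 00 01|
"""
```

 Loading SAMPLE_SIGNATURES with load_signatures() and calling scan(sigs, "tcp", 40000, 80, b"GET /CGI-BIN/PHF?Qalias=x HTTP/1.0\r\n") reports only the CGI-phf entry, because the '' form ignores case while the dest_port 80 filter and the tcp protocol filter still apply; the same request sent over udp matches nothing. Splitting the line with a maximum of four splits is what lets the |00 fc 00 01| form keep its embedded spaces, and compiling each <> pattern while loading means a malformed regular expression is rejected when the file is read rather than when the first packet arrives.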

 You can find signatures from other contributors, such as:

  Whitehats   http://whitehats.com/ids/vision-pakemon.conf

6 OUTPUT

  By default, the following files are generated to record detections.

  Alert messages    /var/log/pakemon_alert.log

  Dump messages     /var/log/pakemon_dump.log
