/* $Id: README-j,v 1.8 2000/11/22 02:28:19 keiji Exp $ */

pakemon (Packet Monster) ver. 0.3.0

1 

pakemonϡץ󥽡ȯǥ˴ŤͭǽIDSݡͥȤȯ뤳ȤᤶƤޤ
ߤΥСpakemon(ѥ)³줿ͥåȥήȥեåƻ뤷IPѥåȤTCPȤκƹԤǤդΥǡ(ɽ)ޤѥåȤ򸡽Ф륻åΥȥޥ꡼Ϥޤ
Ѥǡ򥷥ͥʥѥˤȤϿ뤳Ȥ򸡽Ф뤳ȤǤޤ
Υեȥϼ¸ѤǤΤǡѤϼǤˤԤäƤޤ¿βɤ٤¸ߤޤΤǡơǥʤɤޤ餪ڤ keiji@sfc.keio.ac.jp ᡼󥰥ꥹ(packet@inas.mag.keio.ac.jp)ޤǤ󤻤

ѥΥС0.3.0ʹߤΥСǤϰʲΥ饤֥ѤƤޤ

 - libpcap(ver.0.5.2ʹ):
              ѥåȥץ饤֥
              tcpdump롼פˤƥʥ󥹤Ƥޤ
              ꥸʥVan Jacobson, Craig Leres, Steven McCanne
              (Lawrence Berkeley National Laboratory)ˤäƺޤ
              http://www.tcpdump.org/
ftp://ftp.ee.lbl.gov/libpcap.tar.Z

 - libnet(ver. 1.0.1bʹ):
              Mike D. Schiffmanˤ롢ѥåȤۤ뤿Υ饤֥ꡣ
  http://www.packetfactory.net/Projects/Libnet/

 - libnids(ver. 1.1.6ʹ):
              Rafal Wojtczukˤ NIDS E-ݡͥ
              (Linux 2.0.x IP åߥ졼)
  http://www.packetfactory.net/Projects/Libnids/

2 󥹥ȡ
 
ޤlibpcaplibnetlibnids򥤥󥹥ȡ뤷ƤʤϡޤΥ󥹥ȡ뤫Ϥޤ

  ɬפʥեpakemonWebȤǤ褦ˤʤäƤޤ
  ʲΥȤϥꥸʥΤΤǤ

  libpcap  http://www.tcpdump.org/
  libnet  http://www.packetfactory.net/Projects/Libnet
  libnids http://www.packetfactory.net/Projects/Libnids
  pakemon http://www.inas.mag.keio.ac.jp/pakemon/

٤ƤΥեϰʲΤ褦ˤƥ󥹥ȡǤޤ

  % tar xvfz [ɤե̾]
  % cd [줿ǥ쥯ȥ]
  % ./configure
  % make
  % su     (롼Ȥˤʤ)
  # make install

libpcapincludefileɬܡˤmanʥץˤˤĤƤϲ򻲾ȤƤ

  # mkdir /usr/local/include
  # mkdir /usr/local/include/net
  # make install-incl
  # make install-man

 libnetsupplementutilityȤ⥪ץˤˤĤƤϲ򻲾ȤƤ

  # make supp
  # make util

ѥμ¹ԥե/usr/local/bin/pakemonȤƥ󥹥ȡ뤵ޤ
ͥ㡼ǡ١signature.txt)/usr/local/share˥󥹥ȡ뤵ޤ

3 ¹

Υץ¹Ԥˤϡץबץߥ㥹⡼ɤΥѥåȤѤ뤿롼ȴĶɬפǤ

 % su
 # pakemon
/usr/local/bin˥ѥ̤äƤɬפޤ

4 ץ(as of ver.0.3.0b)

   -c <signature> :ͥեȤ <signature>˻ꤷեѤޤ
   -i <if>        :ͥåȥ󥿡եȤ<if>Ѥޤ
   -u <user id>   :root¤ǽ<user id>ǻꤷ桼θ¤Ǽ¹Ԥޤ
   -v             :ƤΥȥեåΥڥɤƥȷǲ̤˽Ϥޤ
   -q             :Žͥ⡼ (顼Ȥɽޤ)
   -s             :顼Ȥsyslog˵Ͽޤ
   -l <alert_log> :顼ȥꤷޤ
   -n             :ڥɤפޤ
   -t             :ڥɤΥפ˥ƥȤΤߤѤޤ
   -d <dump_log>  :ץꤷޤ
   -h             :Υåɽޤ

5 Хͥ㡼ˡ

 /usr/local/share/pakemon/signature.txt եԽޤ

񼰡

ͥ㡼̾ץȥ롡ݡ ݡ ͥѥʥޥå󥰤ǡϢ³

CGI-phf(CVE-1999-0067) tcp * 80 '/cgi-bin/phf'

# ǻϤޤԤϥȹԤȤ̵뤵ޤ

ͥ̾ڡޤޤʤƥȤǤդ̾ΤĤ뤳ȤǤޤ

ץȥ롧 tcp, udp, icmpꤹ뤳ȤǤޤ
ݡ ݡȡƻоݤȤʤݡֹ򵭽Ҥޤ*(ꥹ)Ѥ뤳ȤǤޤ

ͥ㡧ѥʸʸ̤֥륯(")Ƕߤޤʸʸζ̤Ԥʤϥ󥰥륯(')ǶߤޤХʥǡɽˤϥѥ(|)ǣʿΥǡ򶴤फ\x³ʿ򵭽Ҥޤ
  ˡ|00 00 1F BC| \x00 \x00 \x1F \xBC

ץ󥹤ˤϰʲޤ
              \a, \b, \f, \n, \r, \t, \v, \\, \?, \', \", \x , \>

 ɽѤ(<)(>)Ƕߤޤξ嵭ΥХʥɽӥץ󥹤GNU regexѤ뤳ȤˤʤޤΤǤդ

  ʲΥȤ¾Υȥӥ塼󶡤Ƥ륷ͥեꤹ뤳ȤǤޤ

	Whitehats  http://whitehats.com/ids/vision-pakemon.conf
	
6 

  ǥեȤˤưʲΥե뤬ȤƽϤޤ

  顼    /var/log/pakemon_alert.log

       /var/log/pakemon_dump.log

<>
Хå饦ɤǼ¹ԤkillޥǥץǤ硢ͥåȥ󥿡եץߥ㥹⡼ɤꤵ줿ޤޤˤʤޤrootˤʤä/sbin/ifconfig eth0 -promisc Ȥޤ
*Linux ͥåȥ󥿡եeth0ξ





