NAME
Gabriel - Network Probe Detector for SATAN
OVERVIEW
The gabriel software package from Los Altos Technologies,
Inc. allows a system administrator to detect network probes
like the ones generated by SATAN. The gabriel package gives
the system administrator an early warning of a possible net-
work intrusion by detecting unauthorized network probing,
and it confirms that authorized probing reaches the expected
network segments. It identifies the source of the probing
and can immediately notify the administrator via a pager, a
phone call, an email message, or a screen display.
The gabriel package is an enterprise-wide solution. It is
easy for a single administrator to protect all the networks
and sub-networks in an entire enterprise. One machine on
each network segment runs the gabriel client software in
addition to that machine's normal workload. These client
pieces monitor all traffic on their network segments and
report excessive network probing to the gabriel server via
the standard syslog facility. A client can only see the
traffic that reaches its own interface, so it must sit on
shared media or on a port that carries the whole segment's
traffic. The server can be configured to notify the system
administrator in a variety of built-in ways (e.g., calling
a pager), or via custom notification scripts. The client
software DOES NOT need to run on every machine. For exam-
ple, even though the software only runs on Unix systems (in
the initial release), one Unix system can protect all the
PCs or NT systems attached to the same network segment.
The clients also send periodic heart-beat messages to the
server, so the administrator can receive daily or weekly e-
mail to confirm that all clients are still doing their jobs.
Ease of use is a key design goal for gabriel. It comes with
installation scripts for both the server and client pieces.
It is a complete package that includes all the necessary
software. The full source code is included for those who
want to examine or extend the product. For people who want
to get started quickly, the package comes with pre-compiled
binaries. A test script is included so you can test the
package even if you do not have a network prober like SATAN
or ISS (Internet Security Scanner).
The package was designed to have a minimal impact on produc-
tion systems. It does not need to run on production sys-
tems. Instead, the client software can simply be installed
on any machine on the same network segments as the produc-
tion machines. These client pieces will detect any probing
of the production systems. If some loading is acceptable,
the client piece can be installed on the production system.
The gabriel package has only a few dependencies on your
environment. It is a collection of programs written in C
and sh scripts. You DO NOT need to install perl or other
software packages or libraries. The program uses the packet
monitor program that comes with each operating system
(e.g., etherfind for Solaris 1, snoop for Solaris 2).
INSTALLATION AND TESTING
The gabriel package can be installed and tested on a single
machine before installing the client pieces to monitor all
of your network segments. To do this, load the software
onto the desired machine and then execute
install_gabriel_server. This program will install the server
reporting piece of gabriel. You then run the
install_gabriel_client program to install and start a client
monitor program, either on the same machine or on a dif-
ferent machine. If you wish to compile the program from its
source code, see the comments in the READ.ME file.
After installing the server, edit the configuration file
mentioned by the install script. This file tells the server
software how you want to receive reports about network prob-
ing. Changes to the configuration will take effect immedi-
ately. There is no need to re-install the program after
changing the configuration file.
To test gabriel run the gabriel_tester program from another
machine on the same network segment. The packet monitor
programs will not detect traffic from a host to itself, so
the tester must be run on another machine. Due to buffering
in the Solaris 2.x packet monitor, the Solaris 2 client
pieces will take longer to notice an attack than the Solaris
1 clients.
After running gabriel_tester, run the gabriel_server program
on the server machine to produce notifications of the
attack.
Once the tester has been run, running gabriel_tester again
will not produce any new notifications. The client pieces
remember the time when they last told the server about a
particular attacking host, and they will only make another
report if the attack is still underway fifteen minutes
later. If you want to run another test, you must kill the
client programs and restart them. Both the gabriel
processes and the packet monitor they started count as
client processes. On a Solaris 1.x machine, you can locate
them with the commands
     ps -agx | grep gabriel ; ps -agx | grep etherfind
On a Solaris 2.x machine, you can locate them with the
commands
     ps -ef | grep gabriel ; ps -ef | grep snoop
HOW IT WORKS
The gabriel package detects SATAN probing by looking for a
host that is probing a large number of different services.
The gabriel_client program examines all initial connection
packets sent over the network attached to the machine run-
ning the client: TCP connection requests, UDP requests and
ICMP requests such as ping. To avoid loading the client
machine, only these initial packets are examined, not the
data transfer packets that follow. The client program
records the source host address, service type (e.g., PING,
FTP, RLOGIN) and probe time in a database of active connec-
tions. Connections are removed from the database after a
period of inactivity.
The gabriel_client program is actually a shell script that
invokes either gabriel_client.sol1 or gabriel_client.sol2
based on the operating system type. This approach makes it
easy to have both Solaris 1 and Solaris 2 machines share an
NFS mounted file system with the gabriel software.
The packets are extracted using the packet monitor program
built into the OS. For Solaris 1.x, the etherfind program
is used. For Solaris 2.x, the snoop program is used. See
the section on porting for information about other plat-
forms.
Periodically, the connection database is scanned to identify
hosts that are requesting connections to a large number of
different services. This is the characteristic footprint of
a network prober like SATAN. Based on the number of dif-
ferent types of probes, the client sends a high or low
priority report to the server. The reports are sent as sys-
log messages identified with local3.notice. The client
install script saves and modifies the /etc/syslog.conf file
to send these messages to the server, and then re-
initializes the syslogd daemon with a HUP signal. The
client pieces also send out periodic heart-beat reports
using syslog messages identified with local3.info. Classic
syslog forwarding is unauthenticated UDP, so the server
should accept local3 messages only from the known client
hosts; the heart-beat messages are the check that reports
are actually arriving.
You can observe the internal workings of the client piece by
directly invoking the gabriel_client.sol1 or
gabriel_client.sol2 program from the command line. By
default, these programs generate per-probe status informa-
tion that is discarded by the parent script gabriel_client.
The server install script saves and modifies the
/etc/syslog.conf file to place all local3 messages into a
file. It also sets up a cron job that periodically runs the
gabriel_server program, which scans the log file. By
default, the server looks at all the log events that were
recorded since it was last run and notifies the administra-
tor about these events according to its configuration file.
The notifications can include calling a pager, sending
email, calling a home phone number to play a distinctive
touch tone pattern, online displays via wall, or arbitrary
notification via custom scripts.
The gabriel_server can be invoked directly from the command
line. For additional help with the server, invoke it with
the -h option.
PORTING
The gabriel software can be ported to any platform that sup-
ports C and sh programming and has a packet monitoring pro-
gram either included with the OS or freely available (e.g.,
tcpdump). To port the software you need to determine how to
make the packet monitor report on the packet types described
in the gabriel_client.c program, and add a parser that
extracts the source host name and service type from the out-
put of the packet monitor.
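The following is an added example, not part of the gabriel
package: a small Python detector that does what the HOW IT
WORKS section describes and includes the kind of parser the
porting note asks for, written for tcpdump output rather
than etherfind or snoop. The tcpdump line format, the ser-
vice names, the two thresholds and the ten-minute inac-
tivity timeout are assumptions made for the example (the
page does not give gabriel's values); only the fifteen-
minute re-report window comes from the page. The capture
lines in SAMPLE_LINES are constructed. The detector also
lets a low-priority report be upgraded to high inside the
fifteen-minute window, which goes beyond what the page
describes.

```python
"""Scanner-footprint detector in the style of gabriel_client (added example;
line format, thresholds and service names are assumptions, not gabriel's)."""
import re
from collections import defaultdict, namedtuple

LOW_PRIORITY_SERVICES = 5     # distinct services from one host -> low report (assumed)
HIGH_PRIORITY_SERVICES = 15   # distinct services from one host -> high report (assumed)
INACTIVITY_TIMEOUT = 10 * 60  # seconds an idle (host, service) entry is kept (assumed)
REPORT_SUPPRESS = 15 * 60     # seconds before the same host is reported again (page)

# Well-known ports -> service names of the kind the page shows (FTP, RLOGIN, ...).
SERVICE_NAMES = {("tcp", 21): "FTP", ("tcp", 23): "TELNET", ("tcp", 25): "SMTP",
                 ("tcp", 111): "RPC", ("tcp", 513): "RLOGIN", ("udp", 69): "TFTP"}

# "tcpdump -n -tt" style: <epoch secs> IP <src>[.<port>] > <dst>[.<port>]: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"\d+\.\d+\.\d+\.\d+(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")

Report = namedtuple("Report", "time priority host services")  # services: sorted tuple

def parse_line(line):
    """Return (time, source host, service) for an initial packet, else None: only
    TCP SYNs without ACK, UDP datagrams and ICMP echo requests count as probes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, rest = float(m.group("ts")), m.group("src"), m.group("rest")
    if rest.startswith("ICMP echo request"):
        return ts, src, "PING"
    dport = int(m.group("dport") or 0)      # 0 when the line carries no port
    if dport and rest.startswith("Flags [S],"):   # SYN set, ACK clear: new connection
        proto = "tcp"
    elif dport and rest.startswith("UDP,"):
        proto = "udp"
    else:
        return None                         # SYN-ACK, data, FIN, ...: not a probe
    return ts, src, SERVICE_NAMES.get((proto, dport), f"{proto}/{dport}")

class ProbeDetector:
    def __init__(self, low=LOW_PRIORITY_SERVICES, high=HIGH_PRIORITY_SERVICES,
                 timeout=INACTIVITY_TIMEOUT, suppress=REPORT_SUPPRESS):
        self.low, self.high, self.timeout, self.suppress = low, high, timeout, suppress
        self.seen = {}         # (host, service) -> time last seen
        self.last_report = {}  # host -> (time, priority) of the last report sent

    def observe(self, ts, host, service):
        self.seen[(host, service)] = ts

    def scan(self, now):
        """Periodic pass: expire idle entries, then report hosts touching many
        services. A host is reported again inside the suppress window only when
        a low report is being upgraded to high (an addition not on the page)."""
        for key in [k for k, t in self.seen.items() if now - t > self.timeout]:
            del self.seen[key]
        per_host = defaultdict(set)
        for host, service in self.seen:
            per_host[host].add(service)
        reports = []
        for host, services in sorted(per_host.items()):
            if len(services) < self.low:
                continue
            priority = "high" if len(services) >= self.high else "low"
            last = self.last_report.get(host)
            if last and now - last[0] < self.suppress and not (
                    priority == "high" and last[1] == "low"):
                continue
            self.last_report[host] = (now, priority)
            reports.append(Report(now, priority, host, tuple(sorted(services))))
        return reports

def syslog_line(report):
    """Message text the client would log with syslog selector local3.notice."""
    return (f"gabriel_client: {report.priority.upper()} priority probe from "
            f"{report.host}: {len(report.services)} services ({', '.join(report.services)})")

# Constructed sample capture: a scanner (192.0.2.10), a normal host (192.0.2.30)
# and a SYN-ACK reply that must be ignored. The RPC probe is over an hour old.
SAMPLE_LINES = """\
890780000.000000 IP 192.0.2.10.3000 > 192.0.2.20.111: Flags [S], seq 1, win 512, length 0
890783990.000000 IP 192.0.2.10.3001 > 192.0.2.20.21: Flags [S], seq 1, win 512, length 0
890783990.100000 IP 192.0.2.20.21 > 192.0.2.10.3001: Flags [S.], seq 7, ack 2, win 512, length 0
890783991.000000 IP 192.0.2.10.3002 > 192.0.2.20.23: Flags [S], seq 1, win 512, length 0
890783992.000000 IP 192.0.2.10.3003 > 192.0.2.20.25: Flags [S], seq 1, win 512, length 0
890783993.000000 IP 192.0.2.10.3004 > 192.0.2.20.513: Flags [S], seq 1, win 512, length 0
890783994.000000 IP 192.0.2.10.3005 > 192.0.2.20.69: UDP, length 20
890783995.000000 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 1, seq 1, length 64
890783996.000000 IP 192.0.2.30.4000 > 192.0.2.20.25: Flags [S], seq 1, win 512, length 0
"""
NOW = 890784000.0  # time of the scan, a few seconds after the last sample packet

def run_detector(lines, now, detector=None):
    """Feed capture lines to a detector and run one scan at time `now`."""
    det = detector or ProbeDetector()
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed:
            det.observe(*parsed)
    return det, det.scan(now)
```

Run it with run_detector(SAMPLE_LINES, NOW): the scanner
192.0.2.10 is reported at low priority for six services,
the hour-old RPC probe has already expired, and a second
scan a minute later returns nothing because of the re-
report window. Note the interplay of the two timers: a
host is reported again after fifteen minutes only if its
entries have been refreshed in the meantime, since idle
entries expire first.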
LIMITATIONS
The initial release only runs on Solaris 1 and Solaris 2.
The client machines can only have one network interface.
The thresholds for detecting an attack are hard to change
after the clients are installed.
AUTHORS
Bob Baldwin, Ben Dubin, and Richard Mahn. Copyright 1998 by
Los Altos Technologies, Inc. All rights reserved. Gabriel
is a trademark of Los Altos Technologies, Inc.
Please contact us with questions or comments.
Los Altos Technologies, Inc.
1381 Kildaire Farm Road, Suite 415
Cary, NC 27511
Phone: (800) 999-UNIX, (919) 233-9889
Fax: (919) 233-6761
E-mail: info@lat.com
Last Update: 3/25/98