Gabriel

NAME
     gabriel - Network Probe Detector for SATAN

OVERVIEW
     The gabriel software package from Los Altos Technologies, Inc.
     allows a system administrator to detect network probes like
     the ones generated by SATAN.  The gabriel package gives the
     system administrator an early warning of a possible network
     intrusion by detecting unauthorized network probing, and it
     confirms that authorized probing reaches the expected network
     segments.  It identifies the source of the probing and can
     immediately notify the administrator via a pager, a phone
     call, an email message, or a screen display.

     The gabriel package is an enterprise-wide solution.  It is easy
     for a single administrator to protect all the networks and
     sub-networks in an entire enterprise.  One machine on each
     network segment runs the gabriel client software in addition
     to that machine's normal workload.  These client pieces
     monitor all traffic on their network segments and report
     excessive network probing to the gabriel server via the
     standard syslog facility.  The server can be configured to
     notify the system administrator in a variety of built-in ways
     (e.g., calling a pager), or via custom notification scripts.
     The client software DOES NOT need to run on every machine.
     For example, even though the software only runs on Unix
     systems (in the initial release), one Unix system can protect
     all the PCs or NT systems attached to the same network
     segment.

     The clients also send periodic heart-beat messages to the
     server, so the administrator can receive daily or weekly
     e-mail to confirm that all clients are still doing their jobs.

     Ease of use is a key design goal for gabriel. It comes  with
     installation  scripts for both the server and client pieces.
     It is a complete package that  includes  all  the  necessary
     software.  The  full  source  code is included for those who
     want to examine or extend the product.  For people who  want
     to  get started quickly, the package comes with pre-compiled
     binaries.  A test script is included so  you  can  test  the
     package  even if you do not have a network prober like SATAN
     or ISS (Internet Security Scanner).

     The package was designed to have a minimal impact on
     production systems.  It does not need to run on production
     systems.  Instead, the client software can simply be installed
     on any machine on the same network segments as the production
     machines.  These client pieces will detect any probing of the
     production systems.  If some loading is acceptable, the client
     piece can be installed on the production system.

     The gabriel package has only a few dependencies on your
     environment.  It is a collection of programs written in C and
     sh scripts.  You DO NOT need to install perl or other software
     packages or libraries.  The program uses the existing packet
     filtering programs for each operating system (e.g., etherfind
     for Solaris 1).

INSTALLATION AND TESTING
     The gabriel package can be installed and tested on a single
     machine before installing the client pieces to monitor all of
     your network segments.  To do this, load the software onto the
     desired machine and then execute install_gabriel_server.  This
     program will install the server reporting piece of gabriel.
     You then run the install_gabriel_client program to install and
     start a client monitor program, either on the same machine or
     on a different machine.  If you wish to compile the program
     from its source code, see the comments in the READ.ME file.

     After installing the server, edit the configuration file
     mentioned by the install script.  This file tells the server
     software how you want to receive reports about network
     probing.  Changes to the configuration will take effect
     immediately.  There is no need to re-install the program after
     changing the configuration file.

     To test gabriel run the gabriel_tester program from  another
     machine  on  the  same  network segment.  The packet monitor
     programs will not detect traffic from a host to  itself,  so
     the tester must be run on another machine.  Due to buffering
     in the Solaris 2.x packet  monitor,  the  Solaris  2  client
     pieces will take longer to notice an attack than the Solaris
     1 clients.

     After running gabriel_tester, run the gabriel_server program
     on  the  server  machine  to  produce  notifications  of the
     attack.

     Once the tester has been run, running gabriel_tester again
     will not produce any new notifications.  The client pieces
     remember the time when they last told the server about a
     particular attacking host, and they will only make another
     report if the attack is still underway fifteen minutes later.
     If you want to run another test, you must kill the client
     programs and restart them.  On a Solaris 1.x machine, you can
     locate the client processes with the command:

          ps -agx | grep gabriel ; ps -agx | grep etherfind

     On a Solaris 2.x machine, you can locate the client processes
     with the command:

          ps -ef | grep gabriel ; ps -ef | grep snoop

HOW IT WORKS
     The gabriel package detects SATAN probing by looking for a
     host that is probing a large number of different services.
     The gabriel_client program examines all initial connection
     packets sent over the network attached to the machine running
     the client.  These include ICMP, TCP and UDP packets.  To
     avoid loading the client machine, only the initial connection
     packets are examined, not the data transfer packets.  The
     client program records the source host address, service type
     (e.g., PING, FTP, RLOGIN) and probe time in a database of
     active connections.  Connections are removed from the database
     after a period of inactivity.

     The gabriel_client program is actually a shell  script  that
     invokes  either  gabriel_client.sol1  or gabriel_client.sol2
     based on the operating system type.  This approach makes  it
     easy  to have both Solaris 1 and Solaris 2 machines share an
     NFS mounted file system with the gabriel software.

     The packets are extracted using the packet monitor program
     built into the OS.  For Solaris 1.x, the etherfind program is
     used.  For Solaris 2.x, the snoop program is used.  See the
     section on porting for information about other platforms.

     Periodically, the connection database is scanned to identify
     hosts that are requesting connections to a large number of
     different services.  This is the characteristic footprint of a
     network prober like SATAN.  Based on the number of different
     types of probes, the client sends a high or low priority
     report to the server.  The reports are sent as syslog messages
     identified with local3.notice.  The client install script
     saves and modifies the /etc/syslog.conf file to send these
     messages to the server, and then re-initializes the syslogd
     daemon with a HUP signal.  The client pieces also send out
     periodic heart-beat reports using syslog messages identified
     with local3.info.
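     The client-side detection described above (the connection
     database with inactivity expiry, the periodic scan that picks a
     high or low priority report from the number of distinct
     services, and the fifteen-minute re-report rule from
     INSTALLATION AND TESTING), modelled in Python as an added
     example that is not part of the gabriel package.  The
     thresholds, the input line format and the service names are
     assumptions; the report strings only mimic the local3.notice
     messages, and run_sample replays constructed lines in time
     order, scanning at each scan time.

```python
# Model of the gabriel_client loop described above (added example, not the Los
# Altos Technologies code; thresholds, line format and service names assumed).
from collections import defaultdict

LOW_THRESHOLD = 4        # assumed: distinct services for a low priority report
HIGH_THRESHOLD = 7       # assumed: distinct services for a high priority report
INACTIVE_SECS = 600      # assumed: idle entries are dropped from the database
REREPORT_SECS = 15 * 60  # page: report again only if still underway 15 min later
# Constructed monitor output, "<epoch> <source host> <service>", one line per
# initial connection packet, as a port's parser would hand it to this logic.
SAMPLE_LINES = [
    "1000 10.0.0.7 PING", "1005 10.0.0.7 FTP", "1010 10.0.0.7 TELNET", "1015 10.0.0.7 SMTP",
    "1030 10.0.0.9 SMTP", "1900 10.0.0.7 PING", "1905 10.0.0.7 FTP", "1910 10.0.0.7 TELNET",
    "1915 10.0.0.7 SMTP", "1920 10.0.0.7 FINGER", "1925 10.0.0.7 RLOGIN", "1930 10.0.0.7 RSH",
]

def parse_line(line):
    when, src, service = line.split()
    return int(when), src, service

class ProbeDetector:
    def __init__(self):
        self.db = {}           # (source host, service) -> last probe time
        self.last_report = {}  # source host -> time the server was last told
    def record(self, when, src, service):
        self.db[(src, service)] = when
    def scan(self, now):
        self.db = {k: t for k, t in self.db.items() if now - t <= INACTIVE_SECS}
        per_host = defaultdict(set)
        for src, service in self.db:
            per_host[src].add(service)
        reports = []
        for src, services in sorted(per_host.items()):
            if len(services) < LOW_THRESHOLD:
                continue
            if now - self.last_report.get(src, -REREPORT_SECS) < REREPORT_SECS:
                continue       # told the server recently; wait for fifteen minutes
            prio = "high" if len(services) >= HIGH_THRESHOLD else "low"
            self.last_report[src] = now
            reports.append(f"local3.notice gabriel: {prio} priority probe from "
                           f"{src} ({len(services)} services)")
        return reports

def run_sample(lines=SAMPLE_LINES, scan_times=(1100, 1200, 2000)):
    det, events, results, i = ProbeDetector(), sorted(map(parse_line, lines)), {}, 0
    for when in scan_times:
        while i < len(events) and events[i][0] <= when:
            det.record(*events[i]); i += 1
        results[when] = det.scan(when)
    return results
```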

     You can observe the internal workings of the client piece by
     directly invoking the gabriel_client.sol1 or
     gabriel_client.sol2 program from the command line.  By
     default, these programs generate per-probe status information
     that is discarded by the parent script gabriel_client.

     The server install script saves and modifies the
     /etc/syslog.conf file to place all local3 messages into a
     file.  It also sets up a cron job that periodically runs the
     gabriel_server program, which scans the log file.  By default,
     the server looks at all the log events that were recorded
     since it was last run and notifies the administrator about
     these events according to its configuration file.  The
     notifications can include calling a pager, sending email,
     calling a home phone number to play a distinctive touch tone
     pattern, online displays via wall, or arbitrary notification
     via custom scripts.

     The gabriel_server can be invoked directly from the  command
     line.   For  additional help with the server, invoke it with
     the -h option.

PORTING
     The gabriel software can be ported to any platform that
     supports C and sh programming and has a packet monitoring
     program either included with the OS, or available from the
     public domain (e.g., tcpdump).  To port the software you need
     to determine how to make the packet monitor report on the
     packet types described in the gabriel_client.c program, and
     add a parser that extracts the source host name and service
     type from the output of the packet filter.

LIMITATIONS
     The initial release only runs on Solaris 1 and Solaris 2.

     The client machines can only have one network interface.

     The thresholds for detecting an attack are  hard  to  change
     after the clients are installed.

AUTHORS
     Bob Baldwin, Ben Dubin, and Richard Mahn.  Copyright 1995 by
     Los  Altos Technologies, Inc.  All rights reserved.  Gabriel
     is a trademark of Los Altos Technologies, Inc.


Los Altos Technologies, Inc.
2111 Grant Road, Los Altos, CA 94024-6954
Phone (800) 999-UNIX, (415) 988-4848
Fax (415) 988-4860
E-Mail info@lat.com