NAME
gabriel - Network Probe Detector for SATAN

OVERVIEW
The gabriel software package from Los Altos Technologies, Inc. allows a system administrator to detect network probes like the ones generated by SATAN. The gabriel package gives the system administrator an early warning of a possible network intrusion by detecting unauthorized network probing, and it confirms that authorized probing reaches the expected network segments. It identifies the source of the probing and can immediately notify the administrator via a pager, a phone call, an email message, or a screen display.

The gabriel package is an enterprise-wide solution. It is easy for a single administrator to protect all the networks and sub-networks in an entire enterprise. One machine on each network segment runs the gabriel client software in addition to that machine's normal workload. These client pieces monitor all traffic on their network segments and report excessive network probing to the gabriel server via the standard syslog facility. The server can be configured to notify the system administrator in a variety of built-in ways (e.g., calling a pager), or via custom notification scripts.

The client software DOES NOT need to run on every machine. For example, even though the software only runs on Unix systems (in the initial release), one Unix system can protect all the PCs or NT systems attached to the same network segment. The clients also send periodic heart-beat messages to the server, so the administrator can receive daily or weekly e-mail to confirm that all clients are still doing their jobs.

Ease of use is a key design goal for gabriel. It comes with installation scripts for both the server and client pieces. It is a complete package that includes all the necessary software. The full source code is included for those who want to examine or extend the product. For people who want to get started quickly, the package comes with pre-compiled binaries.
A test script is included so you can test the package even if you do not have a network prober like SATAN or ISS (Internet Security Scanner).

The package was designed to have a minimal impact on production systems. It does not need to run on production systems. Instead, the client software can simply be installed on any machine on the same network segments as the production machines. These client pieces will detect any probing of the production systems. If some loading is acceptable, the client piece can be installed on the production system.

The gabriel package has only a few dependencies on your environment. It is a collection of programs written in C and sh scripts. You DO NOT need to install perl or other software packages or libraries. The program uses the existing packet filtering programs for each operating system (e.g., etherfind for Solaris 1).

INSTALLATION AND TESTING
The gabriel package can be installed and tested on a single machine before installing the client pieces to monitor all of your network segments. To do this, load the software onto the desired machine and then execute install_gabriel_server. This program will install the server reporting piece of gabriel. You then run the install_gabriel_client program to install and start a client monitor program, either on the same machine or on a different machine. If you wish to compile the program from its source code, see the comments in the READ.ME file.

After installing the server, edit the configuration file mentioned by the install script. This file tells the server software how you want to receive reports about network probing. Changes to the configuration will take effect immediately. There is no need to re-install the program after changing the configuration file.

To test gabriel, run the gabriel_tester program from another machine on the same network segment. The packet monitor programs will not detect traffic from a host to itself, so the tester must be run on another machine.
Due to buffering in the Solaris 2.x packet monitor, the Solaris 2 client pieces will take longer to notice an attack than the Solaris 1 clients. After running gabriel_tester, run the gabriel_server program on the server machine to produce notifications of the attack.

Once the tester has been run, running gabriel_tester again will not produce any new notifications. The client pieces remember the time when they last told the server about a particular attacking host, and they will only make another report if the attack is still underway fifteen minutes later. If you want to run another test, you must kill the client programs and restart them.

On a Solaris 1.x machine, you can locate the client processes with the commands:

    ps -agx | grep gabriel ; ps -agx | grep etherfind

On a Solaris 2.x machine, you can locate the client processes with the commands:

    ps -ef | grep gabriel ; ps -ef | grep snoop

HOW IT WORKS
The gabriel package detects SATAN probing by looking for a host that is probing a large number of different services. The gabriel_client program examines all initial connection packets sent over the network attached to the machine running the client. These include ICMP, TCP and UDP packets. To avoid loading the client machine, only the initial connection packets are examined, not the data transfer packets. The client program records the source host address, service type (e.g., PING, FTP, RLOGIN) and probe time in a database of active connections. Connections are removed from the database after a period of inactivity.

The gabriel_client program is actually a shell script that invokes either gabriel_client.sol1 or gabriel_client.sol2 based on the operating system type. This approach makes it easy to have both Solaris 1 and Solaris 2 machines share an NFS mounted file system with the gabriel software.

The packets are extracted using the packet monitor program built into the OS. For Solaris 1.x, the etherfind program is used.
For Solaris 2.x, the snoop program is used. See the section on porting for information about other platforms.

Periodically, the connection database is scanned to identify hosts that are requesting connections to a large number of different services. This is the characteristic footprint of a network prober like SATAN. Based on the number of different types of probes, the client sends a high or low priority report to the server. The reports are sent as syslog messages identified with local3.notice. The client install script saves and modifies the /etc/syslog.conf file to send these messages to the server, and then re-initializes the syslogd daemon with a HUP signal. The client pieces also send out periodic heart-beat reports using syslog messages identified with local3.info.

You can observe the internal workings of the client piece by directly invoking the gabriel_client.sol1 or gabriel_client.sol2 program from the command line. By default, these programs generate per-probe status information that is discarded by the parent script gabriel_client.

The server install script saves and modifies the /etc/syslog.conf file to place all local3 messages into a file. It also sets up a cron job that periodically runs the gabriel_server program, which scans the log file. By default, the server looks at all the log events that were recorded since it was last run and notifies the administrator about these events according to its configuration file. The notifications can include calling a pager, sending email, calling a home phone number to play a distinctive touch tone pattern, online displays via wall, or arbitrary notification via custom scripts.

The gabriel_server program can be invoked directly from the command line. For additional help with the server, invoke it with the -h option.
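The following Python script is an added illustration of the client-side detection logic described in HOW IT WORKS; it is not code from the gabriel package. It reconstructs the active-connection database keyed by source host and service, the periodic scan that counts distinct services per host and picks a low or high priority report, the removal of idle entries, and the fifteen-minute suppression of repeat reports for the same attacking host, and runs them over packet summaries shaped like snoop's one-line output. The service-count thresholds, the idle timeout, the port-to-service table, the host names and the sample lines are all assumptions of the example; the page does not give gabriel's actual values.

```python
import re
from collections import defaultdict

# Assumed thresholds and timers. The page says the client reports at low or high
# priority depending on how many different services a host probes, drops idle
# connection entries, and re-reports a host only if it is still probing fifteen
# minutes after the last report; the numbers below are not from the page.
LOW_PRIORITY_SERVICES = 5
HIGH_PRIORITY_SERVICES = 15
INACTIVITY_TIMEOUT = 600        # seconds before an idle connection entry is dropped
REPORT_SUPPRESSION = 15 * 60    # seconds before the same host is reported again

# Destination port -> service name. Hypothetical subset; gabriel_client.c's own
# table is not on the page.
TCP_SERVICES = {21: "FTP", 23: "TELNET", 25: "SMTP", 79: "FINGER", 80: "HTTP",
                110: "POP3", 111: "SUNRPC", 119: "NNTP", 143: "IMAP", 513: "RLOGIN",
                514: "RSH", 515: "PRINTER", 6000: "X11"}
UDP_SERVICES = {53: "DNS", 69: "TFTP", 161: "SNMP", 2049: "NFS"}

LINE_RE = re.compile(r"^(\S+) -> (\S+) (TCP|UDP|ICMP) (.*)$")


def parse_line(line):
    """Return (source host, service) for an initial connection packet, else None.
    Replies (Syn Ack) and data-transfer packets are skipped, as the page says
    gabriel_client does to keep the load on the client machine low."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _dst, proto, rest = m.groups()
    fields = rest.split()
    if proto == "ICMP":
        return (src, "PING") if rest.startswith("Echo request") else None
    if proto == "TCP" and ("Syn" not in fields or "Ack" in fields):
        return None
    port = next((int(f[2:]) for f in fields if f.startswith("D=")), None)
    if port is None:
        return None
    table = TCP_SERVICES if proto == "TCP" else UDP_SERVICES
    return (src, table.get(port, f"{proto}/{port}"))


class ProbeDetector:
    """Active-connection database plus the periodic scan the page describes."""

    def __init__(self):
        self.db = {}            # (src, service) -> time last seen
        self.last_report = {}   # src -> time the server was last told about it

    def record(self, now, line):
        parsed = parse_line(line)
        if parsed is not None:
            self.db[parsed] = now

    def expire(self, now):
        # Connections are removed from the database after a period of inactivity.
        self.db = {k: t for k, t in self.db.items() if now - t <= INACTIVITY_TIMEOUT}

    def scan(self, now):
        """Return [(priority, src, distinct_service_count)] for hosts to report now."""
        self.expire(now)
        per_host = defaultdict(set)
        for src, service in self.db:
            per_host[src].add(service)
        reports = []
        for src, services in sorted(per_host.items()):
            n = len(services)
            if n < LOW_PRIORITY_SERVICES:
                continue
            last = self.last_report.get(src)
            if last is not None and now - last < REPORT_SUPPRESSION:
                continue        # already reported; attack not yet fifteen minutes old
            self.last_report[src] = now
            priority = "high" if n >= HIGH_PRIORITY_SERVICES else "low"
            reports.append((priority, src, n))
        return reports


def format_report(priority, src, n):
    """Text of the syslog message the client would send at local3.notice."""
    return f"local3.notice gabriel_client: {priority} priority probe from {src} ({n} services)"


# Constructed sample traffic in the shape of snoop's one-line summaries (not a
# capture). ws1 does ordinary work; probe.example sweeps 18 distinct services.
SAMPLE_LINES = [
    (0, "ws1.example -> mail.example TCP D=25 S=40211 Syn Seq=1 Len=0 Win=8760"),
    (1, "mail.example -> ws1.example TCP D=40211 S=25 Syn Ack Seq=9 Ack=2 Len=0"),  # reply: ignored
    (2, "ws1.example -> mail.example TCP D=25 S=40211 Ack=10 Seq=2 Len=120"),        # data: ignored
    (5, "ws1.example -> ns.example UDP D=53 S=40212 LEN=40"),
]
SAMPLE_LINES += [(10 + i, f"probe.example -> ws1.example TCP D={p} S={50000 + i} Syn Seq=0 Len=0")
                 for i, p in enumerate(sorted(TCP_SERVICES))]
SAMPLE_LINES += [(30 + i, f"probe.example -> ws1.example UDP D={p} S={51000 + i} LEN=28")
                 for i, p in enumerate(sorted(UDP_SERVICES))]
SAMPLE_LINES.append((40, "probe.example -> ws1.example ICMP Echo request (ID: 1 Sequence number: 0)"))


def run_demo():
    det = ProbeDetector()
    for t, line in SAMPLE_LINES:
        det.record(t, line)
    first = det.scan(now=60)    # 18 distinct services from probe.example -> high priority
    second = det.scan(now=120)  # same host within fifteen minutes -> suppressed
    # A smaller sweep a quarter of an hour later; the earlier entries have idled out.
    for i, p in enumerate([21, 23, 25, 79, 80, 110]):
        det.record(900 + i, f"probe.example -> ws2.example TCP D={p} S={52000 + i} Syn Seq=0 Len=0")
    third = det.scan(now=960)   # 6 services, fifteen minutes since last report -> low priority
    return first, second, third
```

run_demo() returns three scan results: a high priority report for probe.example, an empty second scan because the same host was reported less than fifteen minutes earlier, and a low priority report once the suppression window has passed and only six services remain in the database. The suppression is why the page tells you to kill and restart the clients before repeating a gabriel_tester run: the last_report timestamp lives in the client process.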
PORTING
The gabriel software can be ported to any platform that supports C and sh programming and has a packet monitoring program either included with the OS, or available from the public domain (e.g., tcpdump). To port the software you need to determine how to make the packet monitor report on the packet types described in the gabriel_client.c program, and add a parser that extracts the source host name and service type from the output of the packet filter.

LIMITATIONS
The initial release only runs on Solaris 1 and Solaris 2. The client machines can only have one network interface. The thresholds for detecting an attack are hard to change after the clients are installed.

AUTHORS
Bob Baldwin, Ben Dubin, and Richard Mahn.

Copyright 1995 by Los Altos Technologies, Inc. All rights reserved. Gabriel is a trademark of Los Altos Technologies, Inc.