# :honey_pot: Catsara
A command line sensor for HoneySENS built on top of [Catsaro Lang](https://github.com/mattoufoutu/catsarolang/).
## Usage
```bash
catsara [config_path]
```
If only one argument is supplied through the command line and matches `/.*\.catsara$/`,
then it will be used as the configuration file. If no matching argument is supplied, the
file `config.catsara` in the current directory will be used instead.
### Arguments
Other arguments can be specified in the configuration file, but some can also be
overridden with options on the command line. Each option overrides the configuration
setting of the same name (documented under Configuration below). The following options
are available:
* `--host`: IP of the listener (`HOST`)
* `--port`: port of the listener (`PORT`)
* `--socket-path`: path to the Unix socket to connect to (`SOCKET_PATH`)
* `--name`: name of the sensor that will be registered (`NAME`)
* `--password`: password of the sensor that will be registered (`PASSWORD`)
* `--sensor-tls`: enable TLS for communication with the sensor (`SENSOR_TLS`)
* `--sensor-key`: path to the private key for TLS (`SENSOR_KEY`)
* `--sensor-cert`: path to the certificate for TLS (`SENSOR_CERT`)
* `--interface`: capture interface (`INTERFACE`)
* `--kernel-filter`: kernel filter string (`KERNEL_FILTER`) … loading a kernel filter.
Note that a value passed with `--password` is visible to every local user in the process
list (`ps`, `/proc/<pid>/cmdline`); prefer setting `PASSWORD` in a configuration file
that is readable only by the user running the sensor.
### Example
The following example illustrates some valid calls from the command line to start the
sensor:
```bash
# Use the default config file path and the values set in the file, with no override
catsara
# Override some settings from the default config file
catsara --host 0.0.0.0 --port 80
# Use a custom path for the config file
catsara /var/catsara/envs/foo/conf.catsara
```
## Setup
Catsara installation and configuration can be done in a few simple steps. If you’re on a
Debian-based system, you can simply use the Makefile provided in this repository to
install the sensor and its dependencies. For other Linux distributions or systems, you
will have to install Python (3.7 or later), Radamsa and libpcap development headers
manually.
```bash
# Install system dependencies for the Python bindings and other tools
sudo apt install libpcap-dev python3-dev python3-pip python3-setuptools radamsa
# Install Python dependencies using pip
pip3 install -r requirements.txt
# Install the sensor globally so it can be run from the CLI
sudo make install
# You can then try to run the sensor with its default config file:
catsara
# ...or specify an alternative config file:
catsara /var/catsara/envs/foo/conf.catsara
```
Note that Catsara will need to be run as root (or at least with the `CAP_NET_RAW` and
`CAP_NET_ADMIN` capabilities) in order to capture packets with the libpcap bindings.
## Configuration
Catsara is configured using a simple configuration file written in the [Catsaro
Lang](https://github.com/mattoufoutu/catsarolang/) syntax. The configuration file will
usually be named `config.catsara` and set some default sensors settings, attack
detectors, reactions and actions.
The following section presents the configuration file syntax and documents its elements.
### Settings
Settings are `NAME = value` assignments, one per line, with `#` starting a comment. A
value can be a bare word, a quoted string, a backtick-quoted expression, a number or a
duration:
```bash
SETTING = value
SETTING2 = "other value"
SETTING3 = `some expression`
SETTING4 = 123.456
SETTING5 = 10:12:00
```
The settings understood by the sensor, with their default values, are:
```bash
HOST = "127.0.0.1" # IP of the listener
PORT = 9999 # Port of the listener
SOCKET_PATH = "/var/run/catsara.sock" # Path to the Unix socket to connect to
NAME = "my_sensor" # Name of the sensor that will be registered
PASSWORD = "foobar" # Password of the sensor that will be registered
INTERFACE = "eth0" # Interface (only to specify in the config file)
KERNEL_FILTER = "" # Kernel filter string (default: "tcp or udp")
SENSOR_TLS = False # Enables TLS for communication with the sensor
SENSOR_KEY = None # Path to the private key for TLS
SENSOR_CERT = None # Path to the certificate for TLS
LOG_FILE = "/var/log/catsara.log" # Path for the rotating log file
VERBOSE = True # Output verbose logs to stdout
```
Note that the log file is always written (if the `LOG_FILE` setting is set), but the
verbosity level of the messages (INFO, DEBUG, etc.) can be set with the `VERBOSE` config
setting or CLI argument. The verbosity level will only affect the logs written on the
standard output.
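The settings syntax above, read back into Python by a small parser. This is an added example, not code from Catsara or Catsaro Lang: it assumes a settings file is a sequence of `SETTING = value` lines with `#` comments, and the checks in `check_settings` (TLS enabled without a key or certificate, empty password) are checks added here, not behaviour the README says the sensor performs. The sample configuration is constructed for the example.

```python
import re
from typing import NamedTuple, Optional


class Expression(NamedTuple):
    """A backtick-quoted `some expression` value, kept verbatim for later evaluation."""
    text: str


class Duration(NamedTuple):
    """A colon-separated duration such as 10:12:00, kept as integer fields.
    The README documents `10:00:00` as ten minutes; how the three fields map to
    units is not specified on the page, so no conversion to seconds is attempted."""
    fields: tuple


# Constructed sample (not a file from the project), covering every value form the
# README shows plus a '#' inside a quoted value.
SAMPLE_CONFIG = """
HOST = "127.0.0.1"                  # IP of the listener
PORT = 9999                         # Port of the listener
NAME = my_sensor                    # bare-word value
PASSWORD = "foobar"
KERNEL_FILTER = ""                  # empty: the sensor falls back to "tcp or udp"
SENSOR_TLS = True
SENSOR_KEY = None                   # forgotten: check_settings() should flag this
SENSOR_CERT = "/etc/catsara/sensor.crt"
WINDOW_DEFAULT = 10:00:00
RATIO = 123.456
EXPR = `len(payload) # not a comment`
"""

_ASSIGN = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(.*)$")
_DURATION = re.compile(r"^\d+(?::\d+){2}$")
DEFAULT_KERNEL_FILTER = "tcp or udp"  # default stated in the README's settings comments


def _strip_comment(line: str) -> str:
    """Drop a trailing '# comment' but leave '#' alone inside "..." or `...`."""
    quote: Optional[str] = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in '"`':
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def parse_value(raw: str):
    """Turn the right-hand side of SETTING = value into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in '"`':
        body = raw[1:-1]
        return Expression(body) if raw[0] == "`" else body
    if raw == "None":
        return None
    if raw in ("True", "False"):
        return raw == "True"
    if _DURATION.match(raw):
        return Duration(tuple(int(f) for f in raw.split(":")))
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw  # bare word, e.g. NAME = my_sensor


def parse_settings(text: str) -> dict:
    """Parse 'SETTING = value' lines; any non-blank line of another shape is an error."""
    settings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = _strip_comment(line).strip()
        if not line:
            continue
        match = _ASSIGN.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not a SETTING = value line: {line!r}")
        settings[match.group(1)] = parse_value(match.group(2))
    return settings


def effective_kernel_filter(settings: dict) -> str:
    """An empty KERNEL_FILTER means the documented default, not 'capture nothing'."""
    return settings.get("KERNEL_FILTER") or DEFAULT_KERNEL_FILTER


def check_settings(settings: dict) -> list:
    """Consistency checks worth running before the sensor starts (added here; the
    README does not say Catsara performs them itself)."""
    problems = []
    if settings.get("SENSOR_TLS") is True:
        for key in ("SENSOR_KEY", "SENSOR_CERT"):
            if not settings.get(key):
                problems.append(f"SENSOR_TLS is enabled but {key} is not set")
    if not settings.get("PASSWORD"):
        problems.append("PASSWORD is empty")
    return problems


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_CONFIG)
    print(cfg)
    print("kernel filter:", effective_kernel_filter(cfg))
    print("problems:", check_settings(cfg))
```

Running the block prints the parsed dictionary, the effective kernel filter (`tcp or udp`, because `KERNEL_FILTER` is empty) and one problem: TLS is enabled but `SENSOR_KEY` is still `None`.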
### Detectors
The `ATTACK` keyword is used to define an attack detector. A detector is made of the
following components (square brackets mark optional parts; the placeholders are inferred
from the examples below):
```bash
ATTACK <attack_type> <name> [on <event_type>] {
    [WINDOW <duration>]
    [LIMIT <threshold>]
    [PRECONDITIONS {
        [<condition> ...]
    }]
    CONSEQUENCE {
        [<command> ...]
    }
}
```
**Attack type** is one of:
* **Connection**: detect attacks based on connection statistics
* **DataLength**: detect attacks based on packet and payload lengths
* **Payload**: detect attacks based on packet payload content
* **Request**: detect attacks based on HTTP GET and parameters
* **Timing**: detect attacks based on (inter)packet timing
**Event type** only applies to some specific detector setups, and specifies a particular
network event to monitor. Note that only the event types `TCP`, `UDP`, `ICMP` and `HTTP`
are valid for the moment, and only if the corresponding kernel filter is applied.
**Window** defines the time window to use for `Connection` and `Timing` detectors and is
expected to be a duration such as `10:00:00` for ten minutes. Note that this is not
supported for the other detector types.
**Limit** applies to all detector types and defines the threshold upon which an alarm
will be raised by the detector (e.g. more than 100 connections in a window qualifies as
a SYN flood).
**Preconditions** are used by the `Payload`, `Request` and `DataLength` detector types to
match packet contents or attributes prior to applying the limit. Only packets that match
the preconditions will be taken into account by the detector.
**Consequence** consists of one or more commands to be executed when an attack is
detected. The commands can be anything installed on the host system, and are executed in
the same shell environment where Catsara is running. Note that the `sudo` utility may be
required for some commands in order to function properly. Since the sensor normally runs
as root (see Setup), anyone who can edit the configuration file can run arbitrary
commands with the sensor's privileges: keep the configuration file owned by root and not
writable by other users.
### Examples
```bash
ATTACK Connection SYNFlood on TCP {
    WINDOW 10:00:00
    LIMIT 100
    CONSEQUENCE {
        echo SYN flood detected
        # Add your command for mitigating the attack here
    }
}
ATTACK Payload SQLi on HTTP {
    LIMIT 1
    PRECONDITIONS {
        payload ~ "select.*from"
        payload ~ "union.*select"
        payload ~ "insert.*into"
        payload ~ "drop.*table"
        payload ~ "update.*set"
    }
    CONSEQUENCE {
        echo SQLi detected
        # Add your command for mitigating the attack here
    }
}
```
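What the two example detectors decide on a stream of events, simulated in Python. This is an added example and not Catsara's own detection code: it models `WINDOW`/`LIMIT` as a sliding-window counter that alarms on "more than LIMIT events in the window" (the README's wording for the SYN flood example; whether the sensor compares with `>` or `>=` is an assumption), treats the `PRECONDITIONS` lines as alternatives (a payload matching all five SQL patterns at once is implausible, so OR is assumed), and uses 600 seconds for the ten-minute window. The traffic is constructed, not captured.

```python
import re
from collections import deque

# Constructed traffic, not a capture: (timestamp in seconds, event type, payload).
# 101 TCP connection attempts spread over 500 s, then three HTTP requests.
SAMPLE_EVENTS = [(t * 5.0, "TCP", "") for t in range(101)] + [
    (600.0, "HTTP", "GET /?id=1 HTTP/1.1"),
    (601.0, "HTTP", "GET /?q=1 union select 1,2 HTTP/1.1"),
    (602.0, "HTTP", "GET /?q=1 UNION SELECT 1,2 HTTP/1.1"),
]

# The README's SQLi preconditions, verbatim.
SQLI_PATTERNS = ["select.*from", "union.*select", "insert.*into", "drop.*table", "update.*set"]


class WindowLimit:
    """Sliding-window counter standing in for WINDOW/LIMIT on a Connection detector.

    Alarms when more than `limit` events fall inside the last `window_seconds`,
    which is how the README words its SYN flood example ("more than 100 connections
    in a window"); the exact comparison Catsara uses is an assumption here.
    """

    def __init__(self, window_seconds: float, limit: int):
        self.window = window_seconds
        self.limit = limit
        self.stamps = deque()

    def observe(self, ts: float) -> bool:
        self.stamps.append(ts)
        # Evict everything older than the window so the count only covers recent events.
        while self.stamps and ts - self.stamps[0] > self.window:
            self.stamps.popleft()
        return len(self.stamps) > self.limit


def syn_flood_alarm_index(events, window_seconds=600.0, limit=100):
    """Index of the event that trips the Connection detector, or None if it never does."""
    detector = WindowLimit(window_seconds, limit)
    for index, (ts, event, _payload) in enumerate(events):
        if event == "TCP" and detector.observe(ts):
            return index
    return None


def sqli_matches(events, patterns=SQLI_PATTERNS, ignore_case=False):
    """Payloads of HTTP events matching any precondition (treated as OR, see lead-in).

    With ignore_case=False this is a plain regex search, as the README's patterns are
    written, and it misses the upper-case request; ignore_case=True is the hardened form.
    """
    flags = re.IGNORECASE if ignore_case else 0
    compiled = [re.compile(p, flags) for p in patterns]
    return [payload for _ts, event, payload in events
            if event == "HTTP" and any(c.search(payload) for c in compiled)]


if __name__ == "__main__":
    print("SYN flood alarm at event", syn_flood_alarm_index(SAMPLE_EVENTS))
    print("case-sensitive SQLi hits:", sqli_matches(SAMPLE_EVENTS))
    print("case-insensitive SQLi hits:", sqli_matches(SAMPLE_EVENTS, ignore_case=True))
```

The same 101 connections spread over 1000 seconds never trip the detector, because at most 61 of them are ever inside a 600-second window; and the lower-case-only patterns let `UNION SELECT` through, so a real deployment would want case-insensitive matching or patterns that cover both cases.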
## Development
### Running the sensor
During development, you can use one of the following commands to start the sensor:
```bash
# Run the default config from the current directory
python3 -m catsara
# Run the default config from its actual installation path
python3 -m catsara /etc/catsara/config.catsara
# Override some settings on the CLI
python3 -m catsara --host 127.0.0.1 --port 9999
```
The `python3 -m catsara` entry point accepts the same options as the `catsara` command installed by the Makefile.
### Issues and bugs
Please use the GitHub issue tracker to submit bugs or request features. We’ll do our
best to answer and fix these in a timely manner. If you’d like to contribute directly to
the project or are simply interested in its development, feel free to fork the project
and submit your pull requests!
### Testing
The project includes some basic tests in the `tests/` directory and automatically
generates coverage reports. Tests can be run with Nose using the following command:
```bash
# Run tests and print the coverage report in the terminal with nosetests
nosetests --with-coverage --cover-package=catsara
```
Reports may also be generated in HTML format and written to the `cover/` directory
by supplying the `--cover-html` option.
### Building
A repository containing Debian packages built automatically from the development branch
is available on
[Bintray](https://bintray.com/mattoufoutu/debian/catsara/_latestVersion). Packages for
the stable releases can also be found in the [Releases
section](https://github.com/mattoufoutu/catsara/releases).
If you’d like to modify and build the package from the sources, you can do so by
executing the following commands:
```bash
# Install build dependencies
sudo apt install build-essential devscripts fakeroot debhelper quilt
# Build the package directly with debuild (recommended)
debuild -us -uc
# ...or use the Makefile targets (generate artefacts in the dist/ directory)
make source
make build
```
Quilt is required for the build and used to apply patches to the original sources when
building the package. Distribution-specific patches should be stored and maintained in
the `debian/patches` directory, along with their corresponding series file.