Bug fix for scan sources reported as destinations
In the /var/log/psad/<ip>/ directories, whois information is stored in the
<IP>_whois files, and the IP in the filename was included as a destination IP under
the psad -S output.  This commit fixes this bug.  Here is an example of the
invalid output:

[+] IP Status Detail:

SRC:  123.123.123.221, DL: 2, Dsts: 2, Pkts: 1, Unique sigs: 1, Email alerts: 1

    DST: 1.2.3.4, Local IP
        Scanned ports: TCP 1433, Pkts: 1, Chain: INPUT, Intf: eth0
        Signature match: "MISC Microsoft SQL Server communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 1433, SYN, Sid: 100205
    DST: 123.123.123.221
mrash committed Jul 27, 2011
1 parent c17c10a commit 4b2794f
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions psad
Expand Up @@ -8535,6 +8535,7 @@ sub import_ip_dirs() {
### get all of the destination ip addresses
my %dst_ips;
for my $scan_file (@scan_files) {
next if $scan_file =~ /_whois/; ### may be <src>_whois
if ($scan_file =~ /($ip_re)/) {
$dst_ips{$1} = '';
}
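Review bot: the skip in `next if $scan_file =~ /_whois/;` is unanchored, so any entry in @scan_files with `_whois` anywhere in its name is dropped, not just the `<IP>_whois` files the commit message describes; anchoring it to the end of the name (`/_whois$/`) would limit it to that case. The check that follows, `if ($scan_file =~ /($ip_re)/)`, is also unanchored and will still record an IP from any other file whose name happens to contain one, so matching positively on the expected destination-file name form would be more robust than excluding one known offender. The trailing comment could also state that the whois file carries the scan source IP, since that is the reason the entry must not reach %dst_ips.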