(Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface alia…
…ses in IGNORE_INTERFACES

This fixes issue #8 on github.
mrash committed Feb 8, 2014
1 parent b0bd270 commit 9e43ba5
Showing 5 changed files with 209 additions and 3 deletions.
4 changes: 4 additions & 0 deletions CREDITS
Expand Up @@ -507,3 +507,7 @@ Gusta-BH
Tim Kramer
- Provided guidance on getting psad to be compatible with the upstart init
daemon on RHEL systems. This effort was tracked via issue #12 on github.

Wolfgang Breyha
- Submitted a patch to allow VLAN interfaces and interface aliases in
IGNORE_INTERFACES. This fixes issue #8 on github.
2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -6,6 +6,8 @@ psad-2.2.3 (//2014):
addition, a new init script located at init-scripts/upstart/psad has
been added that is compatible with upstart - this script is meant to be
copied to the /etc/init.d/ directory.
- (Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface aliases
in IGNORE_INTERFACES. This fixes issue #8 on github.

psad-2.2.2 (01/13/2014):
- Added detection for Errata Security's "Masscan" port scanner that was
5 changes: 2 additions & 3 deletions psad
Expand Up @@ -789,8 +789,7 @@ MAIN: for (;;) {

if ($hup_flag) {

&sys_log('received HUP signal, ' .
're-importing psad.conf');
&sys_log('received HUP signal, re-importing psad.conf');

print STDERR "[+] Received HUP signal, re-importing config...\n"
if $debug;
Expand Down Expand Up @@ -3863,7 +3862,7 @@ sub parse_ignore_interfaces() {

my @interfaces = split /\s*,\s*/, $config{'IGNORE_INTERFACES'};
for my $intf (@interfaces) {
if ($intf =~ /\W/) {
if ($intf !~ /^[\w.:]+$/) {
&sys_log('invalid interface in IGNORE_INTERFACES var');
} else {
$ignore_interfaces{$intf} = '';
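Review bot: The new check `if ($intf !~ /^[\w.:]+$/) {` in the second hunk still accepts a value ending in a newline, because `$` also matches before a final "\n"; anchoring with `\A` and `\z` — `if ($intf !~ /\A[\w.:]+\z/) {` — rejects everything the old `\W` test rejected while still admitting the intended `.` (VLAN) and `:` (alias) forms. Whether a newline can actually reach this point depends on how `$config{'IGNORE_INTERFACES'}` is read, which is outside the hunk, so this is a cheap hardening rather than a demonstrated failure. It would also help operators if the rejected entry were named in the log line, e.g. `&sys_log("invalid interface '$intf' in IGNORE_INTERFACES var");`, since the current message does not say which entry was dropped. parse_ignore_interfaces continues past the end of the hunk.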
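--- a/test/conf/ignore_intf.conf
+++ b/test/conf/ignore_intf.conf
@@ -0,0 +1,188 @@
+EMAIL_ADDRESSES root@localhost;
+HOSTNAME _CHANGEME_;
+HOME_NET any;
+EXTERNAL_NET any;
+FW_SEARCH_ALL Y;
+FW_MSG_SEARCH DROP;
+SYSLOG_DAEMON syslogd;
+IFCFGTYPE ifconfig;
+DANGER_LEVEL1 5; ### Number of packets.
+DANGER_LEVEL2 15;
+DANGER_LEVEL3 150;
+DANGER_LEVEL4 1500;
+DANGER_LEVEL5 10000;
+CHECK_INTERVAL 5;
+SNORT_SID_STR SID;
+ENABLE_PSADWATCHD Y;
+PORT_RANGE_SCAN_THRESHOLD 1;
+PROTOCOL_SCAN_THRESHOLD 5;
+ENABLE_PERSISTENCE Y;
+SCAN_TIMEOUT 3600; ### seconds
+PERSISTENCE_CTR_THRESHOLD 5;
+MAX_SCAN_IP_PAIRS 0;
+SHOW_ALL_SIGNATURES N;
+ALERTING_METHODS nomail;
+ENABLE_SYSLOG_FILE Y;
+IPT_WRITE_FWDATA Y;
+IPT_SYSLOG_FILE /var/log/messages;
+ENABLE_SIG_MSG_SYSLOG Y;
+SIG_MSG_SYSLOG_THRESHOLD 10;
+SIG_SID_SYSLOG_THRESHOLD 10;
+EXPECT_TCP_OPTIONS Y;
+MAX_HOPS 20;
+IGNORE_KERNEL_TIMESTAMP Y;
+IGNORE_CONNTRACK_BUG_PKTS Y;
+IGNORE_PORTS NONE;
+IGNORE_PROTOCOLS NONE;
+IGNORE_INTERFACES eth1, eth0.1;
+IGNORE_LOG_PREFIXES NONE;
+MIN_DANGER_LEVEL 1;
+EMAIL_ALERT_DANGER_LEVEL 1;
+ENABLE_IPV6_DETECTION Y;
+ENABLE_INTF_LOCAL_NETS Y;
+ENABLE_MAC_ADDR_REPORTING N;
+ENABLE_FW_LOGGING_CHECK Y;
+EMAIL_LIMIT 0;
+ENABLE_EMAIL_LIMIT_PER_DST N;
+EMAIL_LIMIT_STATUS_MSG Y;
+EMAIL_THROTTLE 0;
+ALERT_ALL Y;
+IMPORT_OLD_SCANS N;
+SYSLOG_IDENTITY psad;
+SYSLOG_FACILITY LOG_LOCAL7;
+SYSLOG_PRIORITY LOG_INFO;
+TOP_PORTS_LOG_THRESHOLD 500;
+STATUS_PORTS_THRESHOLD 20;
+TOP_SIGS_LOG_THRESHOLD 500;
+STATUS_SIGS_THRESHOLD 50;
+TOP_IP_LOG_THRESHOLD 500;
+STATUS_IP_THRESHOLD 25;
+TOP_SCANS_CTR_THRESHOLD 1;
+ENABLE_DSHIELD_ALERTS N;
+DSHIELD_ALERT_EMAIL reports@dshield.org;
+DSHIELD_ALERT_INTERVAL 6; ### hours
+DSHIELD_USER_ID 0;
+DSHIELD_USER_EMAIL NONE;
+DSHIELD_DL_THRESHOLD 0;
+HTTP_SERVERS $HOME_NET;
+SMTP_SERVERS $HOME_NET;
+DNS_SERVERS $HOME_NET;
+SQL_SERVERS $HOME_NET;
+TELNET_SERVERS $HOME_NET;
+AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
+HTTP_PORTS 80;
+SHELLCODE_PORTS !80;
+ORACLE_PORTS 1521;
+ENABLE_SNORT_SIG_STRICT Y;
+ENABLE_AUTO_IDS N;
+AUTO_IDS_DANGER_LEVEL 5;
+AUTO_BLOCK_TIMEOUT 3600;
+AUTO_BLOCK_DL1_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL2_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL3_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL5_TIMEOUT 0; ### permanent
+ENABLE_AUTO_IDS_REGEX N;
+AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
+ENABLE_RENEW_BLOCK_EMAILS N;
+ENABLE_AUTO_IDS_EMAILS Y;
+IPTABLES_BLOCK_METHOD Y;
+IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
+IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
+IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
+FLUSH_IPT_AT_INIT Y;
+IPTABLES_PREREQ_CHECK 1;
+TCPWRAPPERS_BLOCK_METHOD N;
+WHOIS_TIMEOUT 60; ### seconds
+WHOIS_LOOKUP_THRESHOLD 20;
+ENABLE_WHOIS_FORCE_ASCII N;
+ENABLE_WHOIS_FORCE_SRC_IP N;
+DNS_LOOKUP_THRESHOLD 20;
+ENABLE_EXT_SCRIPT_EXEC N;
+EXTERNAL_SCRIPT /bin/true;
+EXEC_EXT_SCRIPT_PER_ALERT N;
+DISK_CHECK_INTERVAL 300; ### seconds
+DISK_MAX_PERCENTAGE 95;
+DISK_MAX_RM_RETRIES 10;
+ENABLE_SCAN_ARCHIVE N;
+TRUNCATE_FWDATA Y;
+MIN_ARCHIVE_DANGER_LEVEL 1;
+MAIL_ALERT_PREFIX [psad-alert];
+MAIL_STATUS_PREFIX [psad-status];
+MAIL_ERROR_PREFIX [psad-error];
+MAIL_FATAL_PREFIX [psad-fatal];
+SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
+PSADWATCHD_CHECK_INTERVAL 5; ### seconds
+PSADWATCHD_MAX_RETRIES 10;
+INSTALL_ROOT psad-install;
+PSAD_DIR $INSTALL_ROOT/var/log/psad;
+PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
+PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
+PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
+PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
+PSAD_ERR_DIR $PSAD_DIR/errs;
+CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
+SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
+ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
+SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
+FW_DATA_FILE $PSAD_DIR/fwdata;
+ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
+FW_CHECK_FILE $PSAD_DIR/fw_check;
+DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
+SIGS_FILE $PSAD_CONF_DIR/signatures;
+PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
+ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
+ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
+AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
+SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
+POSF_FILE $PSAD_CONF_DIR/posf;
+P0F_FILE $PSAD_CONF_DIR/pf.os;
+IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
+PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
+ETC_HOSTS_DENY_FILE /etc/hosts.deny;
+ETC_SYSLOG_CONF /etc/syslog.conf;
+ETC_RSYSLOG_CONF /etc/rsyslog.conf;
+ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
+ETC_METALOG_CONF /etc/metalog/metalog.conf;
+STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
+ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
+INSTALL_LOG_FILE $PSAD_DIR/install.log;
+PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
+PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
+KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
+PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
+AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
+AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
+AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
+FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
+PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
+PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
+PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
+TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
+TOP_SIGS_FILE $PSAD_DIR/top_sigs;
+TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
+DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
+IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
+IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
+IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;
+iptablesCmd /sbin/iptables;
+ip6tablesCmd /sbin/ip6tables;
+shCmd /bin/sh;
+wgetCmd /usr/bin/wget;
+gzipCmd /bin/gzip;
+mknodCmd /bin/mknod;
+psCmd /bin/ps;
+mailCmd /bin/mail;
+sendmailCmd /usr/sbin/sendmail;
+ifconfigCmd /sbin/ifconfig;
+ipCmd /sbin/ip;
+killallCmd /usr/bin/killall;
+netstatCmd /bin/netstat;
+unameCmd /bin/uname;
+whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
+dfCmd /bin/df;
+fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
+psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
+kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
+psadCmd $INSTALL_ROOT/usr/sbin/psad;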
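Review bot: `IGNORE_INTERFACES eth1, eth0.1;` exercises the VLAN dot form but not the alias colon form that the commit also enables, so the `:` part of the new interface pattern in psad is never parsed by this fixture. Adding an alias entry, `IGNORE_INTERFACES eth1, eth0.1, eth0:1;`, covers both accepted forms without changing what the accompanying test asserts, since only the eth1 entry appears to matter for the negative match in test-psad.pl as far as the visible test entry shows. A fixture that also contained a deliberately malformed entry would confirm the "invalid interface" path still rejects it, but that would need a separate test entry expecting the log line.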
13 changes: 13 additions & 0 deletions test/test-psad.pl
Expand Up @@ -45,6 +45,7 @@
my $default_conf = "$conf_dir/default_psad.conf";
my $ignore_udp_conf = "$conf_dir/ignore_udp.conf";
my $ignore_tcp_conf = "$conf_dir/ignore_tcp.conf";
my $ignore_intf_conf = "$conf_dir/ignore_intf.conf";
my $auto_blocking_conf = "$conf_dir/auto_blocking.conf";
my $auto_dl5_blocking_conf = "$conf_dir/auto_min_dl5_blocking.conf";
my $require_prefix_conf = "$conf_dir/require_DROP_syslog_prefix_str.conf";
Expand Down Expand Up @@ -771,6 +772,18 @@
'exec_err' => $NO,
'fatal' => $NO
},
{
'category' => 'operations',
'detail' => 'psad.conf ignore eth1 traffic',
'err_msg' => 'did not ignore eth1 traffic',
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
'cmdline' => "$psadCmd --test-mode -A --analysis-write-data --auto-dl $dl5_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $ignore_intf_conf $normal_root_override_str",
'exec_err' => $NO,
'fatal' => $NO
},
{
'category' => 'operations',
'detail' => 'psad.conf require DROP prefix',
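Review bot: The new test entry relies only on `'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/]`, so it also passes when psad emits no scan report at all (wrong fixture path, config parse failure) rather than because eth1 traffic was ignored. Pairing it with a positive expectation for a source that is not on an ignored interface would make the check distinguish those cases; that presumably needs a positive-match key in this harness, which is not visible in the hunk. The `--auto-dl $dl5_ipv4_auto_dl_file` argument on the cmdline looks carried over from the neighbouring test and seems unrelated to interface filtering, but that file is not shown here. The enclosing test list starts and ends outside the hunk.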
