From 9e43ba5942a05e80ae4da45bf25716ffcb98981a Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Sat, 8 Feb 2014 12:28:22 -0500
Subject: [PATCH] (Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface aliases in IGNORE_INTERFACES
This fixes issue #8 on github.
---
 CREDITS | 4 +
 ChangeLog | 2 +
 psad | 5 +-
 test/conf/ignore_intf.conf | 188 +++++++++++++++++++++++++++++++++++++
 test/test-psad.pl | 13 +++
 5 files changed, 209 insertions(+), 3 deletions(-)
 create mode 100644 test/conf/ignore_intf.conf
diff --git a/CREDITS b/CREDITS
index a047a83..ec5a85a 100644
--- a/CREDITS
+++ b/CREDITS
@@ -507,3 +507,7 @@ Gusta-BH
 Tim Kramer
 - Provided guidance on getting psad to be compatible with the upstart init daemon on RHEL systems. This effort was tracked via issue #12 on github.
+
+Wolfgang Breyha
+ - Submitted a patch to allow VLAN interfaces and interface aliases in
+ IGNORE_INTERFACES. This fixes issue #8 on github.
diff --git a/ChangeLog b/ChangeLog
index 5916755..135225f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@ psad-2.2.3 (//2014):
 addition, a new init script located at init-scripts/upstart/psad has been added that is compatible with upstart - this script is meant to be copied to the /etc/init.d/ directory.
+ - (Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface aliases
+ in IGNORE_INTERFACES. This fixes issue #8 on github.
 psad-2.2.2 (01/13/2014):
 - Added detection for Errata Security's "Masscan" port scanner that was
diff --git a/psad b/psad
index 1ac1274..043ae77 100755
--- a/psad
+++ b/psad
@@ -789,8 +789,7 @@ MAIN: for (;;) {
 if ($hup_flag) {
- &sys_log('received HUP signal, ' .
- 're-importing psad.conf');
+ &sys_log('received HUP signal, re-importing psad.conf');
 print STDERR "[+] Received HUP signal, re-importing config...\n" if $debug;
@@ -3863,7 +3862,7 @@ sub parse_ignore_interfaces() {
 my @interfaces = split /\s*,\s*/, $config{'IGNORE_INTERFACES'};
 for my $intf (@interfaces) {
- if ($intf =~ /\W/) {
+ if ($intf !~ /^[\w.:]+$/) {
 &sys_log('invalid interface in IGNORE_INTERFACES var');
 } else {
 $ignore_interfaces{$intf} = '';
diff --git a/test/conf/ignore_intf.conf b/test/conf/ignore_intf.conf
new file mode 100644
index 0000000..13ae3d4
--- /dev/null
+++ b/test/conf/ignore_intf.conf
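Review bot: The new character class still rejects interface names that contain a hyphen, which Linux permits (bridge names such as br-lan are common), so those remain impossible to list in IGNORE_INTERFACES and fall into the same 'invalid interface' branch as before. `if ($intf !~ /\A[\w.:-]+\z/) {` admits them and also anchors with \A and \z, so a value with a trailing newline cannot slip past the `$` anchor. The log line would be easier to act on if it named the rejected value: `&sys_log("invalid interface '$intf' in IGNORE_INTERFACES var");`. parse_ignore_interfaces continues past the end of the hunk.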
@@ -0,0 +1,188 @@
+EMAIL_ADDRESSES root@localhost;
+HOSTNAME _CHANGEME_;
+HOME_NET any;
+EXTERNAL_NET any;
+FW_SEARCH_ALL Y;
+FW_MSG_SEARCH DROP;
+SYSLOG_DAEMON syslogd;
+IFCFGTYPE ifconfig;
+DANGER_LEVEL1 5; ### Number of packets.
+DANGER_LEVEL2 15;
+DANGER_LEVEL3 150;
+DANGER_LEVEL4 1500;
+DANGER_LEVEL5 10000;
+CHECK_INTERVAL 5;
+SNORT_SID_STR SID;
+ENABLE_PSADWATCHD Y;
+PORT_RANGE_SCAN_THRESHOLD 1;
+PROTOCOL_SCAN_THRESHOLD 5;
+ENABLE_PERSISTENCE Y;
+SCAN_TIMEOUT 3600; ### seconds
+PERSISTENCE_CTR_THRESHOLD 5;
+MAX_SCAN_IP_PAIRS 0;
+SHOW_ALL_SIGNATURES N;
+ALERTING_METHODS nomail;
+ENABLE_SYSLOG_FILE Y;
+IPT_WRITE_FWDATA Y;
+IPT_SYSLOG_FILE /var/log/messages;
+ENABLE_SIG_MSG_SYSLOG Y;
+SIG_MSG_SYSLOG_THRESHOLD 10;
+SIG_SID_SYSLOG_THRESHOLD 10;
+EXPECT_TCP_OPTIONS Y;
+MAX_HOPS 20;
+IGNORE_KERNEL_TIMESTAMP Y;
+IGNORE_CONNTRACK_BUG_PKTS Y;
+IGNORE_PORTS NONE;
+IGNORE_PROTOCOLS NONE;
+IGNORE_INTERFACES eth1, eth0.1;
+IGNORE_LOG_PREFIXES NONE;
+MIN_DANGER_LEVEL 1;
+EMAIL_ALERT_DANGER_LEVEL 1;
+ENABLE_IPV6_DETECTION Y;
+ENABLE_INTF_LOCAL_NETS Y;
+ENABLE_MAC_ADDR_REPORTING N;
+ENABLE_FW_LOGGING_CHECK Y;
+EMAIL_LIMIT 0;
+ENABLE_EMAIL_LIMIT_PER_DST N;
+EMAIL_LIMIT_STATUS_MSG Y;
+EMAIL_THROTTLE 0;
+ALERT_ALL Y;
+IMPORT_OLD_SCANS N;
+SYSLOG_IDENTITY psad;
+SYSLOG_FACILITY LOG_LOCAL7;
+SYSLOG_PRIORITY LOG_INFO;
+TOP_PORTS_LOG_THRESHOLD 500;
+STATUS_PORTS_THRESHOLD 20;
+TOP_SIGS_LOG_THRESHOLD 500;
+STATUS_SIGS_THRESHOLD 50;
+TOP_IP_LOG_THRESHOLD 500;
+STATUS_IP_THRESHOLD 25;
+TOP_SCANS_CTR_THRESHOLD 1;
+ENABLE_DSHIELD_ALERTS N;
+DSHIELD_ALERT_EMAIL reports@dshield.org;
+DSHIELD_ALERT_INTERVAL 6; ### hours
+DSHIELD_USER_ID 0;
+DSHIELD_USER_EMAIL NONE;
+DSHIELD_DL_THRESHOLD 0;
+HTTP_SERVERS $HOME_NET;
+SMTP_SERVERS $HOME_NET;
+DNS_SERVERS $HOME_NET;
+SQL_SERVERS $HOME_NET;
+TELNET_SERVERS $HOME_NET;
+AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
+HTTP_PORTS 80;
+SHELLCODE_PORTS !80;
+ORACLE_PORTS 1521;
+ENABLE_SNORT_SIG_STRICT Y;
+ENABLE_AUTO_IDS N;
+AUTO_IDS_DANGER_LEVEL 5;
+AUTO_BLOCK_TIMEOUT 3600;
+AUTO_BLOCK_DL1_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL2_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL3_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL5_TIMEOUT 0; ### permanent
+ENABLE_AUTO_IDS_REGEX N;
+AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
+ENABLE_RENEW_BLOCK_EMAILS N;
+ENABLE_AUTO_IDS_EMAILS Y;
+IPTABLES_BLOCK_METHOD Y;
+IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
+IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
+IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
+FLUSH_IPT_AT_INIT Y;
+IPTABLES_PREREQ_CHECK 1;
+TCPWRAPPERS_BLOCK_METHOD N;
+WHOIS_TIMEOUT 60; ### seconds
+WHOIS_LOOKUP_THRESHOLD 20;
+ENABLE_WHOIS_FORCE_ASCII N;
+ENABLE_WHOIS_FORCE_SRC_IP N;
+DNS_LOOKUP_THRESHOLD 20;
+ENABLE_EXT_SCRIPT_EXEC N;
+EXTERNAL_SCRIPT /bin/true;
+EXEC_EXT_SCRIPT_PER_ALERT N;
+DISK_CHECK_INTERVAL 300; ### seconds
+DISK_MAX_PERCENTAGE 95;
+DISK_MAX_RM_RETRIES 10;
+ENABLE_SCAN_ARCHIVE N;
+TRUNCATE_FWDATA Y;
+MIN_ARCHIVE_DANGER_LEVEL 1;
+MAIL_ALERT_PREFIX [psad-alert];
+MAIL_STATUS_PREFIX [psad-status];
+MAIL_ERROR_PREFIX [psad-error];
+MAIL_FATAL_PREFIX [psad-fatal];
+SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
+PSADWATCHD_CHECK_INTERVAL 5; ### seconds
+PSADWATCHD_MAX_RETRIES 10;
+INSTALL_ROOT psad-install;
+PSAD_DIR $INSTALL_ROOT/var/log/psad;
+PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
+PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
+PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
+PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
+PSAD_ERR_DIR $PSAD_DIR/errs;
+CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
+SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
+ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
+SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
+FW_DATA_FILE $PSAD_DIR/fwdata;
+ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
+FW_CHECK_FILE $PSAD_DIR/fw_check;
+DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
+SIGS_FILE $PSAD_CONF_DIR/signatures;
+PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
+ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
+ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
+AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
+SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
+POSF_FILE $PSAD_CONF_DIR/posf;
+P0F_FILE $PSAD_CONF_DIR/pf.os;
+IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
+PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
+ETC_HOSTS_DENY_FILE /etc/hosts.deny;
+ETC_SYSLOG_CONF /etc/syslog.conf;
+ETC_RSYSLOG_CONF /etc/rsyslog.conf;
+ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
+ETC_METALOG_CONF /etc/metalog/metalog.conf;
+STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
+ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
+INSTALL_LOG_FILE $PSAD_DIR/install.log;
+PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
+PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
+KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
+PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
+AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
+AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
+AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
+FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
+PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
+PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
+PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
+TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
+TOP_SIGS_FILE $PSAD_DIR/top_sigs;
+TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
+DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
+IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
+IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
+IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;
+iptablesCmd /sbin/iptables;
+ip6tablesCmd /sbin/ip6tables;
+shCmd /bin/sh;
+wgetCmd /usr/bin/wget;
+gzipCmd /bin/gzip;
+mknodCmd /bin/mknod;
+psCmd /bin/ps;
+mailCmd /bin/mail;
+sendmailCmd /usr/sbin/sendmail;
+ifconfigCmd /sbin/ifconfig;
+ipCmd /sbin/ip;
+killallCmd /usr/bin/killall;
+netstatCmd /bin/netstat;
+unameCmd /bin/uname;
+whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
+dfCmd /bin/df;
+fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
+psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
+kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
+psadCmd $INSTALL_ROOT/usr/sbin/psad;
diff --git a/test/test-psad.pl b/test/test-psad.pl
index 0bbaf33..5738164 100755
--- a/test/test-psad.pl
+++ b/test/test-psad.pl
@@ -45,6 +45,7 @@
 my $default_conf = "$conf_dir/default_psad.conf";
 my $ignore_udp_conf = "$conf_dir/ignore_udp.conf";
 my $ignore_tcp_conf = "$conf_dir/ignore_tcp.conf";
+my $ignore_intf_conf = "$conf_dir/ignore_intf.conf";
 my $auto_blocking_conf = "$conf_dir/auto_blocking.conf";
 my $auto_dl5_blocking_conf = "$conf_dir/auto_min_dl5_blocking.conf";
 my $require_prefix_conf = "$conf_dir/require_DROP_syslog_prefix_str.conf";
@@ -771,6 +772,18 @@
 'exec_err' => $NO,
 'fatal' => $NO
 },
+ {
+ 'category' => 'operations',
+ 'detail' => 'psad.conf ignore eth1 traffic',
+ 'err_msg' => 'did not ignore eth1 traffic',
+ 'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
+ 'match_all' => $MATCH_ALL_RE,
+ 'function' => \&generic_exec,
+ 'cmdline' => "$psadCmd --test-mode -A --analysis-write-data --auto-dl $dl5_ipv4_auto_dl_file " .
+ "-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $ignore_intf_conf $normal_root_override_str",
+ 'exec_err' => $NO,
+ 'fatal' => $NO
+ },
 {
 'category' => 'operations',
 'detail' => 'psad.conf require DROP prefix',
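Review bot: The fixture's `IGNORE_INTERFACES eth1, eth0.1;` exercises only the dotted VLAN form, so the colon form that the commit title also claims (interface aliases such as eth0:1) is never parsed by the suite and a regression in that half of the new character class would go unnoticed. Listing all three shapes, `IGNORE_INTERFACES eth1, eth0.1, eth0:1;`, costs nothing and documents the accepted syntax in the one place a reader will look for it. The remaining lines appear to mirror the default test config; a `### differs from default: IGNORE_INTERFACES` comment at the top would tell future readers which setting this fixture exists for.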
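Review bot: The new test case asserts only that `SRC: 192.168.10.55` is absent from the output, which also passes if that source never appears in the syn scan fixture at all, or if psad produced no analysis for an unrelated reason; whether that address arrives on eth1 in the scan file is not visible here. A companion case that runs the same scan file with the default config and expects the address in a positive match list (the counterpart of `negative_output_matches`) would show that IGNORE_INTERFACES, not the input, is what removes it. The detail string also names eth1, while the fix is about dotted and colon names; a second entry for traffic on eth0.1 would tie the test to the regex change the commit makes. The test list this entry belongs to starts outside the hunk.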