
Parse fwsnort rules for 'msg' fields

Added the ability to acquire Snort rule 'msg' fields from fwsnort if
it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
to look for the fwsnort rule set.  This fixes a problem reported by Pui
Edylie to the psad mailing list where fwsnort logged an attack that psad
could not map back to a descriptive 'msg' field.
1 parent 361281e commit bd89cfbad0cdc4540f1b983811e40803b8fa29b9 @mrash committed Dec 18, 2012
@@ -479,3 +479,9 @@ Kat
Gregorio Narvaez
- Reported a NetAddr::IP usage bug in "-A --analysis-fields" mode with IP
searches.
+
+Pui Edylie
+ - Reported a problem where psad could not map an fwsnort log message back
+ to the corresponding Snort 'msg' field. Added the FWSNORT_RULES_DIR
+ variable to have psad read Snort rules from any installed fwsnort
+ instance.
@@ -23,6 +23,12 @@ psad-2.2.1 (12//2012):
# grep "IN=.*OUT=" /var/log/kern.log | psad -A --stdin
+ - Added the ability to acquire Snort rule 'msg' fields from fwsnort if
+ it's also installed. A new variable FWSNORT_RULES_DIR tells psad where
+ to look for the fwsnort rule set. This fixes a problem reported by Pui
+ Edylie to the psad mailing list where fwsnort logged an attack that psad
+ could not map back to a descriptive 'msg' field.
+
psad-2.2 (02/20/2012):
- Added support for detection of malicious traffic that is delivered via
IPv6. This is accomplished by parsing ip6tables log messages - these are
106 psad
@@ -3835,67 +3835,72 @@ sub import_snort_rules() {
%fwsnort_sigs = ();
- opendir D, $config{'SNORT_RULES_DIR'}
- or die "[*] Could not open $config{'SNORT_RULES_DIR'}";
- my @rfiles = readdir D;
- closedir D;
+ for my $dir ($config{'SNORT_RULES_DIR'},
+ $config{'FWSNORT_RULES_DIR'}) {
+ next unless -d $dir;
- FILE: for my $rfile (@rfiles) {
- next FILE unless $rfile =~ /\.rules$/;
- if ($srules_type) {
- next FILE unless $rfile =~ /^${srules_type}\.rules$/;
- }
- my ($type) = ($rfile =~ /(\w+)\.rules/);
- open R, "< ${config{'SNORT_RULES_DIR'}}/${rfile}" or
- die "[*] Could not open: ${srules_type}/${rfile}";
- my @lines = <R>;
- close R;
- RULE: for my $line (@lines) {
- next RULE unless $line =~ /^\s*alert/;
- chomp $line;
+ opendir D, $dir or die "[*] Could not open $dir: $!";
+ my @rfiles = readdir D;
+ closedir D;
- my $sid; ### snort rule id
- if ($line =~ /[\s;]sid:\s*(\d+)\s*;/) {
- $sid = $1;
- } else {
- next RULE;
+ FILE: for my $rfile (@rfiles) {
+ next FILE unless $rfile =~ /\.rules$/;
+ if ($srules_type) {
+ next FILE unless $rfile =~ /^${srules_type}\.rules$/;
}
+ my ($type) = ($rfile =~ /(\w+)\.rules/);
- $fwsnort_sigs{$sid}{'msg'} = $1
- if $line =~ /msg:\s*\"(.*?)\"\s*;/;
- $fwsnort_sigs{$sid}{'is_psad_id'} = 0;
+ open R, "< $dir/${rfile}" or
+ die "[*] Could not open: ${srules_type}/${rfile}";
- if ($line =~ /^\s*alert\s+(\w+)/) {
- $fwsnort_sigs{$sid}{'proto'} = lc($1);
- }
+ while (<R>) {
+ next unless /^\s*alert/;
- if ($line =~ /[\s;]classtype:\s*(.*?)\s*;/) {
- $fwsnort_sigs{$sid}{'classtype'} = $1;
- } else {
- $fwsnort_sigs{$sid}{'classtype'} = '';
- }
+ my $sid; ### snort rule id
+ if (/[\s;]sid:\s*(\d+)\s*;/) {
+ $sid = $1;
+ } else {
+ next;
+ }
- $fwsnort_sigs{$sid}{'priority'} = &convert_snort_priority($1)
- if $line =~ /[\s;]priority:\s*(\d+)\s*;/;
+ $fwsnort_sigs{$sid}{'msg'} = $1
+ if /msg:\s*\"(.*?)\"\s*;/;
+ $fwsnort_sigs{$sid}{'is_psad_id'} = 0;
- ### import multiple content fields; someone could have built
- ### a series of custom iptables chains in order to detect
- ### multiple content strings.
- while ($line =~ /[\s;](?:uri)?content:\s*\"(.*?)\"\s*;/g) {
- push @{$fwsnort_sigs{$sid}{'content'}}, $1;
- }
+ if (/^\s*alert\s+(\w+)/) {
+ $fwsnort_sigs{$sid}{'proto'} = lc($1);
+ }
- while ($line =~ /[\s;]reference:\s*(.*?)\s*;/g) {
- my $ref = $1;
- if ($ref =~ /^(\w+),(\S+)/) {
- ### reference:bugtraq,9732;
- push @{$fwsnort_sigs{$sid}{'reference'}{lc($1)}}, $2;
+ if (/[\s;]classtype:\s*(.*?)\s*;/) {
+ $fwsnort_sigs{$sid}{'classtype'} = $1;
+ } else {
+ $fwsnort_sigs{$sid}{'classtype'} = '';
+ }
+
+ $fwsnort_sigs{$sid}{'priority'} = &convert_snort_priority($1)
+ if /[\s;]priority:\s*(\d+)\s*;/;
+
+ ### import multiple content fields; someone could have built
+ ### a series of custom iptables chains in order to detect
+ ### multiple content strings.
+ while (/[\s;](?:uri)?content:\s*\"(.*?)\"\s*;/g) {
+ push @{$fwsnort_sigs{$sid}{'content'}}, $1;
}
- }
- next RULE unless defined $fwsnort_sigs{$sid}{'msg'}
+ while (/[\s;]reference:\s*(.*?)\s*;/g) {
+ my $ref = $1;
+ if ($ref =~ /^(\w+),(\S+)/) {
+ ### reference:bugtraq,9732;
+ push @{$fwsnort_sigs{$sid}{'reference'}{lc($1)}}, $2;
+ }
+ }
+
+ next unless defined $fwsnort_sigs{$sid}{'msg'}
and defined $fwsnort_sigs{$sid}{'classtype'}
and defined $fwsnort_sigs{$sid}{'content'};
+ }
+
+ close R;
}
}
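Review bot: A sid that appears in both SNORT_RULES_DIR and FWSNORT_RULES_DIR is parsed twice, and because the content and reference fields are built with push inside the inner while loop, the second pass appends duplicate entries to those lists while msg, classtype and priority are merely overwritten; `next if exists $fwsnort_sigs{$sid};` placed right after the sid is extracted keeps the first directory's definition and skips the re-parse. The open-failure message still reports `${srules_type}/${rfile}`, which is wrong now that the file opened is `$dir/$rfile` (and is empty-prefixed when no type filter is set); `open R, '<', "$dir/$rfile" or die "[*] Could not open $dir/$rfile: $!";` fixes the message and also replaces the 2-arg open, which parses the mode out of the interpolated path. The new `next unless -d $dir` turns a missing SNORT_RULES_DIR, which previously died, into a silent empty import and warns on an uninitialized value when FWSNORT_RULES_DIR is absent from an older psad.conf; `next unless defined $dir and -d $dir;` covers the second case, and keeping the die for the primary directory is worth considering. The bare `while (<R>)` holds each rule line in the global `$_` across a body that calls convert_snort_priority, which is safe only if that sub never touches `$_`; `while (my $line = <R>)` with `$line =~` matches would make that explicit. import_snort_rules begins and ends outside the hunk.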
@@ -5606,7 +5611,10 @@ sub scan_logr() {
&scan_logr_signatures($src, $dst, $fh, $log_sigs);
### write a scan message to syslog
- my $syslog_str = "scan detected ($nmap_scan_style_str): $src -> $dst";
+ my $syslog_str = 'scan detected ';
+ $syslog_str .= "($nmap_scan_style_str): "
+ if $nmap_scan_style_str ne 'Nmap';
+ $syslog_str .= "$src -> $dst";
$syslog_str .= " $syslog_range" if $syslog_range;
$syslog_str .= " tcp pkts: $tcp_newpkts" if $tcp_newpkts;
$syslog_str .= " udp pkts: $udp_newpkts" if $udp_newpkts;
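Review bot: The new condition `$nmap_scan_style_str ne 'Nmap'` encodes an unstated convention that 'Nmap' is the generic style not worth naming in the syslog line, and a reader of the log format cannot infer that from the code; a comment such as `### the generic 'Nmap' style adds nothing, so only name more specific scan styles` above the `.=` would record it. Where $nmap_scan_style_str is assigned is outside the hunk, so whether it can be undefined at this point (which would warn on the `ne`) cannot be confirmed from this view. scan_logr continues beyond the hunk.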
@@ -486,6 +486,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
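Review bot: The trailing `### may not exist` comment on the new FWSNORT_RULES_DIR line does not say what psad does when the directory is absent, nor why this path is absolute rather than derived from $PSAD_CONF_DIR like SNORT_RULES_DIR directly above it; `### fwsnort's rule set; only read when the directory exists` would state the contract. The same line is added in the seven following config sections, so any later change to the default has to be repeated in each copy.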
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;

