added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false
commit fae72b9b60cac8597b321f5aa780c839310a8c24 1 parent d485571
@mrash authored
Showing with 66 additions and 36 deletions.
  1. +8 −3 fwcheck_psad.pl
  2. +12 −1 psad
  3. +46 −32 test/test-psad.pl
11 fwcheck_psad.pl
@@ -46,6 +46,7 @@
my @fw_search = ();
my $help = 0;
+my $test_mode = 0;
my $fw_analyze = 0;
my $fw_file = '';
my $fw_search_all = 1;
@@ -64,6 +65,7 @@
'no-fw-search-all' => \$no_fw_search_all, # looking for specific log
# prefixes
'Lib-dir=s' => \$psad_lib_dir,# Specify path to psad lib directory.
+ 'test-mode' => \$test_mode, # Used by the test suite.
'help' => \$help, # Display help.
));
&usage(0) if $help;
@@ -155,14 +157,14 @@ ()
" it is possible your firewall config is compatible with psad anyway.\n";
}
- unless ($config{'ALERTING_METHODS'} =~ /no.?e?mail/i) {
+ unless ($config{'ALERTING_METHODS'} =~ /no.?e?mail/i or $test_mode) {
&send_mail("[psad-status] firewall setup warning on " .
"$config{'HOSTNAME'}!", $config{'FW_CHECK_FILE'},
$config{'EMAIL_ADDRESSES'},
$cmds{'mail'}
);
}
- if ($fw_analyze) {
+ if ($fw_analyze and not $test_mode) {
print "[-] Errors found in firewall config.\n";
print " emailed to ",
"$config{'EMAIL_ADDRESSES'}\n";
@@ -602,7 +604,10 @@ ()
--fw-analyze - Analyze the local iptables
ruleset and exit.
--no-fw-search-all - looking for specific log
- prefixes
+ prefixes.
+ --Lib-dir <dir> - Path to the psad lib directory.
+ --test-mode - Enable test mode (used by the
+ test suite).
--help - Display help.
_HELP_
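Review bot: The usage entry added for --test-mode says only that it is "used by the test suite", while the hunk at -155 shows what the flag actually changes: the firewall-setup warning email is no longer sent and the "[-] Errors found" notice is no longer printed. Someone reading the usage output or the Getopt comment `# Used by the test suite.` cannot tell that the switch silences a notification, so I would state the effect, e.g. `--test-mode - Enable test mode: suppress the firewall setup warning email and notice (used by the test suite).`, and give the Getopt comment the same wording. The usage() heredoc and the function that emits the warning both begin outside the hunks shown.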
13 psad
@@ -338,6 +338,7 @@ my $analysis_fields = '';
my $analysis_tokens_ar = [];
my $analysis_match_criteria_ar = [];
my $get_next_rule_id = 0;
+my $test_mode = 0;
my $syslog_server = 0;
my $kill = 0;
my $restart = 0;
@@ -3096,7 +3097,9 @@ sub psad_init() {
### turn off buffering
$| = 1;
- $no_syslog_alerts = 1 if $analyze_mode or $status_mode;
+ $no_syslog_alerts = 1 if $analyze_mode or $status_mode or $test_mode;
+ $no_email_alerts = 1 if $test_mode;
+ $debug = 1 if $test_mode;
### import any override config files first
&import_override_configs() if $override_config_str;
@@ -3497,6 +3500,11 @@ sub is_local() {
print STDERR "[+] is_local(): $ip..." if $debug;
+ if ($test_mode) {
+ print STDERR "(test mode enabled) no\n";
+ return 0;
+ }
+
my $found = 0;
for my $net (@local_nets) {
if ($ip_obj->within($net)) {
@@ -8214,6 +8222,7 @@ sub fw_analyze_mode() {
$opts .= " --fw-analyze" if $fw_analyze;
$opts .= " --fw-file $fw_file" if $fw_file;
$opts .= " -L $lib_dir" if $lib_dir;
+ $opts .= " --test-mode" if $test_mode;
$opts .= " --no-fw-search-all" if $config{'FW_SEARCH_ALL'} eq 'N';
$exit_status = (system "$cmds{'fwcheck_psad'} $opts") >> 8;
}
@@ -10476,6 +10485,8 @@ sub getopt_wrapper() {
# messages to error log.
'no-kmsgsd' => \$no_kmsgsd, # Do not start kmsgsd (used for
# debugging).
+ 'test-mode' => \$test_mode, # Enable test mode (used by the
+ # test suite).
'verbose' => \$verbose, # Verbose output (for both alerts
# and debug info).
'Version' => \$print_ver, # Print the psad version and exit.
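Review bot: In is_local() the new `print STDERR "(test mode enabled) no\n";` is unconditional, whereas the `[+] is_local(): $ip...` prefix it completes on the line above is printed only `if $debug`; the two only line up because psad_init() now sets `$debug = 1 if $test_mode`, which is an implicit coupling between two hunks. Guarding it the same way, `print STDERR "(test mode enabled) no\n" if $debug;`, keeps the early return from emitting a dangling fragment if that default ever changes; is_local() starts and ends outside the hunk. Separately, the `--test-mode` token appended in fw_analyze_mode() joins a single string handed to `system "$cmds{'fwcheck_psad'} $opts"`, which the shell parses; the new token is constant, but `$fw_file` and `$lib_dir` in the same string come from the command line, so building `@opts` as separate words and calling `system($cmds{'fwcheck_psad'}, @opts)` would avoid shell interpretation of those values.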
78 test/test-psad.pl
@@ -20,6 +20,7 @@
my $ipv6_connect_scan_file = 'ipv6_tcp_connect_nmap_default_scan';
my $ignore_ipv4_auto_dl_file = "$conf_dir/auto_dl_ignore_192.168.10.55";
my $ignore_ipv4_subnet_auto_dl_file = "$conf_dir/auto_dl_ignore_192.168.10.0_24";
+my $ignore_ipv6_addr_auto_dl_file = "$conf_dir/auto_dl_ignore_ipv6_addr";
my $dl5_ipv4_auto_dl_file = "$conf_dir/auto_dl_5_192.168.10.55";
my $dl5_ipv4_subnet_auto_dl_file = "$conf_dir/auto_dl_5_192.168.10.0_24";
my $dl5_ipv4_subnet_auto_dl_file_tcp = "$conf_dir/auto_dl_5_192.168.10.0_24_tcp";
@@ -96,7 +97,7 @@
'detail' => 'config dump+validate',
'err_msg' => 'could not dump+validate config',
'function' => \&validate_config,
- 'cmdline' => "$psadCmd -D -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode -D -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
@@ -108,7 +109,7 @@
qr/\biptables\b/, qr/\bip6tables\b/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --fw-dump -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode --fw-dump -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
@@ -119,7 +120,7 @@
'positive_output_matches' => [qr/Listing\schains\sfrom\sIPT_AUTO_CHAIN/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --fw-list-auto -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode --fw-list-auto -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
@@ -130,7 +131,7 @@
'positive_output_matches' => [qr/Parsing.*iptables/, qr/Parsing.*ip6tables/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --fw-analyze -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode --fw-analyze -c $default_conf",
'exec_err' => $IGNORE,
'fatal' => $NO
},
@@ -139,7 +140,7 @@
'detail' => '--Status',
'err_msg' => 'could not get psad status',
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -S -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode -S -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
@@ -148,7 +149,7 @@
'detail' => '--Status --status-summary',
'err_msg' => 'could not get psad status summary',
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -S --status-summary -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode -S --status-summary -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
@@ -159,7 +160,7 @@
'positive_output_matches' => [qr/Next\savailable.*\s\d+/i],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --get-next-rule-id -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode --get-next-rule-id -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
@@ -170,7 +171,7 @@
'positive_output_matches' => [qr/Entering\sbenchmark\smode/, qr/processing\stime\:\s\d+/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --Benchmark --packets 1000 -c $default_conf",
+ 'cmdline' => "$psadCmd --test-mode --Benchmark --packets 1000 -c $default_conf",
'exec_err' => $IGNORE,
'fatal' => $NO
},
@@ -185,7 +186,7 @@
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -201,7 +202,7 @@
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$fin_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -217,7 +218,7 @@
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$xmas_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -232,7 +233,7 @@
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$null_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -247,7 +248,7 @@
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$ack_scan_file -c $enable_ack_detection_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -262,7 +263,7 @@
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -278,7 +279,7 @@
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -293,7 +294,7 @@
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -308,7 +309,7 @@
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -320,7 +321,7 @@
'negative_output_matches' => [qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -336,7 +337,7 @@
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -351,7 +352,7 @@
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -366,7 +367,7 @@
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -378,7 +379,7 @@
'negative_output_matches' => [qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -391,7 +392,7 @@
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $ignore_ipv4_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -403,7 +404,7 @@
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -415,7 +416,7 @@
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $ignore_tcp_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -427,7 +428,7 @@
'positive_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $require_prefix_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -439,7 +440,7 @@
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $require_missing_prefix_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -453,7 +454,7 @@
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $ignore_ipv4_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -465,7 +466,7 @@
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -477,7 +478,7 @@
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $ignore_udp_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -493,7 +494,7 @@
qr/2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$ipv6_connect_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
@@ -506,11 +507,24 @@
'negative_output_matches' => [qr/2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd -A -m $scans_dir/" .
+ 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
&fw_type() . "/$ipv6_connect_scan_file -c $disable_ipv6_conf",
'exec_err' => $NO,
'fatal' => $NO
},
+ {
+ 'category' => 'operations',
+ 'detail' => 'ignore IPv6 connect() scan source',
+ 'err_msg' => 'logged IPv6 traffic',
+ 'positive_output_matches' => [qr/\[NONE\]/],
+ 'negative_output_matches' => [qr/2001\:DB8\:0\:F101\:\:2/],
+ 'match_all' => $MATCH_ALL_RE,
+ 'function' => \&generic_exec,
+ 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv6_addr_auto_dl_file " .
+ "-m $scans_dir/" . &fw_type() . "/$ipv6_connect_scan_file -c $default_conf",
+ 'exec_err' => $NO,
+ 'fatal' => $NO
+ },
);
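Review bot: The new test case at the end of the last hunk passes `$ignore_ipv6_addr_auto_dl_file`, declared near the top as `"$conf_dir/auto_dl_ignore_ipv6_addr"`, but the diffstat lists only the three files shown, so that auto_dl fixture is not added by this commit; unless it already exists in the tree, the --auto-dl run will presumably not behave as the `[NONE]` and negative IPv6 matches expect. Separately, `--test-mode` is now pasted by hand into every 'cmdline' string, so a future test that omits it would silently run with email alerts and is_local() active; appending it once where `$psadCmd` is defined (outside these hunks), or declaring `my $test_opts = '--test-mode';` and interpolating that, removes the chance of an inconsistent entry. The enclosing test array begins before the first hunk of this file.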