
Bug fix for NetAddr::IP usage in --analysis-fields IP search mode

Bug fix in --Analyze mode when IP fields are to be searched with the
--analysis-fields argument (such as --analysis-fields "SRC:1.2.3.4").
The bug was reported by Gregorio Narvaez, and looked like this:

  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
  Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
  128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.

Added --stdin argument to allow psad to collect iptables log data from
STDIN in --Analyze mode.
1 parent 30120fb commit ff46fe12b238b7f7b63b2f31345bb6a8f99f7efe @mrash committed Nov 21, 2012
Showing with 289 additions and 15 deletions.
  1. +18 −0 ChangeLog
  2. +45 −14 psad
  3. +6 −0 psad.8
  4. +24 −0 test/install.answers
  5. +196 −1 test/test-psad.pl
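--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,21 @@
+psad-2.2.1 (11/24/2012):
+ - Bug fix in --Analyze mode when IP fields are to be searched with the
+ --analysis-fields argument (such as --analysis-fields "SRC:1.2.3.4").
+ The bug was reported by Gregorio Narvaez, and looked like this:
+
+ Use of uninitialized value $_[0] in length at
+ ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
+ ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
+ Use of uninitialized value $_[0] in length at
+ ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
+ ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
+ Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
+ 128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
+ ../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.
+
+ - Added --stdin argument to allow psad to collect iptables log data from
+ STDIN in --Analyze mode.
+
 psad-2.2 (02/20/2012):
 - Added support for detection of malicious traffic that is delivered via
 IPv6. This is accomplished by parsing ip6tables log messages - these are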
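--- a/psad
+++ b/psad
@@ -393,6 +393,7 @@ my $csv_end_line = 0;
 my $csv_regex = '';
 my $csv_neg_regex = '';
 my $csv_have_timestamp = 0;
+my $pkts_from_stdin = 0;
 my $dump_ipt_policy = 0;
 my $fw_include_ips = 0;
 my $benchmark = 0;
@@ -1925,7 +1926,7 @@ sub parse_NF_pkt_str() {
 ### we are looking to analyze packets from a specific IP/subnet
 if ($pkt_hr->{'is_ipv6'}) {
 if ($restrict_ip->version() == 6) {
- return $PKT_IGNORE unless
+ return $PKT_IGNORE unless
 $pkt_hr->{'s_obj'}->within($restrict_ip) or
 $pkt_hr->{'d_obj'}->within($restrict_ip);
 }
@@ -7194,13 +7195,20 @@ sub analysis_mode() {
 }
 print "[+] Entering analysis mode. Parsing $fw_data_file\n";
- open MSGS, "< $fw_data_file" or die "[*] Could not open ",
- "$fw_data_file: $!";
- my @lines = <MSGS>;
- close MSGS;
+ my $fh = '';
+ if ($pkts_from_stdin) {
+ $fh = *STDIN;
+ } else {
+ open MSGS, "< $fw_data_file" or die "[*] Could not open ",
+ "$fw_data_file: $!";
+ $fh = *MSGS;
+ }
 my @ipt_msgs = ();
 my $pkt_ctr = 0;
- PKT: for my $line (@lines) {
+ my $line_ctr = 0;
+ PKT: while (<$fh>) {
+ my $line = $_;
+ $line_ctr++;
 if ($num_packets > 0) {
 last PKT if $pkt_ctr >= $num_packets;
 }
@@ -7223,8 +7231,10 @@ sub analysis_mode() {
 }
 }
 }
- print "[+] Found ", ($#ipt_msgs+1), " iptables log messages out of ",
- ($#lines+1), " total lines.\n";
+ close $fh unless $pkts_from_stdin;
+
+ print "[+] Found ", ($#ipt_msgs+1), " iptables log messages out of " .
+ "$line_ctr total lines.\n";
 print " This may take a while...\n" if $#ipt_msgs > 15000;
 ### analyze all packets
@@ -7278,18 +7288,20 @@ sub ipt_match_criteria() {
 return [], '' unless $pkt_hr->{$tok} =~ m|$match_hr->{'re'}|;
 }
 } elsif (defined $match_hr->{'net'} or defined $match_hr->{'ip'}) {
+ my $net_or_ip_key = 'ip_obj';
+ $net_or_ip_key = 'net_obj' if defined $match_hr->{'net'};
 if ($pkt_hr->{$tok} =~ m|$ipv4_re|
 or $pkt_hr->{$tok} =~ m|$ipv6_re|) {
 my $ip_match_obj = '';
 if ($tok eq 'src') {
 $ip_match_obj = $pkt_hr->{'s_obj'};
 } elsif ($tok eq 'dst') {
- $ip_match_obj = $pkt_hr->{'s_obj'};
+ $ip_match_obj = $pkt_hr->{'d_obj'};
 }
 if ($match_hr->{'negate'}) {
- return [], '' if $ip_match_obj->within($match_hr->{'net'});
+ return [], '' if $ip_match_obj->within($match_hr->{$net_or_ip_key});
 } else {
- return [], '' unless $ip_match_obj->within($match_hr->{'net'});
+ return [], '' unless $ip_match_obj->within($match_hr->{$net_or_ip_key});
 }
 } else {
 return [], '';
@@ -7413,7 +7425,7 @@ sub csv_mode() {
 }
 }
 }
- close MSGS;
+ close $fh unless $csv_stdin;
 }
 if ($gnuplot_mode) {
@@ -8113,6 +8125,7 @@ sub csv_tokens() {
 die "[*] $tok_str requires a search criteria in -A mode.";
 }
 }
+ $search =~ s/\,$//;
 if ($token eq 'timestamp') {
 $csv_have_timestamp = 1;
 }
@@ -8195,10 +8208,27 @@ sub csv_tokens() {
 $search_hsh{'str'} = $1;
 } elsif ($search =~ m|^$ipv4_re/$ipv4_re$|) {
 $search_hsh{'net'} = $search;
+ $search_hsh{'net_obj'} = new NetAddr::IP($search)
+ or die "[*] NetAddr::IP($search) error";
 } elsif ($search =~ m|^$ipv4_re/\d+$|) {
 $search_hsh{'net'} = $search;
+ $search_hsh{'net_obj'} = new NetAddr::IP($search)
+ or die "[*] NetAddr::IP($search) error";
 } elsif ($search =~ m|^$ipv4_re$|) {
 $search_hsh{'ip'} = $search;
+ $search_hsh{'ip_obj'} = new NetAddr::IP($search)
+ or die "[*] NetAddr::IP($search) error";
+ } elsif ($search =~ m|\:|) {
+ ### see if this is an IPv6 address
+ if ($search =~ m|\/|) {
+ $search_hsh{'net'} = $search;
+ $search_hsh{'net_obj'} = new6 NetAddr::IP($search)
+ or die "[*] NetAddr::IP($search) error";
+ } else {
+ $search_hsh{'net'} = $search;
+ $search_hsh{'net_obj'} = new6 NetAddr::IP($search)
+ or die "[*] NetAddr::IP($search) error";
+ }
 } else {
 die "[*] Unrecognized value for $token";
 }
@@ -9825,7 +9855,7 @@ sub get_scale_factor() {
 $val = 50000;
 }
 }
- $val++ if $val == 0;
+ $val++;
 return $val;
 }
@@ -10509,7 +10539,8 @@ sub getopt_wrapper() {
 'analysis-fields=s' => \$analysis_fields, # Place a criteria on various fields
 # that are parsed from an iptables
 # logfile.
- 'analyze-fields=s' => \$analysis_fields,
+ 'analyze-fields=s' => \$analysis_fields, # Synonym.
+ 'stdin' => \$pkts_from_stdin,
 'whois-analysis' => \$analysis_whois, # Issue whois lookups in analysis
 # mode.
 'dns-analysis' => \$enable_analysis_dns, # Issue DNS lookups in -A mode.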
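Review bot: The new IPv6 branch in csv_tokens, `} elsif ($search =~ m|\:|) {`, treats any value containing a colon as an IPv6 search, and its two sub-branches are identical, so a bare IPv6 address is stored under `'net'`/`'net_obj'` while a bare IPv4 address a few lines above goes to `'ip'`/`'ip_obj'`. Since `$ipv6_re` already exists in this file (ipt_match_criteria uses it in the same section), the test can be tightened to `} elsif ($search =~ m|^$ipv6_re(?:/\d+)?$|) {` (assuming `$ipv6_re` can be anchored the way `$ipv4_re` is here) and the prefix-less sub-branch changed to set `$search_hsh{'ip'}` and `$search_hsh{'ip_obj'}`, so both address families are classified the same way and malformed input reaches the `Unrecognized value` die instead of `NetAddr::IP->new6`. A smaller point in the analysis_mode hunk: the relocated `open MSGS, "< $fw_data_file"` would be safer and clearer as a three-arg open on a lexical handle, `open my $fh, '<', $fw_data_file or die ...`, which also removes the `$fh = *MSGS` glob assignment and the two-arg mode parsing of the filename. Both csv_tokens and analysis_mode start and end outside their hunks.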
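--- a/psad.8
+++ b/psad.8
@@ -82,6 +82,12 @@ to point psad at your
 .I /var/log/messages
 file.
 .TP
+.BR \-\^\-analysis-fields\ \<search\ fields>
+In --Analyze mode restrict analysis to iptables log messages that have specific
+values for particular fields. Examples include "SRC:1.2.3.4", "DST:10.0.0.0/24,
+and "TTL:64", and multiple fields are supported as a comma-separated list like
+"SRC:1.2.3.4, LEN:44, DST:10.0.0.0/24".
+.TP
 .BR \-i "\fR,\fP " \-\^\-interface\ \<interface>
 Specify the interface that
 .B psad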
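--- /dev/null
+++ b/test/install.answers
@@ -0,0 +1,24 @@
+Would you like to merge the config from the existing psad installation: y;
+Preserve any user modfications in etc psad signatures: y;
+Preserve any user modfications in etc psad icmp_types: y;
+Preserve any user modfications in etc psad icmp6_types: y;
+Preserve any user modfications in etc psad posf: y;
+Preserve any user modfications in etc psad auto_dl: y;
+Preserve any user modfications in etc psad snort_rule_dl: y;
+Preserve any user modfications in etc psad pf os: y;
+Preserve any user modfications in etc psad ip_options: y;
+Would you like alerts sent to a different address: n;
+Email addresses: root@localhost;
+Would you like psad to only parse specific strings in iptables messages: n;
+First is it ok to leave the HOME_NET setting as any: y;
+Would you like to enable DShield alerts: n;
+Would you like to install the latest signatures from http www cipherdyne org psad signatures: n;
+Enable psad at boot time: n;
+Preserve any user modfications in home mbr git psad git test psad install etc psad signatures: y;
+Preserve any user modfications in home mbr git psad git test psad install etc psad icmp_types: y;
+Preserve any user modfications in home mbr git psad git test psad install etc psad icmp6_types: y;
+Preserve any user modfications in home mbr git psad git test psad install etc psad posf: y;
+Preserve any user modfications in home mbr git psad git test psad install etc psad auto_dl: y;
+Preserve any user modfications in home mbr git psad git test psad install etc psad snort_rule_dl: y;
+Preserve any user modfications in home mbr git psad git test psad install etc psad pf os: y;
+Preserve any user modfications in home mbr git psad git test psad install etc psad ip_options: y;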