base fork: mrash/psad
base: 4354822524
...
head fork: mrash/psad
compare: 10e1418f3a
  • 2 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
Commits on Mar 24, 2012
@mrash added IPv6 exclusion test for Snort MS SQl Server communication attem…
…pt signature
029059c
Commits on Mar 25, 2012
@mrash Minor compiler warning bug fix for OpenBSD systems.
Compiling psad *.c files on OpenBSD issued the following warning before this fix:

/usr/bin/gcc -Wall -O psadwatchd.c psad_funcs.c strlcpy.c strlcat.c -o psadwatchd
psad_funcs.c: In function 'send_alert_email':
psad_funcs.c:325: warning: missing sentinel in function call
10e1418
Showing with 65 additions and 1 deletion.
  1. +1 −1  psad_funcs.c
  2. +64 −0 test/test-psad.pl
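--- a/psad_funcs.c
+++ b/psad_funcs.c
@@ -321,7 +321,7 @@ void send_alert_email(const char *shCmd, const char *mailCmd,
 else if (child_pid > 0)
 wait(NULL); /* mail better work */
 else
-execle(shCmd, shCmd, "-c", mail_line, NULL, NULL); /* don't use env */
+execle(shCmd, shCmd, "-c", mail_line, (char *)NULL, (char *)NULL); /* don't use env */
 return;
 }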
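Review bot: `execle` returns only when the exec fails, and the new line leaves nothing after it, so a child that fails to exec falls through to the `return;` below and carries on running the parent's code path after send_alert_email, which can repeat whatever the caller does next. Terminate the child on that path, e.g. `else { execle(shCmd, shCmd, "-c", mail_line, (char *)NULL, (char *)NULL); _exit(127); }`, so a broken shell path is a visible failure rather than a second daemon. Passing `(char *)NULL` as the envp argument silences the sentinel warning but is not portable; an explicit empty environment such as `char *const no_env[] = { NULL };` passed as the last argument expresses "don't use env" without relying on the platform accepting a null pointer there. Since `mail_line` is handed to `sh -c`, the code that builds it should be checked for shell-metacharacter escaping; that code, and the start of send_alert_email, are outside the hunk.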
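--- a/test/test-psad.pl
+++ b/test/test-psad.pl
@@ -17,6 +17,9 @@
 my $null_scan_file = 'null_scan_1000_1150';
 my $ack_scan_file = 'ack_scan_1000_1150';
 my $udp_scan_file = 'udp_scan_1000_1150';
+my $ms_sql_server_sig_match_file = 'ms_sql_server_sig_match';
+my $ipv6_ms_sql_server_sig_match_file = 'ipv6_ms_sql_server_sig_match';
+my $no_ms_sql_server_sig_match_file = "$conf_dir/signatures_no_ms_sql_server_sig";
 my $ipv6_connect_scan_file = 'ipv6_tcp_connect_nmap_default_scan';
 my $ipv6_ping_scan_file = 'ipv6_ping_scan';
 my $ipv6_invalid_icmp6_type_code_file = 'ipv6_invalid_icmp6_type_code';
@@ -198,6 +201,67 @@
 },
 {
 'category' => 'operations',
+'detail' => 'IPv4 MS SQL Server communication attempt detection',
+'err_msg' => 'did not detect MS SQL Server attempt',
+'positive_output_matches' => [qr/Top\s\d+\sattackers/i,
+qr/scanned\sports/i,
+qr/IP\sstatus/i,
+qr/SQL\sServer\scommunication/i,
+qr/192\.168\.10\.55/],
+'match_all' => $MATCH_ALL_RE,
+'function' => \&generic_exec,
+'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+&fw_type() . "/$ms_sql_server_sig_match_file -c $default_conf",
+'exec_err' => $NO,
+'fatal' => $NO
+},
+{
+'category' => 'operations',
+'detail' => 'IPv6 MS SQL Server communication attempt detection',
+'err_msg' => 'did not detect MS SQL Server attempt',
+'positive_output_matches' => [qr/Top\s\d+\sattackers/i,
+qr/scanned\sports/i,
+qr/IP\sstatus/i,
+qr/SQL\sServer\scommunication/i,
+qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
+'match_all' => $MATCH_ALL_RE,
+'function' => \&generic_exec,
+'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+&fw_type() . "/$ipv6_ms_sql_server_sig_match_file -c $default_conf",
+'exec_err' => $NO,
+'fatal' => $NO
+},
+{
+'category' => 'operations',
+'detail' => 'IPv4 exclude MS SQL Server sig match',
+'err_msg' => 'logged MS SQL Server attempt',
+'negative_output_matches' => [
+qr/SQL\sServer\scommunication/i],
+'match_all' => $MATCH_ALL_RE,
+'function' => \&generic_exec,
+'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+&fw_type() . "/$ms_sql_server_sig_match_file " .
+"--signatures $no_ms_sql_server_sig_match_file -c $default_conf",
+'exec_err' => $NO,
+'fatal' => $NO
+},
+{
+'category' => 'operations',
+'detail' => 'IPv6 exclude MS SQL Server sig match',
+'err_msg' => 'logged MS SQL Server attempt',
+'negative_output_matches' => [
+qr/SQL\sServer\scommunication/i],
+'match_all' => $MATCH_ALL_RE,
+'function' => \&generic_exec,
+'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+&fw_type() . "/$ipv6_ms_sql_server_sig_match_file " .
+"--signatures $no_ms_sql_server_sig_match_file -c $default_conf",
+'exec_err' => $NO,
+'fatal' => $NO
+},
+
+{
+'category' => 'operations',
 'detail' => 'IPv4 FIN scan detection',
 'err_msg' => 'did not detect FIN scan',
 'positive_output_matches' => [qr/Top\s\d+\sattackers/i,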
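Review bot: The two "exclude MS SQL Server sig match" entries carry only `negative_output_matches`, so they also pass when psad emits no output at all — for instance if the `--signatures` file named by `$no_ms_sql_server_sig_match_file` is missing or the scan file is not parsed — which means they cannot tell "signature excluded" apart from "nothing ran". If `generic_exec` honours both keys in one entry (the two detection entries just above use `positive_output_matches`), add `'positive_output_matches' => [qr/Top\s\d+\sattackers/i, qr/scanned\sports/i],` to each exclusion entry so the run is confirmed to have processed the scan before the absence of the SQL Server line is counted as success. A style point in the `'cmdline'` strings: `&fw_type()` is the old ampersand call form; `fw_type()` reads the same and avoids the ampersand's special parsing. In the first hunk, `$no_ms_sql_server_sig_match_file` is a `$conf_dir` path to a signatures file while its sibling `*_file` variables are bare scan-file names under `$scans_dir`, so a short comment such as `# signatures file with the MS SQL Server sig removed` would stop a reader from treating it as another scan file.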

