my $OPTIONAL = 0;
my $MATCH_ALL_RE = 1;
my $MATCH_SINGLE_RE = 2;
+my $cmdline_fw_type = '';
my $help = 0;
+my @args_cp = @ARGV;
+
+exit 1 unless GetOptions(
+ 'psad-path=s' => \$psadCmd,
+ 'test-include=s' => \$test_include,
+ 'include=s' => \$test_include, ### synonym
+ 'test-exclude=s' => \$test_exclude,
+ 'exclude=s' => \$test_exclude, ### synonym
+ 'List-mode' => \$list_mode,
+ 'diff' => \$diff_mode,
+ 'firewall-type=s' => \$cmdline_fw_type,
+ 'help' => \$help
+);
+
+&usage() if $help;
+
+my $psad_def = "$psadCmd --test-mode --firewall-type ";
+if ($cmdline_fw_type) {
+ $psad_def .= $cmdline_fw_type;
+} else {
+ $psad_def .= &fw_type();
+}
+
my %test_keys = (
'category' => $REQUIRED,
'subcategory' => $OPTIONAL,
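Review bot: `$psad_def` (L22–L27) is built from whatever `--firewall-type` was supplied, or from `&fw_type()`, and neither value is checked before it is spliced into every test command line; if the heuristic in `fw_type()` finds no match it returns `''`, so the string ends in `--firewall-type ` and the next token (`-D`, `--fw-dump`, `-A`, …) is silently consumed as the firewall type. Resolve and validate the type once against the set this suite knows about, e.g. `my $fw_type = $cmdline_fw_type || &fw_type(); die "[*] Unknown firewall type '$fw_type', use --firewall-type\n" unless $fw_type =~ /\A(?:iptables|ipfw|pf)\z/;` and then `my $psad_def = "$psadCmd --test-mode --firewall-type $fw_type";`. Since these `cmdline` strings are presumably handed to a shell by `generic_exec` (not visible here), the anchored check also keeps shell metacharacters from the option value out of the command. Holding the resolved value in a variable additionally lets the per-test `&fw_type()` calls that pick the scan-file directory agree with what the command line says.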
'detail' => 'config dump+validate',
'err_msg' => 'could not dump+validate config',
'function' => \&validate_config,
- 'cmdline' => "$psadCmd --test-mode -D -c $default_conf",
+ 'cmdline' => "$psad_def -D -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
qr/\biptables\b/, qr/\bip6tables\b/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode --fw-dump -c $default_conf",
+ 'cmdline' => "$psad_def --fw-dump -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
'positive_output_matches' => [qr/Listing\schains\sfrom\sIPT_AUTO_CHAIN/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode --fw-list-auto -c $default_conf",
+ 'cmdline' => "$psad_def --fw-list-auto -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
'positive_output_matches' => [qr/Parsing.*iptables/, qr/Parsing.*ip6tables/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode --fw-analyze -c $default_conf",
+ 'cmdline' => "$psad_def --fw-analyze -c $default_conf",
'exec_err' => $IGNORE,
'fatal' => $NO
},
'detail' => '--Status',
'err_msg' => 'could not get psad status',
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -S -c $default_conf",
+ 'cmdline' => "$psad_def -S -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
'detail' => '--Status --status-summary',
'err_msg' => 'could not get psad status summary',
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -S --status-summary -c $default_conf",
+ 'cmdline' => "$psad_def -S --status-summary -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
'positive_output_matches' => [qr/Next\savailable.*\s\d+/i],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode --get-next-rule-id -c $default_conf",
+ 'cmdline' => "$psad_def --get-next-rule-id -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
},
'positive_output_matches' => [qr/Entering\sbenchmark\smode/, qr/processing\stime\:\s\d+/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode --Benchmark --packets 1000 -c $default_conf",
+ 'cmdline' => "$psad_def --Benchmark --packets 1000 -c $default_conf",
'exec_err' => $IGNORE,
'fatal' => $NO
},
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
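Review bot: The scan fixture directory on L101 is still selected by `&fw_type()`, i.e. by the `uname` heuristic, while the command itself now carries `$psad_def`, which honours `--firewall-type`; when the two disagree (the override exists precisely for hosts where the heuristic is wrong) psad is told one firewall type and fed log lines from another, and the same applies to every `-m $scans_dir/` entry in this diff. `fw_type()` also forks `uname` on each call, so it runs once per test entry. Resolve the type once next to `$psad_def` (e.g. `my $fw_type = $cmdline_fw_type || &fw_type();`) and use that here: `'cmdline' => "$psad_def -A -m $scans_dir/$fw_type/$syn_scan_file -c $default_conf",`. This is a hedged reading — the fixture directories may intentionally be per-host rather than per-override, in which case a comment saying so on this line would avoid the question.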
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ms_sql_server_sig_match_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv6_ms_sql_server_sig_match_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/SQL\sServer\scommunication/i],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ms_sql_server_sig_match_file " .
"--signatures $no_ms_sql_server_sig_match_file -c $default_conf",
'exec_err' => $NO,
qr/SQL\sServer\scommunication/i],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv6_ms_sql_server_sig_match_file " .
"--signatures $no_ms_sql_server_sig_match_file -c $default_conf",
'exec_err' => $NO,
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$fin_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$xmas_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$null_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ack_scan_file -c $enable_ack_detection_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_udp " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/192\.168\.10\.55,\sDL\:\s5/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_subnet_auto_dl_file_tcp " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $ignore_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $ignore_tcp_conf",
'exec_err' => $NO,
'fatal' => $NO
'positive_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $require_prefix_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf FW_MSG_SEARCH trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$syn_scan_file -c $require_missing_prefix_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $ignore_ipv4_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $ignore_ipv4_subnet_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
+ 'cmdline' => "$psad_def -A --auto-dl $dl5_ipv4_auto_dl_file " . ### psad.conf IGNORE_PROTOCOLS trumps auto_dl
"-m $scans_dir/" . &fw_type() . "/$udp_scan_file -c $ignore_udp_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv6_connect_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv6_ping_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv6_invalid_icmp6_type_code_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/SRC\:\s+192.168.10.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv4_valid_ping -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
qr/SRC\:\s+192.168.10.55/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv4_invalid_icmp6_type_code_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A -m $scans_dir/" .
+ 'cmdline' => "$psad_def -A -m $scans_dir/" .
&fw_type() . "/$ipv6_connect_scan_file -c $disable_ipv6_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv6_addr_auto_dl_file " .
+ 'cmdline' => "$psad_def -A --auto-dl $ignore_ipv6_addr_auto_dl_file " .
"-m $scans_dir/" . &fw_type() . "/$ipv6_connect_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
'negative_output_matches' => [qr/SRC\:.*2001\:DB8\:0\:F101\:\:2/],
'match_all' => $MATCH_ALL_RE,
'function' => \&generic_exec,
- 'cmdline' => "$psadCmd --test-mode -A --auto-dl $ignore_ipv6_addr_auto_dl_file_abbrev " .
+ 'cmdline' => "$psad_def -A --auto-dl $ignore_ipv6_addr_auto_dl_file_abbrev " .
"-m $scans_dir/" . &fw_type() . "/$ipv6_connect_scan_file -c $default_conf",
'exec_err' => $NO,
'fatal' => $NO
);
-my @args_cp = @ARGV;
-
-exit 1 unless GetOptions(
- 'psad-path=s' => \$psadCmd,
- 'test-include=s' => \$test_include,
- 'include=s' => \$test_include, ### synonym
- 'test-exclude=s' => \$test_exclude,
- 'exclude=s' => \$test_exclude, ### synonym
- 'List-mode' => \$list_mode,
- 'diff' => \$diff_mode,
- 'help' => \$help
-);
-
-&usage() if $help;
-
### make sure everything looks as expected before continuing
&init();
}
sub fw_type() {
- return 'iptables';
+ my $fw_type = '';
+
+ ### This function implements a set of simple heuristics to determine
+ ### the firewall type. Note that the user can always just set this
+ ### from the command line with --firewall-type
+
+ ### get OS output from uname
+ open UNAME, 'uname |' or die "[*] Could not execute 'uname', use ",
+ "--firewall-type.";
+ while (<UNAME>) {
+ if (/darwin/i) {
+ $fw_type = 'ipfw';
+ } elsif (/openbsd/i) {
+ $fw_type = 'pf';
+ } elsif (/bsd/i) {
+ $fw_type = 'ipfw';
+ } elsif (/linux/i) {
+ $fw_type = 'iptables';
+ }
+ last;
+ }
+ close UNAME;
+
+ return $fw_type;
}
sub write_test_file() {
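Review bot: `open UNAME, 'uname |'` on L396 is a two-argument pipe open: it goes through the shell, uses a global bareword handle, and its `or die` only fires if the fork fails, so a `uname` that exits non-zero or prints an unrecognised OS makes `fw_type()` return `''` with no diagnostic, which then leaves `--firewall-type` with an empty value in `$psad_def`. Prefer the list-form pipe with a lexical handle and fail loudly when no branch matched, as below. The `elsif` order is load-bearing — `openbsd` must be tested before the generic `bsd` match — and deserves a one-line comment such as `### openbsd must be matched before the generic bsd case (ipfw)`. The function is fully contained in this hunk.
```perl
    ### list-form pipe: no shell is involved, and the handle is lexical
    open my $uname_fh, '-|', 'uname'
        or die "[*] Could not execute 'uname', use --firewall-type.";
    while (<$uname_fh>) {
        ### … unchanged: darwin/openbsd/bsd/linux matches (openbsd before bsd) …
        last;
    }
    close $uname_fh;

    ### an empty result would leave '--firewall-type' with no value in $psad_def
    die "[*] Could not determine firewall type from 'uname', use --firewall-type.\n"
        unless $fw_type;

    return $fw_type;
```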