### log the top port and signature matches
&log_top_scans();
-
- $check_interval_ctr = 0;
}
### Write the number of tcp/udp/icmp packets out
$warn_msg = '';
}
+ ### see if we need to timeout any old scans
+ if ($config{'ENABLE_PERSISTENCE'} eq 'N') {
+
+ my $do_timeout = 0;
+ if ($config{'PERSISTENCE_CTR_THRESHOLD'} == 0) {
+ $do_timeout = 1;
+ } elsif ($check_interval_ctr % $config{'PERSISTENCE_CTR_THRESHOLD'} == 0) {
+ $do_timeout = 1;
+ }
+
+ &delete_old_scans() if $do_timeout;
+ }
+
$check_interval_ctr++;
$fw_data_file_check_ctr++;
}
}
- ### see if we need to timeout any old scans
- if ($config{'ENABLE_PERSISTENCE'} eq 'N') {
- if (defined $scan{$pkt{'src'}}{$pkt{'dst'}}{'s_time'}) {
- if ((time() - $scan{$pkt{'src'}}{$pkt{'dst'}}{'s_time'})
- >= $config{'SCAN_TIMEOUT'}) {
- delete $scan{$pkt{'src'}}{$pkt{'dst'}};
- }
- }
- }
-
### record the absolute starting time of the scan
unless (defined $scan{$pkt{'src'}}{$pkt{'dst'}}{'s_time'}) {
if ($analyze_mode) {
return 0, $NO_SIG_MATCH;
}
+sub delete_old_scans() {
+
+ my $current_time = time();
+
+ print STDERR "[+] delete_old_scans()\n" if $debug;
+
+ ### see if we need to timeout any old scans
+ for my $src (keys %scan) {
+ for my $dst (keys %{$scan{$src}}) {
+ next unless defined $scan{$src}{$dst}{'s_time'};
+ if (($current_time - $scan{$src}{$dst}{'s_time'})
+ >= $config{'SCAN_TIMEOUT'}) {
+ print STDERR " delete old scan $src -> $dst\n"
+ if $debug;
+ delete $scan{$src}{$dst};
+ }
+ }
+ }
+ return;
+}
+
sub dshield_email_log() {
### dshield alert interval is in hours. Check to see if there are more
### than 10,000 lines of log data (and if the last alert was sent more than
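Review bot: delete_old_scans() deletes `$scan{$src}{$dst}` but never removes `$scan{$src}` once its last destination is gone, so the outer hash keeps an empty entry for every source ever tracked and the sweep reclaims less memory than intended. After the inner `for my $dst` loop, drop the emptied source with `delete $scan{$src} unless keys %{$scan{$src}};` — deleting during the loop is safe because `keys` returns a copy of the key list. The per-packet check removed earlier in this hunk only aged out a src/dst pair when a new packet for that pair arrived, so idle scans were never freed; the periodic sweep addresses that, but the `$check_interval_ctr = 0;` reset also removed here presumably had other readers of that counter, and any that compare it with `>=` rather than `%` would change behaviour — worth confirming. The enclosing main-loop block starts outside the hunk.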
ENABLE_SYSLOG_FILE IPT_SYSLOG_FILE IPT_WRITE_FWDATA
ETC_RSYSLOG_CONF IFCFGTYPE ENABLE_WHOIS_FORCE_ASCII
ENABLE_WHOIS_FORCE_SRC_IP ENABLE_IPV6_DETECTION
+ PERSISTENCE_CTR_THRESHOLD
);
&defined_vars(\@required_vars);
return;
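Review bot: Adding PERSISTENCE_CTR_THRESHOLD to @required_vars only checks that the key is defined, while the main loop uses the value as a modulus (`$check_interval_ctr % $config{'PERSISTENCE_CTR_THRESHOLD'}`) with a guard for exactly 0 only; a non-numeric or fractional setting is numified to 0 or truncated with at most a warning instead of being rejected. Validate it once here, after `&defined_vars(\@required_vars);`, e.g. `die "PERSISTENCE_CTR_THRESHOLD must be a non-negative integer\n" unless $config{'PERSISTENCE_CTR_THRESHOLD'} =~ /^\d+$/;`, or reuse whatever numeric check the file applies to its other interval counters if one exists. The enclosing sub starts outside the hunk.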
### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds
+### Specify how often to timeout old scan data relative to CHECK_INTERVAL
+### iterations. This feature is only use if ENABLE_PERSISTENCE is disabled.
+### Note that for psad processes that have tracked a lot of scans, it is
+### advisable to leave this threshold at the default value of 5 or greater
+### because the scan tracking hash may be quite large.
+PERSISTENCE_CTR_THRESHOLD 5;
+
### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;
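Review bot: The new PERSISTENCE_CTR_THRESHOLD comment has a typo, "This feature is only use if" should read "only used if", and it does not say what 0 means even though the main loop gives it a special case: 0 runs the timeout sweep on every CHECK_INTERVAL iteration. Since the comment otherwise advises staying at 5 or greater, add a line such as `### A value of 0 runs the scan timeout check on every CHECK_INTERVAL iteration.` so an admin reading only psad.conf knows the cheapest and most expensive settings.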