(Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface aliases in IGNORE_IN...
authorMichael Rash <mbr@cipherdyne.org>
Sat, 8 Feb 2014 17:28:22 +0000 (12:28 -0500)
committerMichael Rash <mbr@cipherdyne.org>
Sat, 8 Feb 2014 17:28:22 +0000 (12:28 -0500)
This fixes issue #8 on github.

CREDITS
ChangeLog
psad
test/conf/ignore_intf.conf [new file with mode: 0644]
test/test-psad.pl

diff --git a/CREDITS b/CREDITS
index a047a83..ec5a85a 100644 (file)
--- a/CREDITS
+++ b/CREDITS
@@ -507,3 +507,7 @@ Gusta-BH
 Tim Kramer
     - Provided guidance on getting psad to be compatible with the upstart init
       daemon on RHEL systems.  This effort was tracked via issue #12 on github.
+
+Wolfgang Breyha
+    - Submitted a patch to allow VLAN interfaces and interface aliases in
+      IGNORE_INTERFACES.  This fixes issue #8 on github.
index 5916755..135225f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@ psad-2.2.3 (//2014):
       addition, a new init script located at init-scripts/upstart/psad has
       been added that is compatible with upstart - this script is meant to be
       copied to the /etc/init.d/ directory.
+    - (Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface aliases
+      in IGNORE_INTERFACES.  This fixes issue #8 on github.
 
 psad-2.2.2 (01/13/2014):
     - Added detection for Errata Security's "Masscan" port scanner that was
diff --git a/psad b/psad
index 1ac1274..043ae77 100755 (executable)
--- a/psad
+++ b/psad
@@ -789,8 +789,7 @@ MAIN: for (;;) {
 
     if ($hup_flag) {
 
-        &sys_log('received HUP signal, ' .
-            're-importing psad.conf');
+        &sys_log('received HUP signal, re-importing psad.conf');
 
         print STDERR "[+] Received HUP signal, re-importing config...\n"
             if $debug;
@@ -3863,7 +3862,7 @@ sub parse_ignore_interfaces() {
 
     my @interfaces = split /\s*,\s*/, $config{'IGNORE_INTERFACES'};
     for my $intf (@interfaces) {
-        if ($intf =~ /\W/) {
+        if ($intf !~ /^[\w.:]+$/) {
             &sys_log('invalid interface in IGNORE_INTERFACES var');
         } else {
             $ignore_interfaces{$intf} = '';
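Review bot: The replacement pattern on the `+` line anchors with `^`/`$`, and `$` also matches before a trailing newline, so a value such as `"eth1\n"` would still be accepted; `\A`/`\z` express the whole-string check the code intends: `if ($intf !~ /\A[\w.:]+\z/) {`. The class still rejects hyphens, which do occur in Linux interface names (bridge names of the `br-lan` kind), so if those are meant to be ignorable the class would need `-` as well; that depends on the intended set of names, which the page does not state. Because `\w` without `/a` also matches non-ASCII letters, an ASCII-only class (`/a`, Perl 5.14+) would keep the accepted set closer to real kernel interface names if the supported Perl baseline allows it. The enclosing `parse_ignore_interfaces` starts before the hunk and continues past it.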
diff --git a/test/conf/ignore_intf.conf b/test/conf/ignore_intf.conf
new file mode 100644 (file)
index 0000000..13ae3d4
--- /dev/null
@@ -0,0 +1,188 @@
+EMAIL_ADDRESSES             root@localhost;
+HOSTNAME                    _CHANGEME_;
+HOME_NET                    any;
+EXTERNAL_NET                any;
+FW_SEARCH_ALL               Y;
+FW_MSG_SEARCH               DROP;
+SYSLOG_DAEMON               syslogd;
+IFCFGTYPE                   ifconfig;
+DANGER_LEVEL1               5;    ### Number of packets.
+DANGER_LEVEL2               15;
+DANGER_LEVEL3               150;
+DANGER_LEVEL4               1500;
+DANGER_LEVEL5               10000;
+CHECK_INTERVAL              5;
+SNORT_SID_STR               SID;
+ENABLE_PSADWATCHD           Y;
+PORT_RANGE_SCAN_THRESHOLD   1;
+PROTOCOL_SCAN_THRESHOLD     5;
+ENABLE_PERSISTENCE          Y;
+SCAN_TIMEOUT                3600;  ### seconds
+PERSISTENCE_CTR_THRESHOLD   5;
+MAX_SCAN_IP_PAIRS           0;
+SHOW_ALL_SIGNATURES         N;
+ALERTING_METHODS            nomail;
+ENABLE_SYSLOG_FILE          Y;
+IPT_WRITE_FWDATA            Y;
+IPT_SYSLOG_FILE             /var/log/messages;
+ENABLE_SIG_MSG_SYSLOG       Y;
+SIG_MSG_SYSLOG_THRESHOLD    10;
+SIG_SID_SYSLOG_THRESHOLD    10;
+EXPECT_TCP_OPTIONS          Y;
+MAX_HOPS                    20;
+IGNORE_KERNEL_TIMESTAMP     Y;
+IGNORE_CONNTRACK_BUG_PKTS   Y;
+IGNORE_PORTS                NONE;
+IGNORE_PROTOCOLS            NONE;
+IGNORE_INTERFACES           eth1, eth0.1;
+IGNORE_LOG_PREFIXES         NONE;
+MIN_DANGER_LEVEL            1;
+EMAIL_ALERT_DANGER_LEVEL    1;
+ENABLE_IPV6_DETECTION       Y;
+ENABLE_INTF_LOCAL_NETS      Y;
+ENABLE_MAC_ADDR_REPORTING   N;
+ENABLE_FW_LOGGING_CHECK     Y;
+EMAIL_LIMIT                 0;
+ENABLE_EMAIL_LIMIT_PER_DST  N;
+EMAIL_LIMIT_STATUS_MSG      Y;
+EMAIL_THROTTLE              0;
+ALERT_ALL                   Y;
+IMPORT_OLD_SCANS            N;
+SYSLOG_IDENTITY             psad;
+SYSLOG_FACILITY             LOG_LOCAL7;
+SYSLOG_PRIORITY             LOG_INFO;
+TOP_PORTS_LOG_THRESHOLD     500;
+STATUS_PORTS_THRESHOLD      20;
+TOP_SIGS_LOG_THRESHOLD      500;
+STATUS_SIGS_THRESHOLD       50;
+TOP_IP_LOG_THRESHOLD        500;
+STATUS_IP_THRESHOLD         25;
+TOP_SCANS_CTR_THRESHOLD     1;
+ENABLE_DSHIELD_ALERTS       N;
+DSHIELD_ALERT_EMAIL         reports@dshield.org;
+DSHIELD_ALERT_INTERVAL      6;  ### hours
+DSHIELD_USER_ID             0;
+DSHIELD_USER_EMAIL          NONE;
+DSHIELD_DL_THRESHOLD        0;
+HTTP_SERVERS                $HOME_NET;
+SMTP_SERVERS                $HOME_NET;
+DNS_SERVERS                 $HOME_NET;
+SQL_SERVERS                 $HOME_NET;
+TELNET_SERVERS              $HOME_NET;
+AIM_SERVERS                 [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
+HTTP_PORTS                  80;
+SHELLCODE_PORTS             !80;
+ORACLE_PORTS                1521;
+ENABLE_SNORT_SIG_STRICT     Y;
+ENABLE_AUTO_IDS             N;
+AUTO_IDS_DANGER_LEVEL       5;
+AUTO_BLOCK_TIMEOUT          3600;
+AUTO_BLOCK_DL1_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL2_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL3_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL4_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
+AUTO_BLOCK_DL5_TIMEOUT      0;   ### permanent
+ENABLE_AUTO_IDS_REGEX       N;
+AUTO_BLOCK_REGEX            ESTAB;  ### from fwsnort logging prefixes
+ENABLE_RENEW_BLOCK_EMAILS   N;
+ENABLE_AUTO_IDS_EMAILS      Y;
+IPTABLES_BLOCK_METHOD       Y;
+IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
+IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
+IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
+FLUSH_IPT_AT_INIT           Y;
+IPTABLES_PREREQ_CHECK       1;
+TCPWRAPPERS_BLOCK_METHOD    N;
+WHOIS_TIMEOUT               60;  ### seconds
+WHOIS_LOOKUP_THRESHOLD      20;
+ENABLE_WHOIS_FORCE_ASCII    N;
+ENABLE_WHOIS_FORCE_SRC_IP   N;
+DNS_LOOKUP_THRESHOLD        20;
+ENABLE_EXT_SCRIPT_EXEC      N;
+EXTERNAL_SCRIPT             /bin/true;
+EXEC_EXT_SCRIPT_PER_ALERT   N;
+DISK_CHECK_INTERVAL         300;  ### seconds
+DISK_MAX_PERCENTAGE         95;
+DISK_MAX_RM_RETRIES         10;
+ENABLE_SCAN_ARCHIVE         N;
+TRUNCATE_FWDATA             Y;
+MIN_ARCHIVE_DANGER_LEVEL    1;
+MAIL_ALERT_PREFIX           [psad-alert];
+MAIL_STATUS_PREFIX          [psad-status];
+MAIL_ERROR_PREFIX           [psad-error];
+MAIL_FATAL_PREFIX           [psad-fatal];
+SIG_UPDATE_URL              http://www.cipherdyne.org/psad/signatures;
+PSADWATCHD_CHECK_INTERVAL   5;  ### seconds
+PSADWATCHD_MAX_RETRIES      10;
+INSTALL_ROOT                psad-install;
+PSAD_DIR                    $INSTALL_ROOT/var/log/psad;
+PSAD_RUN_DIR                $INSTALL_ROOT/var/run/psad;
+PSAD_FIFO_DIR               $INSTALL_ROOT/var/lib/psad;
+PSAD_LIBS_DIR               $INSTALL_ROOT/usr/lib/psad;
+PSAD_CONF_DIR               $INSTALL_ROOT/etc/psad;
+PSAD_ERR_DIR                $PSAD_DIR/errs;
+CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
+SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
+ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
+SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
+FW_DATA_FILE                $PSAD_DIR/fwdata;
+ULOG_DATA_FILE              $PSAD_DIR/ulogd.log;
+FW_CHECK_FILE               $PSAD_DIR/fw_check;
+DSHIELD_EMAIL_FILE          $PSAD_DIR/dshield.email;
+SIGS_FILE                   $PSAD_CONF_DIR/signatures;
+PROTOCOLS_FILE              $PSAD_CONF_DIR/protocols;
+ICMP_TYPES_FILE             $PSAD_CONF_DIR/icmp_types;
+ICMP6_TYPES_FILE            $PSAD_CONF_DIR/icmp6_types;
+AUTO_DL_FILE                $PSAD_CONF_DIR/auto_dl;
+SNORT_RULE_DL_FILE          $PSAD_CONF_DIR/snort_rule_dl;
+POSF_FILE                   $PSAD_CONF_DIR/posf;
+P0F_FILE                    $PSAD_CONF_DIR/pf.os;
+IP_OPTS_FILE                $PSAD_CONF_DIR/ip_options;
+PSAD_FIFO_FILE              $PSAD_FIFO_DIR/psadfifo;
+ETC_HOSTS_DENY_FILE         /etc/hosts.deny;
+ETC_SYSLOG_CONF             /etc/syslog.conf;
+ETC_RSYSLOG_CONF            /etc/rsyslog.conf;
+ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
+ETC_METALOG_CONF            /etc/metalog/metalog.conf;
+STATUS_OUTPUT_FILE          $PSAD_DIR/status.out;
+ANALYSIS_OUTPUT_FILE        $PSAD_DIR/analysis.out;
+INSTALL_LOG_FILE            $PSAD_DIR/install.log;
+PSAD_PID_FILE               $PSAD_RUN_DIR/psad.pid;
+PSAD_CMDLINE_FILE           $PSAD_RUN_DIR/psad.cmd;
+KMSGSD_PID_FILE             $PSAD_RUN_DIR/kmsgsd.pid;
+PSADWATCHD_PID_FILE         $PSAD_RUN_DIR/psadwatchd.pid;
+AUTO_BLOCK_IPT_FILE         $PSAD_DIR/auto_blocked_iptables;
+AUTO_BLOCK_TCPWR_FILE       $PSAD_DIR/auto_blocked_tcpwr;
+AUTO_IPT_SOCK               $PSAD_RUN_DIR/auto_ipt.sock;
+FW_ERROR_LOG                $PSAD_ERR_DIR/fwerrorlog;
+PRINT_SCAN_HASH             $PSAD_DIR/scan_hash;
+PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;
+PACKET_COUNTER_FILE         $PSAD_DIR/packet_ctr;
+TOP_SCANNED_PORTS_FILE      $PSAD_DIR/top_ports;
+TOP_SIGS_FILE               $PSAD_DIR/top_sigs;
+TOP_ATTACKERS_FILE          $PSAD_DIR/top_attackers;
+DSHIELD_COUNTER_FILE        $PSAD_DIR/dshield_ctr;
+IPT_PREFIX_COUNTER_FILE     $PSAD_DIR/ipt_prefix_ctr;
+IPT_OUTPUT_FILE             $PSAD_DIR/psad.iptout;
+IPT_ERROR_FILE              $PSAD_DIR/psad.ipterr;
+iptablesCmd      /sbin/iptables;
+ip6tablesCmd     /sbin/ip6tables;
+shCmd            /bin/sh;
+wgetCmd          /usr/bin/wget;
+gzipCmd          /bin/gzip;
+mknodCmd         /bin/mknod;
+psCmd            /bin/ps;
+mailCmd          /bin/mail;
+sendmailCmd      /usr/sbin/sendmail;
+ifconfigCmd      /sbin/ifconfig;
+ipCmd            /sbin/ip;
+killallCmd       /usr/bin/killall;
+netstatCmd       /bin/netstat;
+unameCmd         /bin/uname;
+whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
+dfCmd            /bin/df;
+fwcheck_psadCmd  $INSTALL_ROOT/usr/sbin/fwcheck_psad;
+psadwatchdCmd    $INSTALL_ROOT/usr/sbin/psadwatchd;
+kmsgsdCmd        $INSTALL_ROOT/usr/sbin/kmsgsd;
+psadCmd          $INSTALL_ROOT/usr/sbin/psad;
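Review bot: `IGNORE_INTERFACES eth1, eth0.1;` in the new fixture exercises only the VLAN form, while the commit message and the widened `[\w.:]` class in psad also claim to accept interface aliases, which use a colon; an entry such as `IGNORE_INTERFACES eth1, eth0.1, eth0:1;` would put both shapes under regression, provided the config parser accepts a colon inside a value. The rest of the file appears to be a copy of the default test configuration with test-mode paths, so nothing else in it is specific to this change.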
index 0bbaf33..5738164 100755 (executable)
@@ -45,6 +45,7 @@ my $cmd_out_tmp    = 'cmd.out';
 my $default_conf   = "$conf_dir/default_psad.conf";
 my $ignore_udp_conf = "$conf_dir/ignore_udp.conf";
 my $ignore_tcp_conf = "$conf_dir/ignore_tcp.conf";
+my $ignore_intf_conf = "$conf_dir/ignore_intf.conf";
 my $auto_blocking_conf = "$conf_dir/auto_blocking.conf";
 my $auto_dl5_blocking_conf = "$conf_dir/auto_min_dl5_blocking.conf";
 my $require_prefix_conf = "$conf_dir/require_DROP_syslog_prefix_str.conf";
@@ -773,6 +774,18 @@ my @tests = (
     },
     {
         'category'  => 'operations',
+        'detail'    => 'psad.conf ignore eth1 traffic',
+        'err_msg'   => 'did not ignore eth1 traffic',
+        'negative_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
+        'match_all' => $MATCH_ALL_RE,
+        'function'  => \&generic_exec,
+        'cmdline'   => "$psadCmd --test-mode -A --analysis-write-data --auto-dl $dl5_ipv4_auto_dl_file " .
+                "-m $scans_dir/" .  &fw_type() . "/$syn_scan_file -c $ignore_intf_conf $normal_root_override_str",
+        'exec_err'  => $NO,
+        'fatal'     => $NO
+    },
+    {
+        'category'  => 'operations',
         'detail'    => 'psad.conf require DROP prefix',
         'err_msg'   => 'did not find DROP prefix logs',
         'positive_output_matches' => [qr/SRC\:\s+192\.168\.10\.55/],
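Review bot: The added test entry asserts only `negative_output_matches`, so it passes vacuously if psad produces no analysis output at all, for instance when `ignore_intf.conf` fails to load; a `positive_output_matches` entry for some line that must still appear would tie the pass to the analysis actually having run. Whether `$MATCH_ALL_RE` or `generic_exec` already rejects empty output is not visible in this hunk. The negative pattern also presumes the `$syn_scan_file` log lines for 192.168.10.55 carry `IN=eth1`, which should hold for the fixture but cannot be confirmed from here. The enclosing `@tests` list starts before the hunk.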