Parse fwsnort rules for 'msg' fields
authorMichael Rash <mbr@cipherdyne.org>
Tue, 18 Dec 2012 04:05:56 +0000 (23:05 -0500)
committerMichael Rash <mbr@cipherdyne.org>
Tue, 18 Dec 2012 04:05:56 +0000 (23:05 -0500)
Added the ability to acquire Snort rule 'msg' fields from fwsnort if
it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
to look for the fwsnort rule set.  This fixes a problem reported by Pui
Edylie to the psad mailing list where fwsnort logged an attack that psad
could not map back to a descriptive 'msg' field.

CREDITS
ChangeLog
psad
psad.conf
test/conf/default_psad.conf
test/conf/disable_ipv6_detection.conf
test/conf/enable_ack_detection.conf
test/conf/ignore_tcp.conf
test/conf/ignore_udp.conf
test/conf/require_DROP_syslog_prefix_str.conf
test/conf/require_missing_syslog_prefix_str.conf

diff --git a/CREDITS b/CREDITS
index 03d82dc..462de9b 100644 (file)
--- a/CREDITS
+++ b/CREDITS
@@ -479,3 +479,9 @@ Kat
 Gregorio Narvaez
     - Reported a NetAddr::IP usage bug in "-A --analysis-fields" mode with IP
       searches.
+
+Pui Edylie
+    - Reported a problem where psad could not map an fwsnort log message back
+      to the corresponding Snort 'msg' field.  Added the FWSNORT_RULES_DIR
+      variable to have psad read Snort rules from any installed fwsnort
+      instance.
index 8b357eb..e18e53b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,12 @@ psad-2.2.1 (12//2012):
 
       # grep "IN=.*OUT=" /var/log/kern.log | psad -A --stdin
 
+    - Added the ability to acquire Snort rule 'msg' fields from fwsnort if
+      it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
+      to look for the fwsnort rule set.  This fixes a problem reported by Pui
+      Edylie to the psad mailing list where fwsnort logged an attack that psad
+      could not map back to a descriptive 'msg' field.
+
 psad-2.2 (02/20/2012):
     - Added support for detection of malicious traffic that is delivered via
       IPv6.  This is accomplished by parsing ip6tables log messages - these are
diff --git a/psad b/psad
index 07dcb23..b4a74b3 100755 (executable)
--- a/psad
+++ b/psad
@@ -3835,67 +3835,72 @@ sub import_snort_rules() {
 
     %fwsnort_sigs = ();
 
-    opendir D, $config{'SNORT_RULES_DIR'}
-        or die "[*] Could not open $config{'SNORT_RULES_DIR'}";
-    my @rfiles = readdir D;
-    closedir D;
+    for my $dir ($config{'SNORT_RULES_DIR'},
+            $config{'FWSNORT_RULES_DIR'}) {
+        next unless -d $dir;
 
-    FILE: for my $rfile (@rfiles) {
-        next FILE unless $rfile =~ /\.rules$/;
-        if ($srules_type) {
-            next FILE unless $rfile =~ /^${srules_type}\.rules$/;
-        }
-        my ($type) = ($rfile =~ /(\w+)\.rules/);
-        open R, "< ${config{'SNORT_RULES_DIR'}}/${rfile}" or
-            die "[*] Could not open: ${srules_type}/${rfile}";
-        my @lines = <R>;
-        close R;
-        RULE: for my $line (@lines) {
-            next RULE unless $line =~ /^\s*alert/;
-            chomp $line;
+        opendir D, $dir or die "[*] Could not open $dir: $!";
+        my @rfiles = readdir D;
+        closedir D;
 
-            my $sid;  ### snort rule id
-            if ($line =~ /[\s;]sid:\s*(\d+)\s*;/) {
-                $sid = $1;
-            } else {
-                next RULE;
+        FILE: for my $rfile (@rfiles) {
+            next FILE unless $rfile =~ /\.rules$/;
+            if ($srules_type) {
+                next FILE unless $rfile =~ /^${srules_type}\.rules$/;
             }
+            my ($type) = ($rfile =~ /(\w+)\.rules/);
 
-            $fwsnort_sigs{$sid}{'msg'} = $1
-                if $line =~ /msg:\s*\"(.*?)\"\s*;/;
-            $fwsnort_sigs{$sid}{'is_psad_id'} = 0;
+            open R, "< $dir/${rfile}" or
+                die "[*] Could not open: ${srules_type}/${rfile}";
 
-            if ($line =~ /^\s*alert\s+(\w+)/) {
-                $fwsnort_sigs{$sid}{'proto'} = lc($1);
-            }
+            while (<R>) {
+                next unless /^\s*alert/;
 
-            if ($line =~ /[\s;]classtype:\s*(.*?)\s*;/) {
-                $fwsnort_sigs{$sid}{'classtype'} = $1;
-            } else {
-                $fwsnort_sigs{$sid}{'classtype'} = '';
-            }
+                my $sid;  ### snort rule id
+                if (/[\s;]sid:\s*(\d+)\s*;/) {
+                    $sid = $1;
+                } else {
+                    next;
+                }
 
-            $fwsnort_sigs{$sid}{'priority'} = &convert_snort_priority($1)
-                if $line =~ /[\s;]priority:\s*(\d+)\s*;/;
+                $fwsnort_sigs{$sid}{'msg'} = $1
+                    if /msg:\s*\"(.*?)\"\s*;/;
+                $fwsnort_sigs{$sid}{'is_psad_id'} = 0;
 
-            ### import multiple content fields; someone could have built
-            ### a series of custom iptables chains in order to detect
-            ### multiple content strings.
-            while ($line =~ /[\s;](?:uri)?content:\s*\"(.*?)\"\s*;/g) {
-                push @{$fwsnort_sigs{$sid}{'content'}}, $1;
-            }
+                if (/^\s*alert\s+(\w+)/) {
+                    $fwsnort_sigs{$sid}{'proto'} = lc($1);
+                }
 
-            while ($line =~ /[\s;]reference:\s*(.*?)\s*;/g) {
-                my $ref = $1;
-                if ($ref =~ /^(\w+),(\S+)/) {
-                    ### reference:bugtraq,9732;
-                    push @{$fwsnort_sigs{$sid}{'reference'}{lc($1)}}, $2;
+                if (/[\s;]classtype:\s*(.*?)\s*;/) {
+                    $fwsnort_sigs{$sid}{'classtype'} = $1;
+                } else {
+                    $fwsnort_sigs{$sid}{'classtype'} = '';
+                }
+
+                $fwsnort_sigs{$sid}{'priority'} = &convert_snort_priority($1)
+                    if /[\s;]priority:\s*(\d+)\s*;/;
+
+                ### import multiple content fields; someone could have built
+                ### a series of custom iptables chains in order to detect
+                ### multiple content strings.
+                while (/[\s;](?:uri)?content:\s*\"(.*?)\"\s*;/g) {
+                    push @{$fwsnort_sigs{$sid}{'content'}}, $1;
                 }
-            }
 
-            next RULE unless defined $fwsnort_sigs{$sid}{'msg'}
+                while (/[\s;]reference:\s*(.*?)\s*;/g) {
+                    my $ref = $1;
+                    if ($ref =~ /^(\w+),(\S+)/) {
+                        ### reference:bugtraq,9732;
+                        push @{$fwsnort_sigs{$sid}{'reference'}{lc($1)}}, $2;
+                    }
+                }
+
+                next unless defined $fwsnort_sigs{$sid}{'msg'}
                     and defined $fwsnort_sigs{$sid}{'classtype'}
                     and defined $fwsnort_sigs{$sid}{'content'};
+            }
+
+            close R;
         }
     }
 
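Review bot: The die attached to the new `open R, "< $dir/${rfile}"` still names `${srules_type}/${rfile}` rather than the directory actually being opened, and omits `$!`, so a failure in the newly added fwsnort directory is reported under the wrong path; with `$dir` now in scope it should read `open my $rfh, '<', "$dir/$rfile" or die "[*] Could not open $dir/$rfile: $!";` (three-arg form with a lexical handle, which also drops the interpolated mode prefix and the bareword `R` that the `while (<R>)` and `close R` lines depend on). Separately, because both directories are walked in one loop and `push @{$fwsnort_sigs{$sid}{'content'}}` appends, a rule present under the same sid in SNORT_RULES_DIR and FWSNORT_RULES_DIR gets its scalar fields overwritten by the second copy while its 'content' list is doubled; clearing `$fwsnort_sigs{$sid}` (or skipping an already-seen sid) before the first assignment would keep the entry consistent. The `-d $dir` test will also warn on an uninitialized value if an older psad.conf lacks FWSNORT_RULES_DIR — presumably the config loader supplies a default, worth confirming. import_snort_rules begins before this hunk and its body continues after the last context line.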
@@ -5606,7 +5611,10 @@ sub scan_logr() {
             &scan_logr_signatures($src, $dst, $fh, $log_sigs);
 
             ### write a scan message to syslog
-            my $syslog_str = "scan detected ($nmap_scan_style_str): $src -> $dst";
+            my $syslog_str = 'scan detected ';
+            $syslog_str .= "($nmap_scan_style_str): "
+                if $nmap_scan_style_str ne 'Nmap';
+            $syslog_str .= "$src -> $dst";
             $syslog_str .= " $syslog_range" if $syslog_range;
             $syslog_str .= " tcp pkts: $tcp_newpkts" if $tcp_newpkts;
             $syslog_str .= " udp pkts: $udp_newpkts" if $udp_newpkts;
index 9402a5c..ee144fe 100644 (file)
--- a/psad.conf
+++ b/psad.conf
@@ -486,6 +486,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;
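Review bot: The new FWSNORT_RULES_DIR line carries a trailing `### may not exist` after the `;`, a form no other value line in the visible context uses, and it says nothing about what psad does when the directory is absent; a comment line above it in the file's own style, `### Optional: Snort rules shipped with an installed fwsnort; silently skipped when the directory does not exist.`, would be clearer than the trailing remark (assuming the config parser tolerates text after the `;` at all — worth confirming). The identical line is added to each test/conf/*.conf hunk in this commit, so the same comment applies there. The value is a hard-coded absolute path outside $PSAD_CONF_DIR, meaning signature content is now read from another package's install tree; stating that in the comment helps an operator auditing where psad's rule data comes from.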
index d391acc..6ba4c25 100644 (file)
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;
index 6d5e08e..9afa3c6 100644 (file)
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;
index 450955d..e27a1c0 100644 (file)
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;
index 331ce94..d229131 100644 (file)
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;
index 46d2998..51e3653 100644 (file)
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;
index b0e8804..a871525 100644 (file)
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;
index 89ae0d1..eeb8479 100644 (file)
@@ -484,6 +484,7 @@ CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
 SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
 ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
 SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
+FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
 
 ### Files
 FW_DATA_FILE                $PSAD_DIR/fwdata;