psad.git
2 years ago  Merge branch 'master' into openbsd_integration  (openbsd_integration)
Michael Rash [Tue, 12 Jun 2012 00:56:34 +0000]
Merge branch 'master' into openbsd_integration

2 years ago  minor comment wording update w.r.t. SYSLOG_DAEMON usage
Michael Rash [Tue, 12 Jun 2012 00:56:19 +0000]
minor comment wording update w.r.t. SYSLOG_DAEMON usage

2 years ago  INSTALL_ROOT resolution bug fix (found by Kat)
Michael Rash [Tue, 12 Jun 2012 00:55:50 +0000]
INSTALL_ROOT resolution bug fix (found by Kat)

2 years ago  Merge branch 'master' into openbsd_integration
Michael Rash [Sun, 27 May 2012 01:31:45 +0000]
Merge branch 'master' into openbsd_integration

2 years ago  removed legacy psadwatchd.conf file references
Michael Rash [Sun, 27 May 2012 01:30:50 +0000]
removed legacy psadwatchd.conf file references

2 years ago  merged in --Use-answer options
Michael Rash [Sat, 21 Apr 2012 02:20:44 +0000]
merged in --Use-answer options

2 years ago  bumped version to 2.2
Michael Rash [Sat, 21 Apr 2012 02:18:58 +0000]
bumped version to 2.2

2 years ago  Added install.answers.example file to illustrate install.pl answers to be consumed...
Michael Rash [Sat, 21 Apr 2012 02:17:03 +0000]
Added install.answers.example file to illustrate install.pl answers to be consumed by --Use-answers

2 years ago  changelog and credits update
Michael Rash [Sat, 21 Apr 2012 02:06:29 +0000]
changelog and credits update

2 years ago  Added the ability to automatically get query answers from --answers-file
Michael Rash [Sat, 21 Apr 2012 01:58:38 +0000]
Added the ability to automatically get query answers from --answers-file

By default the install.pl script records user answers to installation queries
so they can be used to install psad in an automated fashion later.  A new
option --Use-answers makes this possible.  This feature was requested by
@pyllyukko.

2 years ago  merged from master
Michael Rash [Fri, 20 Apr 2012 02:05:44 +0000]
merged from master

2 years ago  bumped version to psad-2.2-pre2  (psad-2.2-pre2)
Michael Rash [Fri, 20 Apr 2012 01:59:43 +0000]
bumped version to psad-2.2-pre2

2 years ago  removed psad-nobuildreqs.spec
Michael Rash [Fri, 20 Apr 2012 01:25:52 +0000]
removed psad-nobuildreqs.spec

2 years ago  moved ChangeLog.old -> ChangeLog (the old style is much more readable)
Michael Rash [Fri, 20 Apr 2012 01:25:07 +0000]
moved ChangeLog.old -> ChangeLog (the old style is much more readable)

2 years ago  matched all chdir() calls with getcwd() for easier test suite support
Michael Rash [Fri, 20 Apr 2012 01:21:52 +0000]
matched all chdir() calls with getcwd() for easier test suite support

2 years ago  added the psad-require-makemaker.spec file
Michael Rash [Fri, 20 Apr 2012 01:20:52 +0000]
added the psad-require-makemaker.spec file

2 years ago  Removed the ExtUtils::MakeMaker build requirement
Michael Rash [Fri, 20 Apr 2012 01:13:58 +0000]
Removed the ExtUtils::MakeMaker build requirement

Although building the psad RPM builds a set of perl modules which themselves
have the 'use ExtUtils::MakeMaker' requirement in their respective Makefile.PL
scripts, some Linux distributions don't seem to make it easy to install
ExtUtils::MakeMaker in a manner in which the local RPM install can see it.
And, at the same time, it usually is there since installing perl modules is
such a common operation.  The compromise is this solution, which will allow the
psad RPM to be built even if RPM doesn't or can't see that ExtUtils::MakeMaker
is installed - most likely it will build anyway.  If it doesn't, there are
bigger problems since psad is written in perl.  If you want to build the psad
RPM with a .spec file that requires ExtUtils::MakeMaker, then use the
"psad-require-makemaker.spec" file that is bundled in the psad sources.

2 years ago  update to install the init script in the test dir in --install-test-dir mode
Michael Rash [Fri, 20 Apr 2012 01:13:15 +0000]
update to install the init script in the test dir in --install-test-dir mode

2 years ago  Merge branch 'master' into openbsd_integration
Michael Rash [Thu, 19 Apr 2012 03:20:35 +0000]
Merge branch 'master' into openbsd_integration

2 years ago  added guard variable around syslog() calls
Michael Rash [Thu, 19 Apr 2012 03:19:17 +0000]
added guard variable around syslog() calls

2 years ago  bug fix to expand INSTALL_ROOT variable from psad.conf
Michael Rash [Thu, 19 Apr 2012 03:18:56 +0000]
bug fix to expand INSTALL_ROOT variable from psad.conf

2 years ago  completed merge from master for psad-2.2 features
Michael Rash [Wed, 18 Apr 2012 03:30:44 +0000]
completed merge from master for psad-2.2 features

2 years ago  bug fix to ensure that a pristine psad.conf file is preserved across --install-test...  (psad-2.2-pre1)
Michael Rash [Wed, 18 Apr 2012 02:57:07 +0000]
bug fix to ensure that a pristine psad.conf file is preserved across --install-test-dir mode

2 years ago  Bug fix for undefined syslog routine
Michael Rash [Wed, 18 Apr 2012 02:23:31 +0000]
Bug fix for undefined syslog routine

Fixed a bug that caused psad to emit the following:

Undefined subroutine &main::LOG_DAEMON called at ./psad line 10071.

This problem was noticed by Robert and reported on the psad mailing list.

2 years ago  RPM spec files switched to NetAddr::IP installation
Michael Rash [Wed, 18 Apr 2012 00:44:16 +0000]
RPM spec files switched to NetAddr::IP installation

2 years ago  --test-system-install to allow current system installation of psad to be tested throu...
Michael Rash [Wed, 18 Apr 2012 00:42:42 +0000]
--test-system-install to allow current system installation of psad to be tested through the test suite

2 years ago  override -O option for fwcheck_psad.pl
Michael Rash [Wed, 18 Apr 2012 00:40:52 +0000]
override -O option for fwcheck_psad.pl

2 years ago  update psad RPM spec files for the 2.2 release - more updates coming to properly...
Michael Rash [Tue, 17 Apr 2012 01:34:04 +0000]
update psad RPM spec files for the 2.2 release - more updates coming to properly handle the NetAddr::IP modules

2 years ago  version 2.2 nearly ready - bumped version numbers
Michael Rash [Tue, 17 Apr 2012 01:27:08 +0000]
version 2.2 nearly ready - bumped version numbers

2 years ago  Merge branch 'master' into openbsd_integration
Michael Rash [Tue, 17 Apr 2012 01:20:56 +0000]
Merge branch 'master' into openbsd_integration

2 years ago  added signatures file that excludes the MS SQL connect signature
Michael Rash [Tue, 17 Apr 2012 01:17:50 +0000]
added signatures file that excludes the MS SQL connect signature

2 years ago  updated test config files to not require the 'mail' binary
Michael Rash [Tue, 10 Apr 2012 12:40:41 +0000]
updated test config files to not require the 'mail' binary

2 years ago  allow pf firewall type to not require 'Chain' output in reports
Michael Rash [Sun, 8 Apr 2012 01:18:02 +0000]
allow pf firewall type to not require 'Chain' output in reports

2 years ago  perl warnings test to all firewall architectures
Michael Rash [Sun, 8 Apr 2012 01:11:53 +0000]
perl warnings test to all firewall architectures

2 years ago  Added --interface tests
Michael Rash [Tue, 3 Apr 2012 00:51:49 +0000]
Added --interface tests

2 years ago  normalized TCP flags across iptables and pf log formats
Michael Rash [Mon, 2 Apr 2012 01:33:20 +0000]
normalized TCP flags across iptables and pf log formats

2 years ago  added test suite --diff mode (from the fwknop test suite)
Michael Rash [Sun, 1 Apr 2012 13:48:31 +0000]
added test suite --diff mode (from the fwknop test suite)

2 years ago  first cut at packet parsing on OpenBSD PF firewalls
Michael Rash [Fri, 30 Mar 2012 01:56:38 +0000]
first cut at packet parsing on OpenBSD PF firewalls

2 years ago  added 'firewalls' hash key to @tests() to define supported firewalls for each test
Michael Rash [Wed, 28 Mar 2012 01:19:02 +0000]
added 'firewalls' hash key to @tests() to define supported firewalls for each test

2 years ago  minor variable updates
Michael Rash [Tue, 27 Mar 2012 00:55:22 +0000]
minor variable updates

2 years ago  additional --fw-type updates to handle non-iptables firewalls
Michael Rash [Tue, 27 Mar 2012 00:44:11 +0000]
additional --fw-type updates to handle non-iptables firewalls

2 years ago  populated fw_type() code for firewall type resolution
Michael Rash [Mon, 26 Mar 2012 01:43:32 +0000]
populated fw_type() code for firewall type resolution

2 years ago  added --firewall-type <type> argument, calls to log parsing routines done via functio...
Michael Rash [Mon, 26 Mar 2012 00:54:31 +0000]
added --firewall-type <type> argument, calls to log parsing routines done via function references

2 years ago  minor variable/comment update to not be too iptables-specific
Michael Rash [Sun, 25 Mar 2012 20:23:53 +0000]
minor variable/comment update to not be too iptables-specific

2 years ago  differentiate OS via uname - install.pl installs on OpenBSD now
Michael Rash [Sun, 25 Mar 2012 14:35:00 +0000]
differentiate OS via uname - install.pl installs on OpenBSD now

2 years ago  Minor compiler warning bug fix for OpenBSD systems.
Michael Rash [Sun, 25 Mar 2012 00:34:56 +0000]
Minor compiler warning bug fix for OpenBSD systems.

Compiling psad *.c files on OpenBSD issued the following warning before this fix:

/usr/bin/gcc -Wall -O psadwatchd.c psad_funcs.c strlcpy.c strlcat.c -o psadwatchd
psad_funcs.c: In function 'send_alert_email':
psad_funcs.c:325: warning: missing sentinel in function call

2 years ago  added IPv6 exclusion test for Snort MS SQL Server communication attempt signature
Michael Rash [Sat, 24 Mar 2012 14:08:48 +0000]
added IPv6 exclusion test for Snort MS SQL Server communication attempt signature

2 years ago  added Snort sig tests for MS SQL Server communication attempt
Michael Rash [Sat, 24 Mar 2012 13:25:00 +0000]
added Snort sig tests for MS SQL Server communication attempt

2 years ago  IPv4 allow valid echo request
Michael Rash [Sat, 24 Mar 2012 02:06:44 +0000]
IPv4 allow valid echo request

2 years ago  minor hostname update minastirith -> linux
Michael Rash [Sat, 24 Mar 2012 02:00:23 +0000]
minor hostname update minastirith -> linux

2 years ago  added IPv4 ICMP type/code validation test
Michael Rash [Sat, 24 Mar 2012 01:58:19 +0000]
added IPv4 ICMP type/code validation test

2 years ago  ICMP6 type/code validation test, perl warnings test
Michael Rash [Sat, 24 Mar 2012 01:09:38 +0000]
ICMP6 type/code validation test, perl warnings test

2 years ago  added ipv6_invalid_icmp6_type_code file for test suite support for ICMP6 type/code...
Michael Rash [Sat, 24 Mar 2012 01:08:59 +0000]
added ipv6_invalid_icmp6_type_code file for test suite support for ICMP6 type/code validation

2 years ago  bugfix for uninitialized variable in ICMP6 validation reporting
Michael Rash [Sat, 24 Mar 2012 01:07:41 +0000]
bugfix for uninitialized variable in ICMP6 validation reporting

2 years ago  validate ICMP6 type+code fields
Michael Rash [Fri, 23 Mar 2012 03:00:00 +0000]
validate ICMP6 type+code fields

2 years ago  copy original psad.conf before install and restore at conclusion
Michael Rash [Fri, 23 Mar 2012 00:41:08 +0000]
copy original psad.conf before install and restore at conclusion

2 years ago  move icmp validation code out of Snort rules comparison
Michael Rash [Fri, 23 Mar 2012 00:27:37 +0000]
move icmp validation code out of Snort rules comparison

For better performance and correctness, moved icmp type/code validation code out
of Snort rule comparison routine.  Added icmp validation output to --Analyze
mode output.  Disabled DNS lookups in -A mode by default, but added --dns-analysis
command line arg to provide an override.

2 years ago  added --install-root and --install-test-dir options to --help output
Michael Rash [Fri, 23 Mar 2012 00:26:53 +0000]
added --install-root and --install-test-dir options to --help output

2 years ago  added the ability to read iptables packet data from a file with -m in --Benchmark...
Michael Rash [Wed, 21 Mar 2012 01:15:38 +0000]
added the ability to read iptables packet data from a file with -m in --Benchmark mode

2 years ago  added IPv6 abbreviated format test
Michael Rash [Sun, 18 Mar 2012 17:43:48 +0000]
added IPv6 abbreviated format test

2 years ago  bugfix to honor auto_dl lines with IPv6 addresses
Michael Rash [Sun, 18 Mar 2012 17:32:13 +0000]
bugfix to honor auto_dl lines with IPv6 addresses

2 years ago  added --test-mode so that fw check emails are not sent, debug is enabled, and is_loca...
Michael Rash [Sun, 18 Mar 2012 02:00:09 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

2 years ago  added --test-mode so that fw check emails are not sent, debug is enabled, and is_loca...
Michael Rash [Sat, 17 Mar 2012 19:50:00 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

2 years ago  added enable_ack_detection.conf file
Michael Rash [Sat, 17 Mar 2012 19:48:55 +0000]
added enable_ack_detection.conf file

2 years ago  added IPv6 TCP connect() test
Michael Rash [Sat, 17 Mar 2012 18:11:30 +0000]
added IPv6 TCP connect() test

2 years ago  added TCP NULL scan test
Michael Rash [Sat, 17 Mar 2012 18:00:07 +0000]
added TCP NULL scan test

2 years ago  added NULL scan test
Michael Rash [Sat, 17 Mar 2012 01:31:01 +0000]
added NULL scan test

2 years ago  added FIN, XMAS, and ACK scan tests
Michael Rash [Sat, 17 Mar 2012 01:12:01 +0000]
added FIN, XMAS, and ACK scan tests

2 years ago  bugfix in psad to honor IGNORE_PROTOCOLS keyword (found by corresponding tests)
Michael Rash [Fri, 16 Mar 2012 00:44:20 +0000]
bugfix in psad to honor IGNORE_PROTOCOLS keyword (found by corresponding tests)

2 years ago  updated to remove kmsgsd discussion since kmsgsd is basically deprecated at this...
Michael Rash [Fri, 16 Mar 2012 00:41:40 +0000]
updated to remove kmsgsd discussion since kmsgsd is basically deprecated at this point

2 years ago  minor config file comment typo fixes
Michael Rash [Wed, 14 Mar 2012 01:43:37 +0000]
minor config file comment typo fixes

2 years ago  minor comment typo fixes
Michael Rash [Wed, 14 Mar 2012 01:23:44 +0000]
minor comment typo fixes

2 years ago  added auto_dl 5 tests
Michael Rash [Wed, 14 Mar 2012 01:17:02 +0000]
added auto_dl 5 tests

2 years ago  added SYN scan and UDP scan tests
Michael Rash [Wed, 14 Mar 2012 00:43:12 +0000]
added SYN scan and UDP scan tests

2 years ago  updated default INSTALL_ROOT path to the test/ directory install path test/psad-install
Michael Rash [Wed, 14 Mar 2012 00:38:41 +0000]
updated default INSTALL_ROOT path to the test/ directory install path test/psad-install

2 years ago  bugfix in variable expansion routine to ensure expansion of multiple sub-vars
Michael Rash [Wed, 14 Mar 2012 00:37:44 +0000]
bugfix in variable expansion routine to ensure expansion of multiple sub-vars

2 years ago  Added the ability to install at custom location
Michael Rash [Tue, 13 Mar 2012 01:34:03 +0000]
Added the ability to install at custom location

This commit adds the ability to install psad at a custom location via the
--install-root <root> command line argument to install.pl.  This feature
was suggested by @pyllyukko.  In addition, psad can be installed by a
normal user instead of requiring root.

2 years ago  additional basic operations tests, next up: scan tests
Michael Rash [Mon, 12 Mar 2012 02:41:17 +0000]
additional basic operations tests, next up: scan tests

2 years ago  added test suite scans/ directory
Michael Rash [Mon, 12 Mar 2012 02:38:55 +0000]
added test suite scans/ directory

2 years ago  added test suite via the test/ directory
Michael Rash [Sun, 11 Mar 2012 02:40:04 +0000]
added test suite via the test/ directory

2 years ago  bug fix to ensure the psadfifo file is not created unless is true
Michael Rash [Sun, 11 Mar 2012 01:44:46 +0000]
bug fix to ensure the psadfifo file is not created unless  is true

2 years ago  added PERL5LIB env variable so module installs can reference the current install...
Michael Rash [Sat, 10 Mar 2012 02:36:43 +0000]
added PERL5LIB env variable so module installs can reference the current install path, minor 'die' statement update to remove newlines

2 years ago  added support for ip6tables policy default log and drop rule detection
Michael Rash [Fri, 9 Mar 2012 02:44:12 +0000]
added support for ip6tables policy default log and drop rule detection

2 years ago  updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1
Michael Rash [Fri, 9 Mar 2012 02:40:43 +0000]
updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1

2 years ago  updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1
Michael Rash [Fri, 9 Mar 2012 02:39:09 +0000]
updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1

2 years ago  fix 'qw(...) usage as parenthesis' warnings for perl > 5.14
Michael Rash [Tue, 21 Feb 2012 01:57:02 +0000]
fix 'qw(...) usage as parenthesis' warnings for perl > 5.14

2 years ago  minor comment updates (header material)
Michael Rash [Tue, 21 Feb 2012 01:54:23 +0000]
minor comment updates (header material)

2 years ago  updated Unix::Syslog to 1.1 from CPAN
Michael Rash [Fri, 10 Feb 2012 16:37:43 +0000]
updated Unix::Syslog to 1.1 from CPAN

2 years ago  fix 'qw(...) usage as parenthesis' warnings for perl > 5.14
Michael Rash [Sat, 14 Jan 2012 19:11:05 +0000]
fix 'qw(...) usage as parenthesis' warnings for perl > 5.14

2 years ago  added ip6tables policy dump to --fw-dump mode
Michael Rash [Fri, 23 Dec 2011 21:33:05 +0000]
added ip6tables policy dump to --fw-dump mode

3 years ago  bumped version to 3.0-pre1  (psad-3.0-pre1)
Michael Rash [Wed, 14 Dec 2011 02:51:22 +0000]
bumped version to 3.0-pre1

3 years ago  bug fix to parse iptables syslog date into a proper numeric time
Michael Rash [Wed, 14 Dec 2011 02:49:50 +0000]
bug fix to parse iptables syslog date into a proper numeric time

3 years ago  minor bug fix to call older passive OS fingerprinting routine for non-IPv6 packets
Michael Rash [Wed, 14 Dec 2011 01:28:46 +0000]
minor bug fix to call older passive OS fingerprinting routine for non-IPv6 packets

3 years ago  interim commit to maintain better separation between IPv4 and IPv6 passive OS fingerp...
Michael Rash [Tue, 13 Dec 2011 02:00:39 +0000]
interim commit to maintain better separation between IPv4 and IPv6 passive OS fingerprinting code

3 years ago  Added MAX_SCAN_IP_PAIRS
Michael Rash [Sat, 10 Dec 2011 19:49:21 +0000]
Added MAX_SCAN_IP_PAIRS

This commit allows psad memory usage to be constrained by restricting the
number of unique IP pairs that psad tracks via a new config variable
MAX_SCAN_IP_PAIRS.  This is useful for when psad is deployed on systems with
little memory, and is best utilized in conjunction with disabling
ENABLE_PERSISTENCE so that old scans will also be deleted (and thereby making
room for tracking new scans under the MAX_SCAN_IP_PAIRS threshold).

3 years ago  reworked how old scans are deleted, and added a new PERSISTENCE_CTR_THRESHOLD variabl...
Michael Rash [Sat, 10 Dec 2011 17:53:23 +0000]
reworked how old scans are deleted, and added a new PERSISTENCE_CTR_THRESHOLD variable to control this

3 years ago  update to not collect err packets in --no-ipt-errors mode
Michael Rash [Sat, 10 Dec 2011 15:37:25 +0000]
update to not collect err packets in --no-ipt-errors mode

3 years ago  Completed conversion to NetAddr::IP module
Michael Rash [Fri, 9 Dec 2011 20:40:26 +0000]
Completed conversion to NetAddr::IP module

This commit completes the conversion to the NetAddr::IP module for all IP
address comparisons.  Also re-worked Snort keyword matching to maximize
performance.

3 years ago  added the deps/NetAddr-IP directory
Michael Rash [Tue, 6 Dec 2011 01:52:15 +0000]
added the deps/NetAddr-IP directory

3 years ago  made --packets apply to --Analyze mode, man page doc fixes relative to the old psadfi...
Michael Rash [Tue, 6 Dec 2011 01:46:33 +0000]
made --packets apply to --Analyze mode, man page doc fixes relative to the old psadfifo file