psad.git
Michael Rash [Fri, 20 Apr 2012 01:59:43 +0000]  (tag: psad-2.2-pre2)
bumped version to psad-2.2-pre2

Michael Rash [Fri, 20 Apr 2012 01:25:52 +0000]
removed psad-nobuildreqs.spec

Michael Rash [Fri, 20 Apr 2012 01:25:07 +0000]
moved ChangeLog.old -> ChangeLog (the old style is much more readable)

Michael Rash [Fri, 20 Apr 2012 01:21:52 +0000]
matched all chdir() calls with getcwd() for easier test suite support

Michael Rash [Fri, 20 Apr 2012 01:20:52 +0000]
added the psad-require-makemaker.spec file

Michael Rash [Fri, 20 Apr 2012 01:13:58 +0000]
Removed the ExtUtils::MakeMaker build requirement

Although building the psad RPM builds a set of perl modules which themselves
have the 'use ExtUtils::MakeMaker' requirement in their respective Makefile.PL
scripts, some Linux distributions don't seem to make it easy to install
ExtUtils::MakeMaker in a manner in which the local RPM install can see it.
And, at the same time, it usually is there since installing perl modules is
such a common operation.  The compromise is this solution, which will allow the
psad RPM to be built even if RPM doesn't or can't see that ExtUtils::MakeMaker
is installed - most likely it will build anyway.  If it doesn't, there are
bigger problems since psad is written in perl.  If you want to build the psad
RPM with a .spec file that requires ExtUtils::MakeMaker, then use the
"psad-require-makemaker.spec" file that is bundled in the psad sources.

Michael Rash [Fri, 20 Apr 2012 01:13:15 +0000]
update to install the init script in the test dir in --install-test-dir mode

Michael Rash [Thu, 19 Apr 2012 03:19:17 +0000]
added guard variable around syslog() calls

Michael Rash [Thu, 19 Apr 2012 03:18:56 +0000]
bug fix to expand INSTALL_ROOT variable from psad.conf

Michael Rash [Wed, 18 Apr 2012 02:57:07 +0000]  (tag: psad-2.2-pre1)
bug fix to ensure that a pristine psad.conf file is preserved across --install-test-dir mode

Michael Rash [Wed, 18 Apr 2012 02:23:31 +0000]
Bug fix for undefined syslog routine

Fixed a bug that caused psad to emit the following:

Undefined subroutine &main::LOG_DAEMON called at ./psad line 10071.

This problem was noticed by Robert and reported on the psad mailing list.

Michael Rash [Wed, 18 Apr 2012 00:44:16 +0000]
RPM spec files switched to NetAddr::IP installation

Michael Rash [Wed, 18 Apr 2012 00:42:42 +0000]
--test-system-install to allow current system installation of psad to be tested through the test suite

Michael Rash [Wed, 18 Apr 2012 00:40:52 +0000]
override -O option for fwcheck_psad.pl

Michael Rash [Tue, 17 Apr 2012 01:34:04 +0000]
update psad RPM spec files for the 2.2 release - more updates coming to properly handle the NetAddr::IP modules

Michael Rash [Tue, 17 Apr 2012 01:27:08 +0000]
version 2.2 nearly ready - bumped version numbers

Michael Rash [Tue, 17 Apr 2012 01:17:50 +0000]
added signatures file that excludes the MS SQL connect signature

Michael Rash [Tue, 10 Apr 2012 12:40:41 +0000]
updated test config files to not require the 'mail' binary

Michael Rash [Sun, 25 Mar 2012 00:34:56 +0000]
Minor compiler warning bug fix for OpenBSD systems.

Compiling psad *.c files on OpenBSD issued the following warning before this fix:

/usr/bin/gcc -Wall -O psadwatchd.c psad_funcs.c strlcpy.c strlcat.c -o psadwatchd
psad_funcs.c: In function 'send_alert_email':
psad_funcs.c:325: warning: missing sentinel in function call

Michael Rash [Sat, 24 Mar 2012 14:08:48 +0000]
added IPv6 exclusion test for Snort MS SQL Server communication attempt signature

Michael Rash [Sat, 24 Mar 2012 13:25:00 +0000]
added Snort sig tests for MS SQL Server communication attempt

Michael Rash [Sat, 24 Mar 2012 02:06:44 +0000]
IPv4 allow valid echo request

Michael Rash [Sat, 24 Mar 2012 02:00:23 +0000]
minor hostname update minastirith -> linux

Michael Rash [Sat, 24 Mar 2012 01:58:19 +0000]
added IPv4 ICMP type/code validation test

Michael Rash [Sat, 24 Mar 2012 01:09:38 +0000]
ICMP6 type/code validation test, perl warnings test

Michael Rash [Sat, 24 Mar 2012 01:08:59 +0000]
added ipv6_invalid_icmp6_type_code file for test suite support for ICMP6 type/code validation

Michael Rash [Sat, 24 Mar 2012 01:07:41 +0000]
bugfix for uninitialized variable in ICMP6 validation reporting

Michael Rash [Fri, 23 Mar 2012 03:00:00 +0000]
validate ICMP6 type+code fields

Michael Rash [Fri, 23 Mar 2012 00:41:08 +0000]
copy original psad.conf before install and restore at conclusion

Michael Rash [Fri, 23 Mar 2012 00:27:37 +0000]
move icmp validation code out of Snort rules comparison

For better performance and correctness, moved icmp type/code validation code out
of Snort rule comparison routine.  Added icmp validation output to --Analyze
mode output.  Disabled DNS lookups in -A mode by default, but added --dns-analysis
command line arg to provide an override.

Michael Rash [Fri, 23 Mar 2012 00:26:53 +0000]
added --install-root and --install-test-dir options to --help output

Michael Rash [Wed, 21 Mar 2012 01:15:38 +0000]
added the ability to read iptables packet data from a file with -m in --Benchmark mode

Michael Rash [Sun, 18 Mar 2012 17:43:48 +0000]
added IPv6 abbreviated format test

Michael Rash [Sun, 18 Mar 2012 17:32:13 +0000]
bugfix to honor auto_dl lines with IPv6 addresses

Michael Rash [Sun, 18 Mar 2012 02:00:09 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

Michael Rash [Sat, 17 Mar 2012 19:50:00 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

Michael Rash [Sat, 17 Mar 2012 19:48:55 +0000]
added enable_ack_detection.conf file

Michael Rash [Sat, 17 Mar 2012 18:11:30 +0000]
added IPv6 TCP connect() test

Michael Rash [Sat, 17 Mar 2012 18:00:07 +0000]
added TCP NULL scan test

Michael Rash [Sat, 17 Mar 2012 01:31:01 +0000]
added NULL scan test

Michael Rash [Sat, 17 Mar 2012 01:12:01 +0000]
added FIN, XMAS, and ACK scan tests

Michael Rash [Fri, 16 Mar 2012 00:44:20 +0000]
bugfix in psad to honor IGNORE_PROTOCOLS keyword (found by corresponding tests)

Michael Rash [Fri, 16 Mar 2012 00:41:40 +0000]
updated to remove kmsgsd discussion since kmsgsd is basically deprecated at this point

Michael Rash [Wed, 14 Mar 2012 01:43:37 +0000]
minor config file comment typo fixes

Michael Rash [Wed, 14 Mar 2012 01:23:44 +0000]
minor comment typo fixes

Michael Rash [Wed, 14 Mar 2012 01:17:02 +0000]
added auto_dl 5 tests

Michael Rash [Wed, 14 Mar 2012 00:43:12 +0000]
added SYN scan and UDP scan tests

Michael Rash [Wed, 14 Mar 2012 00:38:41 +0000]
updated default INSTALL_ROOT path to the test/ directory install path test/psad-install

Michael Rash [Wed, 14 Mar 2012 00:37:44 +0000]
bugfix in variable expansion routine to ensure expansion of multiple sub-vars

Michael Rash [Tue, 13 Mar 2012 01:34:03 +0000]
Added the ability to install at custom location

This commit adds the ability to install psad at a custom location via the
--install-root <root> command line argument to install.pl.  This feature
was suggested by @pyllyukko.  In addition, psad can be installed by a
normal user instead of requiring root.

Michael Rash [Mon, 12 Mar 2012 02:41:17 +0000]
additional basic operations tests, next up: scan tests

Michael Rash [Mon, 12 Mar 2012 02:38:55 +0000]
added test suite scans/ directory

Michael Rash [Sun, 11 Mar 2012 02:40:04 +0000]
added test suite via the test/ directory

Michael Rash [Sun, 11 Mar 2012 01:44:46 +0000]
bug fix to ensure the psadfifo file is not created unless  is true

Michael Rash [Sat, 10 Mar 2012 02:36:43 +0000]
added PERL5LIB env variable so module installs can reference the current install path, minor 'die' statement update to remove newlines

Michael Rash [Fri, 9 Mar 2012 02:44:12 +0000]
added support for ip6tables policy default log and drop rule detection

Michael Rash [Fri, 9 Mar 2012 02:40:43 +0000]
updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1

Michael Rash [Fri, 9 Mar 2012 02:39:09 +0000]
updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1

Michael Rash [Tue, 21 Feb 2012 01:57:02 +0000]
fix 'qw(...) usage as parenthesis' warnings for perl > 5.14

Michael Rash [Tue, 21 Feb 2012 01:54:23 +0000]
minor comment updates (header material)

Michael Rash [Fri, 10 Feb 2012 16:37:43 +0000]
updated Unix::Syslog to 1.1 from CPAN

Michael Rash [Sat, 14 Jan 2012 19:11:05 +0000]
fix 'qw(...) usage as parenthesis' warnings for perl > 5.14

Michael Rash [Fri, 23 Dec 2011 21:33:05 +0000]
added ip6tables policy dump to --fw-dump mode

Michael Rash [Wed, 14 Dec 2011 02:51:22 +0000]  (tag: psad-3.0-pre1)
bumped version to 3.0-pre1

Michael Rash [Wed, 14 Dec 2011 02:49:50 +0000]
bug fix to parse iptables syslog date into a proper numeric time

Michael Rash [Wed, 14 Dec 2011 01:28:46 +0000]
minor bug fix to call older passive OS fingerprinting routine for non-IPv6 packets

Michael Rash [Tue, 13 Dec 2011 02:00:39 +0000]
interim commit to maintain better separation between IPv4 and IPv6 passive OS fingerprinting code

Michael Rash [Sat, 10 Dec 2011 19:49:21 +0000]
Added MAX_SCAN_IP_PAIRS

This commit allows psad memory usage to be constrained by restricting the
number of unique IP pairs that psad tracks via a new config variable
MAX_SCAN_IP_PAIRS.  This is useful for when psad is deployed on systems with
little memory, and is best utilized in conjunction with disabling
ENABLE_PERSISTENCE so that old scans will also be deleted (and thereby making
room for tracking new scans under the MAX_SCAN_IP_PAIRS threshold).

Michael Rash [Sat, 10 Dec 2011 17:53:23 +0000]
reworked how old scans are deleted, and added a new PERSISTENCE_CTR_THRESHOLD variable to control this

Michael Rash [Sat, 10 Dec 2011 15:37:25 +0000]
update to not collect err packets in --no-ipt-errors mode

Michael Rash [Fri, 9 Dec 2011 20:40:26 +0000]
Completed conversion to NetAddr::IP module

This commit completes the conversion to the NetAddr::IP module for all IP
address comparisons.  Also re-worked Snort keyword matching to maximize
performance.

Michael Rash [Tue, 6 Dec 2011 01:52:15 +0000]
added the deps/NetAddr-IP directory

Michael Rash [Tue, 6 Dec 2011 01:46:33 +0000]
made --packets apply to --Analyze mode, man page doc fixes relative to the old psadfifo file

Michael Rash [Mon, 1 Aug 2011 01:23:28 +0000]
Removed Net::IPv4Addr module for NetAddr::IP replacement

The Net::IPv4Addr module does not handle IPv6 addresses, and so it will be
replaced with the NetAddr::IP module.

Michael Rash [Sat, 30 Jul 2011 02:15:12 +0000]
Added code to separate ipv4 vs. ipv6 p0f attempts

There are not yet any IPv6 fingerprints for p0f, so psad needs to ensure that
its p0f implementation over iptables log messages is restricted to IPv4
packets.  This change will make it easier to integrate an IPv6 implementation
of p0f as well.

Michael Rash [Wed, 27 Jul 2011 02:42:33 +0000]
Renamed ChangeLog -> ChangeLog.old

Renamed the original ChangeLog -> ChangeLog.old and replaced it with output from
'git log'.

Michael Rash [Wed, 27 Jul 2011 00:54:24 +0000]
Updated to the latest p0f signatures from OpenBSD

Updated to the latest p0f signatures in the pf.os file from the OpenBSD
project.

Michael Rash [Wed, 27 Jul 2011 00:41:35 +0000]
Bug fix for scan sources reported as destinations

In the /var/log/psad/<ip>/ directories, whois information is stored in the
<IP>_whois files, and the IP in the filename was included as a destination IP
under the psad -S output.  This commit fixes this bug.  Here is an example of
the invalid output:

[+] IP Status Detail:

SRC:  123.123.123.221, DL: 2, Dsts: 2, Pkts: 1, Unique sigs: 1, Email alerts: 1

    DST: 1.2.3.4, Local IP
        Scanned ports: TCP 1433, Pkts: 1, Chain: INPUT, Intf: eth0
        Signature match: "MISC Microsoft SQL Server communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 1433, SYN, Sid: 100205
    DST: 123.123.123.221

Michael Rash [Wed, 27 Jul 2011 00:38:52 +0000]
Added 'udplite' as a supported protocol

iptables can produce log messages for the udplite protocol (IP protocol 136),
and this commit starts to work in udplite support after such messages have
been parsed.

Michael Rash [Tue, 26 Jul 2011 02:13:09 +0000]
Added the ENABLE_IPV6_DETECTION variable

The ENABLE_IPV6_DETECTION variable controls whether psad will parse or ignore
IPv6 iptables log messages.  This is enabled by default.

Michael Rash [Tue, 26 Jul 2011 02:09:11 +0000]
Make ENABLE_* vars accept case-insensitive values

Allow ENABLE_* psad.conf variables to have values like 'y', 'n', 'Yes', 'No',
etc.

Michael Rash [Tue, 26 Jul 2011 01:42:57 +0000]
Bug fix for ICMP time exceeded packets for TCP

TCP connections can be met with ICMP time exceeded messages, and this fix
ensures that they are recognized.  Here is an example of such a message:

Jan 24 23:21:46 minastirith kernel: [711473.921049] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:24:ea:81:08:00 SRC=123.123.123.1 DST=255.255.255.255 LEN=355 TOS=0x00
Jan 25 11:31:32 minastirith kernel: [755260.336492] DROP INVALID IN=eth0 OUT= MAC=00:13:46:3a:41:36:00:01:5c:24:ea:81:08:00 SRC=202.97.39.53 DST=1.1.1.1 LEN=56 TOS=0x00 PREC=0x20 TTL=240 ID=11594 PROTO=ICMP TYPE=11 CODE=0 [SRC=1.1.1.1 DST=2.2.2.2 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=18273 MF PROTO=TCP INCOMPLETE [8 bytes] ]

Michael Rash [Tue, 26 Jul 2011 01:17:24 +0000]
Added call to get_connected_subnets() in -A mode.

Make sure to get local networks in --Analyze mode for is_local() checks.

Michael Rash [Tue, 26 Jul 2011 01:07:20 +0000]
Bugfix introduced by edc028d46d83cd3f6952e0dde99ebd731366a2f6

Bugfix to make sure that protocol counters are written to the counters file
via the proper filehandle.

Michael Rash [Tue, 26 Jul 2011 01:00:29 +0000]
Minor wording update for syslog messages parsing

Minor documentation update to better describe the default parsing behavior of
psad (non-usage of the psadfifo and kmsgsd by default).

Michael Rash [Tue, 26 Jul 2011 00:27:55 +0000]
Minor update Netfilter -> iptables wording

It is more proper to refer to iptables in the context of psad operations, so
changed all "Netfilter" references to "iptables".

Michael Rash [Mon, 25 Jul 2011 02:06:54 +0000]
Minor change to rework global protocol counters

Minor restructuring to be able to more easily support protocols that are
logged via iptables via a 'defined' check on a global protocol tracking
hash.

Michael Rash [Sun, 24 Jul 2011 19:54:28 +0000]
Minor filehandle warning bug fix.

perl likes to generate warnings like the one seen below if the STDOUT or STDERR
filehandles are closed when going into daemon mode and other filehandles are
used.  This change removes closing these filehandles when psad is run as a
daemon:

Sun Jul 24 14:27:44 2011 psad v2.1.8-pre2 pid: 11675 Filehandle STDOUT reopened as F only for input at /usr/sbin/psad line 9924.

Michael Rash [Sat, 23 Jul 2011 14:39:17 +0000]
Minor update in filehandle usage for mail messages

Minor change to try and avoid the following warning messages logged to
/var/log/psad/errs/psad.warn:

Sun Nov 28 12:09:44 2010 psad v2.1.8-pre1 (file rev: 2309) pid: 1600 Filehandle STDERR reopened as F only for input at /usr/sbin/psad line 9756.

It is likely that other changes will be necessary in order to completely stop
these messages.

Michael Rash [Sat, 23 Jul 2011 14:18:56 +0000]
Implemented parsing support for IPv6 via ip6tables

This is the first major commit for IPv6 support, and starts with the ability to
parse IPv6 log messages for the following protocols: TCP, UDP, UDPLITE, and
ICMP6.  Scans and signature matches are not yet detected, but that is coming
soon.  Here are a few example ip6tables logging messages that psad now
supports:

Jul 21 19:07:39 minastirith kernel: [1912155.755862] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=59 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=35186 DPT=12345 LEN=19
Jul 21 19:07:39 minastirith kernel: [1912155.755921] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=107 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 [SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=59 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=35186 DPT=12345 LEN=19 ]
Jul 21 19:07:40 minastirith kernel: [1912156.845421] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=21264 SEQ=1
Jul 21 19:07:40 minastirith kernel: [1912156.845478] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=21264 SEQ=1
Jul 21 19:08:15 minastirith kernel: [1912191.806437] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=32752 RES=0x00 SYN URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.806509] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=55551 WINDOW=32728 RES=0x00 ACK SYN URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.806570] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.835221] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=111 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=55551 WINDOW=256 RES=0x00 ACK PSH URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.835292] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK URGP=0
Jul 21 19:08:17 minastirith kernel: [1912194.391506] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK FIN URGP=0
Jul 21 19:08:17 minastirith kernel: [1912194.392596] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=55551 WINDOW=256 RES=0x00 ACK FIN URGP=0
Jul 21 19:08:17 minastirith kernel: [1912194.392678] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK URGP=0

Michael Rash [Wed, 13 Jul 2011 02:07:29 +0000]
Moved running as root check into is_root()

Minor update to put the running as root check into a new is_root() function.

Michael Rash [Wed, 13 Jul 2011 02:05:12 +0000]
Minor copyright update

Updated the copyright date to 2011.

Michael Rash [Wed, 13 Jul 2011 02:02:30 +0000]
Minor variable initialization update

Minor change to make sure to initialize a few global variables.

Michael Rash [Fri, 17 Jun 2011 11:59:29 +0000]
Removed "$Id$" tags (meaningless for git)

All "$Id$" expansion tags were removed since they were a hold-over from the
svn days.  This also meant that the "file revision: <N>" output for "psad -V"
was removed too.

Michael Rash [Wed, 29 Dec 2010 01:28:27 +0000]
minor comment bug fix

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2315 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

Michael Rash [Thu, 25 Nov 2010 18:01:57 +0000]
bumped version to 2.1.8-pre2

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2313 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

Michael Rash [Thu, 25 Nov 2010 18:01:43 +0000]
- Altered the 'ET MALWARE Bundleware Spyware CHM Download' Snort rule in
the bundled Emerging Threats rule set to make sure that ClamAV does not
flag on the pattern "mhtml\:file\://" which is associated with the
following ClamAV signature:

$ grep Exploit.HTML.MHTRedir-8 main.ndb
Exploit.HTML.MHTRedir-8:3:*:6d68746d6c3a66696c653a2f2f{1-20}2168

An analysis of this issue was posted here:

http://www.cipherdyne.org/blog/2010/08/22.html

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2312 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

Michael Rash [Thu, 25 Nov 2010 16:02:29 +0000]
- Bug fix for ICMP packet handling where psad would incorrectly interpret
  ICMP port unreachable messages as UDP packets because the UDP specifics
  are included in the iptables log message.  This bug was first reported by
  Lukas Baxa to the Debian maintainers and was followed up by Franck
  Joncourt:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=596240

  An example ICMP log message that exposed the bug is included below:

  Sep  8 18:04:26 baxic kernel: [28241.572876] IN_DROP IN=wlan0
  OUT= MAC=00:1a:9f:91:df:ae:00:21:27:e8:0a:a0:08:00
  SRC=10.0.0.138 DST=192.168.1.103 LEN=96 TOS=0x00 PREC=0xC0 TTL=254
  ID=63642 PROTO=ICMP TYPE=3 CODE=3
  [SRC=192.168.1.103 DST=10.0.0.138 LEN=68 TOS=0x00 PREC=0x00 TTL=0
  ID=22458 PROTO=UDP SPT=35080 DPT=33434 LEN=48 ]

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2311 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
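As an added example (not code from psad or its author), a small Python parser for the iptables/ip6tables log format quoted in the IPv6 parsing, ICMP time-exceeded and ICMP port-unreachable entries above: it keeps the header quoted inside the brackets of an ICMP error message separate from the outer header, so the outer PROTO is the one counted, and checks ICMP/ICMPv6 TYPE/CODE pairs against a small assumed table. The sample lines are constructed from the ones on this page with the hostname and some addresses replaced.

```python
import re

# Constructed sample lines modelled on the iptables/ip6tables messages quoted
# in the commit messages above (hostname and some addresses replaced).
SAMPLES = {
    "v6_syn": (
        "Jul 21 19:08:15 host kernel: [1912191.806437] IPv6 Packet IN=lo OUT= "
        "MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 "
        "DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 "
        "PROTO=TCP SPT=55551 DPT=22 WINDOW=32752 RES=0x00 SYN URGP=0"),
    "v4_port_unreach": (
        "Sep  8 18:04:26 host kernel: [28241.572876] IN_DROP IN=wlan0 OUT= "
        "MAC=00:1a:9f:91:df:ae:00:21:27:e8:0a:a0:08:00 SRC=10.0.0.138 DST=192.168.1.103 "
        "LEN=96 TOS=0x00 PREC=0xC0 TTL=254 ID=63642 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.103 "
        "DST=10.0.0.138 LEN=68 TOS=0x00 PREC=0x00 TTL=0 ID=22458 PROTO=UDP SPT=35080 DPT=33434 LEN=48 ]"),
    "v4_time_exceeded": (
        "Jan 25 11:31:32 host kernel: [755260.336492] DROP INVALID IN=eth0 OUT= "
        "MAC=00:13:46:3a:41:36:00:01:5c:24:ea:81:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=56 "
        "TOS=0x00 PREC=0x20 TTL=240 ID=11594 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.0.113.9 DST=192.0.2.1 "
        "LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=18273 MF PROTO=TCP INCOMPLETE [8 bytes] ]"),
}

LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<rest>.*)$")
INNER_RE = re.compile(r"\[(SRC=.*?)\]\s*$")    # header quoted inside ICMP errors
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE", "MF", "DF"}
# Accepted ICMP type -> codes: an assumed illustrative subset, not psad's tables.
ICMP4_CODES = {0: {0}, 3: set(range(16)), 8: {0}, 11: {0, 1}}
ICMP6_CODES = {1: set(range(8)), 2: {0}, 3: {0, 1}, 4: {0, 1, 2}, 128: {0}, 129: {0}}


def _fields(text):
    """KEY=value tokens -> dict; bare TCP/IP flag words -> rec['FLAGS'] set."""
    rec, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN occurs twice (IP header, then transport length): keep the first
            # and file the repeat under L4_LEN instead of overwriting it.
            rec["L4_" + key if key in rec else key] = val
        elif tok in FLAG_WORDS:
            flags.add(tok)
    rec["FLAGS"] = flags
    return rec


def parse_ipt_log(line):
    """Parse one iptables/ip6tables kernel log line, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rest, inner = m.group("rest"), None
    im = INNER_RE.search(rest)
    if im:                    # ICMP/ICMPv6 error: parse the quoted header apart
        inner, rest = _fields(im.group(1)), rest[:im.start()]
    start = rest.find("IN=")
    if start < 0 or "PROTO=" not in rest:
        return None
    outer = _fields(rest[start:])
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": rest[:start].strip(),          # the --log-prefix text
            "ip_version": 6 if "HOPLIMIT" in outer else 4,
            "outer": outer, "inner": inner}


def naive_proto(line):
    """Simplified model of the pre-fix behaviour described above: the last
    PROTO= in the line wins, so an ICMP port-unreachable is counted as UDP."""
    protos = re.findall(r"PROTO=(\S+)", line)
    return protos[-1] if protos else None


def counted_proto(rec):
    """Fixed behaviour: attribute the packet to the OUTER header's protocol."""
    return rec["outer"]["PROTO"]


def icmp_type_code_valid(rec):
    """TYPE/CODE check for ICMP and ICMPv6 packets; other protocols pass."""
    proto = rec["outer"].get("PROTO")
    if proto not in ("ICMP", "ICMPv6"):
        return True
    table = ICMP6_CODES if proto == "ICMPv6" else ICMP4_CODES
    try:
        icmp_type, code = int(rec["outer"]["TYPE"]), int(rec["outer"]["CODE"])
    except (KeyError, ValueError):
        return False
    return code in table.get(icmp_type, set())
```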

Michael Rash [Sat, 7 Aug 2010 12:50:18 +0000]
bumped version to 2.1.8-pre1

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2309 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

Michael Rash [Sat, 7 Aug 2010 12:49:55 +0000]
minor date update

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2308 91a0a83b-1414-0410-bf9a-c3dbc33e90b6