Navigation

← Previous Changeset
Next Changeset →

Changeset 1662

Timestamp:

11/14/06 01:41:05 (2 years ago)

Author:

mbr

Message:

replaced curr_sig hash structure with sid hash structure, reporting for IP protocol is nearly finished

Files:

psad/branches/sigdevel/psad (modified) (12 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

psad/branches/sigdevel/psad

r1661	r1662
73	73	# for the current interval.
74	74	# flags - Keeps track of tcp flags.
75		# ~~curr_sig - Current signature.~~
	75	# sid - Signature tracking
76	76	# abs_sp - Absolute starting port.
77	77	# abs_ep - Absolute ending port.
…	…
1243	1243	}
1244	1244
1245		if ($pkt{'fwsnort_sid'} and not $no_snort_sids) {
1246		### found a snort sid in the packet log message
1247		my $dl = &add_snort_sid($pkt{'src'}, $pkt{'dst'},
1248		$pkt{'chain'}, $pkt{'proto'}, $pkt{'fwsnort_sid'});
1249		$curr_sids_dl{$pkt{'src'}} = $dl if $dl;
1250		} else {
1251		### attempt to match any tcp/udp/icmp signatures in the
1252		### main signatures hash
1253		unless ($no_signatures) {
1254
1255		my $dl = &match_sigs(\%pkt);
1256
1257		$curr_sigs_dl{$pkt{'src'}} = $dl if $dl;
	1245	unless ($no_snort_sids) {
	1246	if ($pkt{'fwsnort_sid'}) {
	1247	### found a snort sid in the packet log message
	1248	my $dl = &add_snort_sid(\%pkt);
	1249	$curr_sids_dl{$pkt{'src'}} = $dl if $dl;
	1250	} else {
	1251	### attempt to match any tcp/udp/icmp signatures in the
	1252	### main signatures hash
	1253	unless ($no_signatures) {
	1254
	1255	my $dl = &match_sigs(\%pkt);
	1256
	1257	$curr_sigs_dl{$pkt{'src'}} = $dl if $dl;
	1258	}
1258	1259	}
1259	1260	}
…	…
1693	1694
1694	1695	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'tcp'}
1695		{'~~curr_sig~~'}{$sid}{$pkt_hr->{'chain'}}{'dp'}
1696		~~{$pkt_hr->{'dp'}}++~~;
	1696	{'sid'}{$sid}{$pkt_hr->{'chain'}}{'dp'}
	1697	= $pkt_hr->{'dp'};
1697	1698
1698	1699	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'tcp'}
1699		{'curr_sig'}{$sid}{$pkt_hr->{'chain'}}{'flags'}
1700		{$pkt_hr->{'dp'}} = $pkt_hr->{'flags'};
	1700	{'sid'}{$sid}{$pkt_hr->{'chain'}}{'flags'}
	1701	= $pkt_hr->{'flags'};
	1702
	1703	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'tcp'}
	1704	{'sid'}{$sid}{$pkt_hr->{'chain'}}{'pkts'}++;
1701	1705
1702	1706	}
…	…
1708	1712
1709	1713	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'udp'}
1710		{'curr_sig'}{$sid}{$pkt_hr->{'chain'}}{'dp'}
1711		{$pkt_hr->{'dp'}}++;
	1714	{'sid'}{$sid}{$pkt_hr->{'chain'}}{'dp'}
	1715	= $pkt_hr->{'dp'};
	1716	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'udp'}
	1717	{'sid'}{$sid}{$pkt_hr->{'chain'}}{'pkts'}++;
1712	1718	}
1713	1719	} elsif ($sig_hr->{'proto'} eq 'icmp') {
…	…
1740	1746	$dl = $dl_tmp if $dl_tmp > $dl;
1741	1747
1742		$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'icmp'}{'~~curr_sig~~'}
	1748	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'icmp'}{'sid'}
1743	1749	{$sid}{$pkt_hr->{'chain'}}{'pkts'}++;
1744	1750	}
…	…
1846	1852	}
1847	1853
1848		$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'ip'}{'~~curr_sig~~'}
	1854	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'ip'}{'sid'}
1849	1855	{$sig_hr->{'sid'}}{$pkt_hr->{'chain'}}{'pkts'}++;
1850	1856
…	…
2166	2172
2167	2173	sub add_snort_sid() {
2168		my ($src, $dst, $chain, $proto, $sid) = @_;
	2174	my $pkt_hr = shift;
	2175
	2176	my $sid = $pkt_hr->{'fwsnort_sid'};
	2177
2169	2178	if (defined $snort_msgs{$sid}) {
2170		$scan{$src}{$dst}{$proto}{'sid'}{$sid}{$chain}++;
	2179
	2180	$scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{$pkt_hr->{'proto'}}
	2181	{'sid'}{$sid}{$pkt_hr->{'chain'}}{'pkts'}++;
2171	2182
2172	2183	my $classtype = $snort_msgs{$sid}{'classtype'};
…	…
4266	4277	my $href = $scan{$src}{$dst}{$proto};
4267	4278
4268		next unless (defined $href->{'curr_sig'}
4269		or defined $href->{'sid'}
	4279	next unless (defined $href->{'sid'}
4270	4280	or defined $href->{'invalid_type'}
4271	4281	or defined $href->{'invalid_code'});
…	…
4280	4290	my $sm_hr = $snort_msgs{$sid};
4281	4291
4282		my $pkts = $href->{'sid'}->{$sid}->{$chain};
4283		print $fh qq( "$sm_hr->{'msg'}"\n);
	4292	my $dp = -1;
	4293	my $flags = '';
	4294	if ($proto eq 'tcp' or $proto eq 'udp') {
	4295	$dp = $href->{'sid'}->{$sid}->{$chain}->{'dp'};
	4296	$flags = $href->{'sid'}->{$sid}->{$chain}->{'flags'};
	4297	}
	4298	my $pkts = $href->{'sid'}->{$sid}->{$chain}->{'pkts'};
	4299
	4300	print $fh qq\| "$sm_hr->{'msg'}"\n\|;
	4301	if ($proto eq 'tcp' or $proto eq 'udp') {
	4302	if ($chain eq 'INPUT') {
	4303	if (defined $local_ports{$proto}
	4304	and defined $local_ports{$dp}) {
	4305	print $fh " dst port: $dp (server bound to port!)\n",
	4306	" flags: $flags\n";
	4307	} else {
	4308	print $fh " dst port: $dp (no server bound to port)\n",
	4309	" flags: $flags\n";
	4310	}
	4311	} else {
	4312	print $fh " dst port: $dp\n",
	4313	" flags: $flags\n";
	4314	}
	4315	}
4284	4316	for my $content (@{$sm_hr->{'content'}}) {
4285	4317	print $fh qq( content: "$content"\n);
…	…
4312	4344	{$type}->{$chain}->{'pkts'};
4313	4345	print $fh
4314		qq~~( Invalid ICMP type "$type" chain=$chain packets=$pkts\n)~~;
	4346	qq\| Invalid ICMP type "$type" chain=$chain packets=$pkts\n\|;
4315	4347	}
4316	4348	}
…	…
4322	4354	my $pkts = $href->{'invalid_code'}->
4323	4355	{$type}->{$code}->{$chain}->{'pkts'};
4324		print $fh ~~" Invalid ICMP code \"$code\" for ICMP "~~,
4325		~~"\"$valid_icmp_types{$type}{'text'}\" packet\n"~~,
	4356	print $fh qq\| Invalid ICMP code "$code" for ICMP \|,
	4357	qq\|"$valid_icmp_types{$type}{'text'}" packet\n\|,
4326	4358	" chain=$chain packets=$pkts\n";
4327	4359	}
…	…
4329	4361	}
4330	4362	}
4331		for my $sid (keys %{$href->{'curr_sig'}}) {
4332		my $msg = $sigs{$sid}{'msg'};
4333
4334		for my $chain (keys %{$href->{'curr_sig'}->{$sid}}) {
4335		if ($proto eq 'tcp' or $proto eq 'udp') {
4336		for my $dp (keys %{$href->{'curr_sig'}
4337		{$sid}->{$chain}->{'dp'}}) {
4338		my $flags = '';
4339		my $pkts = $href->{'curr_sig'}
4340		{$sid}->{$chain}->{'dp'}->{$dp};
4341		if (defined $href->{'curr_sig'}->{$sid}->{$chain}->{'flags'}
4342		and defined $href->{'curr_sig'}->
4343		{$sid}->{$chain}->{'flags'}->{$dp}) {
4344		$flags = $href->{'curr_sig'}->
4345		{$sid}->{$chain}->{'flags'}->{$dp};
4346		}
4347
4348		if ($dst_ip_is_local) {
4349		### check local ports here since we know the
4350		### destination is a local ip address
4351		if (defined $local_ports{$proto}{$dp}) {
4352		if ($flags) {
4353		print $fh " \"$msg\"\n",
4354		" sid=$sid chain=$chain packets=$pkts dp=$dp flags=[$flags] ",
4355		"[*] Your machine is listening on $proto port: $dp!\n";
4356		} else {
4357		print $fh " \"$msg\"\n",
4358		" sid=$sid chain=$chain packets=$pkts dp=$dp ",
4359		"[*] Your machine is listening on $proto port: $dp!\n";
4360		}
4361		} else {
4362		if ($flags) {
4363		print $fh " \"$msg\"\n",
4364		" sid=$sid chain=$chain packets=$pkts dp=$dp flags=[$flags] ",
4365		"No local server on $proto/$dp\n";
4366		} else {
4367		print $fh " \"$msg\"\n",
4368		" sid=$sid chain=$chain packets=$pkts dp=$dp No local ",
4369		"server on $proto/$dp\n";
4370		}
4371		}
4372		} else {
4373		if ($flags) {
4374		print $fh " \"$msg\"\n",
4375		" sid=$sid chain=$chain packets=$pkts dp=$dp flags=[$flags]\n";
4376		} else {
4377		print $fh " \"$msg\"\n",
4378		" sid=$sid chain=$chain packets=$pkts dp=$dp\n";
4379		}
4380		}
4381		}
4382		} else {
4383		my $pkts = $scan{$src}{$dst}{$proto}
4384		{'curr_sig'}{$sid}{$chain}{'pkts'};
4385		print $fh qq( "$msg" sid=$sid chain=$chain packets=$pkts\n);
4386		}
4387		### signature logging with syslog is not yet supported
4388		### (requires a message for each matched signature).
4389		# if ($sigmatch =~ /^(\".*\")/) {
4390		# $syslog_sig_title = "signature=$1";
4391		# }
4392		}
4393		}
	4363
4394	4364	### need to delete the current signature so it
4395	4365	### won't show up in the next alert
4396	4366	unless ($config{'SHOW_ALL_SIGNATURES'} eq 'Y') {
4397		~~delete $href->{'curr_sig'}~~
4398		~~if defined $href->{'curr_sig'};~~
4399	4367	delete $href->{'sid'}
4400	4368	if defined $href->{'sid'};

Navigation

Changeset 1662

Legend:

psad/branches/sigdevel/psad

Download in other formats: