Changeset 1664
- Timestamp:
- 11/16/06 20:59:00 (2 years ago)
- Files:
-
- psad/branches/sigdevel/psad (modified) (22 diffs)
psad/branches/sigdevel/psad
r1662 r1664 229 229 ### (http://www.cipherdyne.org/fwsnort/) will automatically 230 230 ### build such a ruleset from snort signatures. 231 my % snort_msgs = ();231 my %fwsnort_sigs = (); 232 232 233 233 ### Cache snort classification.config file for class priorities … … 1245 1245 unless ($no_snort_sids) { 1246 1246 if ($pkt{'fwsnort_sid'}) { 1247 1247 1248 ### found a snort sid in the packet log message 1248 1249 my $dl = &add_snort_sid(\%pkt); 1250 1249 1251 $curr_sids_dl{$pkt{'src'}} = $dl if $dl; 1252 1250 1253 } else { 1251 1254 ### attempt to match any tcp/udp/icmp signatures in the … … 1410 1413 ($pkt_hr->{'flags'} =~ /ACK/ || $pkt_hr->{'flags'} =~ /RST/)) { 1411 1414 1412 ### $dp > 1024 && ($pkt_hr->{'flags'} =~ /ACK/ ||1415 ### $dp > 1024 && ($pkt_hr->{'flags'} =~ /ACK/ || 1413 1416 1414 1417 ### FIXME: ignore TCP packets that have the ACK or RST … … 1422 1425 return $PKT_IGNORE; 1423 1426 } 1427 1424 1428 ### per page 595 of the Camel book, "if /blah1|blah2/" 1425 1429 ### can be slower than "if /blah1/ || /blah2/ … … 1704 1708 {'sid'}{$sid}{$pkt_hr->{'chain'}}{'pkts'}++; 1705 1709 1710 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'tcp'} 1711 {'sid'}{$sid}{$pkt_hr->{'chain'}}{'is_fwsnort'} = 0; 1712 1706 1713 } 1707 1714 } elsif ($sig_hr->{'proto'} eq 'udp') { … … 1714 1721 {'sid'}{$sid}{$pkt_hr->{'chain'}}{'dp'} 1715 1722 = $pkt_hr->{'dp'}; 1723 1716 1724 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'udp'} 1717 1725 {'sid'}{$sid}{$pkt_hr->{'chain'}}{'pkts'}++; 1726 1727 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'udp'} 1728 {'sid'}{$sid}{$pkt_hr->{'chain'}}{'is_fwsnort'} = 0; 1718 1729 } 1719 1730 } elsif ($sig_hr->{'proto'} eq 'icmp') { … … 1748 1759 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'icmp'}{'sid'} 1749 1760 {$sid}{$pkt_hr->{'chain'}}{'pkts'}++; 1761 1762 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'icmp'}{'sid'} 1763 {$sid}{$pkt_hr->{'chain'}}{'is_fwsnort'} = 0; 1750 1764 } 1751 1765 } … … 1781 1795 "$sig_hr->{'sid'} (psad_id: $sig_hr->{'psad_id'})\n"; 
1782 1796 } 1783 return $sig_hr->{'dl'}; 1797 1798 return &get_largest_sid_dl($sig_hr->{'sid'}, 1799 $sig_hr->{'dl'}, $sig_hr->{'classtype'}); 1784 1800 } 1785 1801 … … 1802 1818 "$sig_hr->{'sid'} (psad_id: $sig_hr->{'psad_id'})\n"; 1803 1819 } 1804 return $sig_hr->{'dl'}; 1820 1821 return &get_largest_sid_dl($sig_hr->{'sid'}, 1822 $sig_hr->{'dl'}, $sig_hr->{'classtype'}); 1805 1823 } 1806 1824 … … 1828 1846 "$sig_hr->{'sid'} (psad_id: $sig_hr->{'psad_id'})\n"; 1829 1847 } 1830 return $sig_hr->{'dl'}; 1848 1849 return &get_largest_sid_dl($sig_hr->{'sid'}, 1850 $sig_hr->{'dl'}, $sig_hr->{'classtype'}); 1831 1851 } 1832 1852 … … 1855 1875 {$sig_hr->{'sid'}}{$pkt_hr->{'chain'}}{'pkts'}++; 1856 1876 1857 return $sig_hr->{'dl'} 1877 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{'ip'}{'sid'} 1878 {$sig_hr->{'sid'}}{$pkt_hr->{'chain'}}{'is_fwsnort'} = 0; 1879 1880 return &get_largest_sid_dl($sig_hr->{'sid'}, 1881 $sig_hr->{'dl'}, $sig_hr->{'classtype'}); 1858 1882 } 1859 1883 return 1; … … 2171 2195 } 2172 2196 2197 sub get_largest_sid_dl() { 2198 my ($sid, $sig_dl, $classtype) = @_; 2199 2200 my $dl = $sig_dl; 2201 2202 ### see if /etc/psad/snort_rule_dl gives a higher DL 2203 if (defined $snort_rule_dl{$sid}) { 2204 if ($snort_rule_dl{$sid} > $dl) { 2205 print STDERR "[+] get_largest_sid_dl() snort_rule_dl ", 2206 "assigning SID $sid a danger level of ", 2207 "$snort_rule_dl{$sid}\n" if $debug; 2208 $dl = $snort_rule_dl{$sid}; 2209 } 2210 } 2211 2212 ### see if /etc/psad/snort_rules/classification.config gives 2213 ### a higher DL 2214 if (defined $snort_class_dl{$classtype}) { 2215 if ($snort_class_dl{$classtype} > $dl) { 2216 print STDERR "[+] get_largest_sid_dl() classification.config ", 2217 "assigning SID $sid a danger level of ", 2218 "$snort_class_dl{$classtype}\n" if $debug; 2219 $dl = $snort_class_dl{$classtype}; 2220 } 2221 } 2222 2223 return $dl; 2224 } 2225 2173 2226 sub add_snort_sid() { 2174 2227 my $pkt_hr = shift; … … 2176 2229 my $sid = 
$pkt_hr->{'fwsnort_sid'}; 2177 2230 2178 if (defined $ snort_msgs{$sid}) {2231 if (defined $fwsnort_sigs{$sid}) { 2179 2232 2180 2233 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{$pkt_hr->{'proto'}} 2181 2234 {'sid'}{$sid}{$pkt_hr->{'chain'}}{'pkts'}++; 2182 2235 2183 my $classtype = $snort_msgs{$sid}{'classtype'}; 2184 2185 ### first see if the /etc/psad/snort_rule_dl file has defined 2186 ### the danger level 2187 if (defined $snort_rule_dl{$sid}) { 2188 print STDERR "[+] snort_rule_dl assigning SID $sid a danger ", 2189 "level of $snort_rule_dl{$sid}\n" if $debug; 2190 return $snort_rule_dl{$sid}; 2191 ### now see if the rule itself has a priority defined (note that 2192 ### this value has already been converted into a valid psad 2193 ### danger level. 2194 } elsif (defined $snort_msgs{$sid}{'priority'}) { 2195 print STDERR "[+] Snort rule contains priority field, ", 2196 "assigning SID $sid a danger level of ", 2197 "$snort_msgs{$sid}{'priority'}\n" if $debug; 2198 return $snort_msgs{$sid}{'priority'}; 2199 } elsif (defined $snort_class_dl{$classtype}) { 2200 print STDERR "[+] classification.config assigning SID $sid ", 2201 "a danger level of $snort_class_dl{$classtype}\n" if $debug; 2202 return $snort_class_dl{$classtype}; 2203 } else { 2204 print STDERR "[-] No classification or rule dl defined for ", 2205 "SID $sid\n" if $debug; 2206 return 2; 2207 } 2236 $scan{$pkt_hr->{'src'}}{$pkt_hr->{'dst'}}{$pkt_hr->{'proto'}} 2237 {'sid'}{$sid}{$pkt_hr->{'chain'}}{'is_fwsnort'} = 1; 2238 2239 2240 return &get_largest_sid_dl($sid, 2, $fwsnort_sigs{$sid}{'classtype'}); 2241 2208 2242 } 2209 2243 return 0; … … 2777 2811 } 2778 2812 2779 $ snort_msgs{$sid}{'msg'} = $12813 $fwsnort_sigs{$sid}{'msg'} = $1 2780 2814 if $line =~ /msg:\s*\"(.*?)\"\s*;/; 2781 2815 2782 $snort_msgs{$sid}{'classtype'} = $1 2783 if $line =~ /[\s;]classtype:\s*(.*?)\s*;/; 2784 2785 $snort_msgs{$sid}{'priority'} = &convert_snort_priority($1) 2816 if ($line =~ /[\s;]classtype:\s*(.*?)\s*;/) { 2817 
$fwsnort_sigs{$sid}{'classtype'} = $1; 2818 } else { 2819 $fwsnort_sigs{$sid}{'classtype'} = ''; 2820 } 2821 2822 $fwsnort_sigs{$sid}{'priority'} = &convert_snort_priority($1) 2786 2823 if $line =~ /[\s;]priority:\s*(\d+)\s*;/; 2787 2824 … … 2790 2827 ### multiple content strings. 2791 2828 while ($line =~ /[\s;](?:uri)?content:\s*\"(.*?)\"\s*;/g) { 2792 push @{$ snort_msgs{$sid}{'content'}}, $1;2829 push @{$fwsnort_sigs{$sid}{'content'}}, $1; 2793 2830 } 2794 2831 … … 2797 2834 if ($ref =~ /^(\w+),(\S+)/) { 2798 2835 ### reference:bugtraq,9732; 2799 push @{$ snort_msgs{$sid}{'reference'}{lc($1)}}, $2;2800 } 2801 } 2802 2803 next RULE unless defined $ snort_msgs{$sid}{'msg'}2804 and defined $ snort_msgs{$sid}{'classtype'}2805 and defined $ snort_msgs{$sid}{'content'};2836 push @{$fwsnort_sigs{$sid}{'reference'}{lc($1)}}, $2; 2837 } 2838 } 2839 2840 next RULE unless defined $fwsnort_sigs{$sid}{'msg'} 2841 and defined $fwsnort_sigs{$sid}{'classtype'} 2842 and defined $fwsnort_sigs{$sid}{'content'}; 2806 2843 } 2807 2844 } … … 2817 2854 &import_snort_rule_dl(); 2818 2855 2819 print STDERR Dumper % snort_msgs if $debug and $verbose;2856 print STDERR Dumper %fwsnort_sigs if $debug and $verbose; 2820 2857 &Psad::psyslog('psad', 'imported Snort rules') 2821 2858 unless $no_syslog_alerts; … … 3023 3060 } 3024 3061 3062 ### classtype field 3063 if ($rule_options =~ /[\s;]classtype:\s*(.+?)\s*;/) { 3064 $sig{'classtype'} = $1; 3065 } else { 3066 $sig{'classtype'} = ''; 3067 } 3068 3069 ### reference field 3070 3071 while ($rule_options =~ /[\s;]reference:\s*(.*?)\s*;/g) { 3072 my $ref = $1; 3073 if ($ref =~ /^(\w+),(\S+)/) { 3074 ### reference:bugtraq,9732; 3075 push @{$sig{'reference'}{lc($1)}}, $2; 3076 } 3077 } 3078 3025 3079 ### psad danger level 3026 3080 $sig{'dl'} = 2; ### default danger level 3027 if ($rule_options =~ / psad_dl:\s*(\d+)/) {3081 if ($rule_options =~ /[\s;]psad_dl:\s*(\d+)/) { 3028 3082 $sig{'dl'} = $1; 3029 3083 } … … 4287 4341 for my $sid (keys 
%{$href->{'sid'}}) { 4288 4342 for my $chain (keys %{$href->{'sid'}->{$sid}}) { 4289 next unless defined $snort_msgs{$sid}; 4290 my $sm_hr = $snort_msgs{$sid}; 4343 4344 my $sig_hr = ''; 4345 my $is_fwsnort = $href->{'sid'}->{$sid} 4346 ->{$chain}->{'is_fwsnort'}; 4347 4348 if ($is_fwsnort) { 4349 next unless defined $fwsnort_sigs{$sid}; 4350 $sig_hr = $fwsnort_sigs{$sid}; 4351 } else { 4352 next unless defined $sigs{$sid}; 4353 $sig_hr = $sigs{$sid}; 4354 } 4291 4355 4292 4356 my $dp = -1; … … 4298 4362 my $pkts = $href->{'sid'}->{$sid}->{$chain}->{'pkts'}; 4299 4363 4300 print $fh qq| "$s m_hr->{'msg'}"\n|;4364 print $fh qq| "$sig_hr->{'msg'}"\n|; 4301 4365 if ($proto eq 'tcp' or $proto eq 'udp') { 4302 4366 if ($chain eq 'INPUT') { … … 4314 4378 } 4315 4379 } 4316 for my $content (@{$sm_hr->{'content'}}) { 4317 print $fh qq( content: "$content"\n); 4380 4381 if ($is_fwsnort) { 4382 for my $content (@{$sig_hr->{'content'}}) { 4383 print $fh qq( content: "$content"\n); 4384 } 4318 4385 } 4319 print $fh " sid: $sid\n", 4320 " chain: $chain\n", 4321 " packets: $pkts\n", 4322 " classtype: $sm_hr->{'classtype'}\n"; 4323 if (defined $sm_hr->{'reference'}) { 4324 for my $reftype (keys %{$sm_hr->{'reference'}}) { 4386 print $fh " sid: $sid\n"; 4387 if (defined $sig_hr->{'psad_derived_sids'}) { 4388 my $sid_str = ''; 4389 $sid_str .= "$_ " 4390 for @{$sig_hr->{'psad_derived_sids'}}; 4391 $sid_str =~ s|\s*$||; 4392 print $fh "derived sids: $sid_str\n"; 4393 } 4394 print $fh " chain: $chain\n", 4395 " packets: $pkts\n"; 4396 4397 if ($sig_hr->{'classtype'}) { 4398 print $fh " classtype: $sig_hr->{'classtype'}\n"; 4399 } 4400 if (defined $sig_hr->{'reference'} 4401 and $sig_hr->{'reference'}) { 4402 for my $reftype (keys %{$sig_hr->{'reference'}}) { 4325 4403 my $baseurl = ''; 4326 4404 if (defined $snort_ref_baseurl{$reftype}) { … … 4329 4407 next; 4330 4408 } 4331 for my $ref (@{$s m_hr->{'reference'}->{$reftype}}) {4409 for my $ref (@{$sig_hr->{'reference'}->{$reftype}}) 
{ 4332 4410 print $fh " reference: ($reftype) ", 4333 4411 "${baseurl}$ref\n";
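Review bot: In the add_snort_sid() hunk (new line 2240) the fwsnort path now calls `&get_largest_sid_dl($sid, 2, $fwsnort_sigs{$sid}{'classtype'})` with a hard-coded base danger level of 2, so the rule's own priority, which the removed lines 2194-2198 used to return and which import code at new line 2822 still parses into `$fwsnort_sigs{$sid}{'priority'}`, no longer influences the result; a signature whose priority mapped to a higher DL will now be reported at DL 2 unless snort_rule_dl or classification.config overrides it. Passing the parsed value as the base keeps that behaviour: `my $base_dl = defined $fwsnort_sigs{$sid}{'priority'} ? $fwsnort_sigs{$sid}{'priority'} : 2;` followed by `return &get_largest_sid_dl($sid, $base_dl, $fwsnort_sigs{$sid}{'classtype'});`. The closing brace of add_snort_sid() lies outside the hunk. Separately, the new `sub get_largest_sid_dl() {` (new line 2197) declares an empty prototype while taking three arguments and only compiles because every call site uses the `&` form that bypasses prototype checking; declaring it as `sub get_largest_sid_dl {` avoids a "Too many arguments" compile error if a later caller omits the `&`.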
