Mike & all,
I had a slight problem with using psad on my system and decided to fix it.
For some while now, I've always preferred using iproute2 commands to configure
the network. The output of 'ip addr' and 'ifconfig -a' is different, so I
decided to allow psad to work using the iproute2 format.

Another main reason for doing this is in the case of multi-homed hosts.
ifconfig sets these up on an interface using aliases; iproute2 does not.
So, for a multi-homed interface (eth0 with multiple addresses), ifconfig -a
only shows the first one configured and not the rest. ip addr shows all of
the configured addresses.

So, anyway - the patch. It involves three files: psad.conf, psad, and
fwcheck_psad.pl.
psad.conf was modified to:
        - include a config option for what mode to run in - ifconfig or
          iproute2. It defaults to ifconfig if it is not explicitly set to
          iproute2.
        - include a location for the ip command (/sbin/ip)
psad and fwcheck_psad.pl were modified to:
        - parse the output of 'ip addr' when the config option (IFCFGTYPE)
          is set to 'iproute2'. It is not a required option and is
          commented out in psad.conf.

The patch is attached. Let me know if it doesn't come through the list OK;
I can send it to whomever would like it, and I hope that this works its way
into the next release of psad.

Enjoy!   And thank you for psad in the first place.
        -Dan Dickey
diff -ur psad-2.1.5/fwcheck_psad.pl psad-2.1.5.new/fwcheck_psad.pl
--- psad-2.1.5/fwcheck_psad.pl	2008-08-31 08:46:47.000000000 -0500
+++ psad-2.1.5.new/fwcheck_psad.pl	2010-03-04 13:20:53.000000000 -0600
@@ -188,7 +188,7 @@
 
 sub check_forwarding() {
     ### check to see if there are multiple interfaces on the
-    ### machine and return false if no since the machine will
+    ### machine and return false if not since the machine will
     ### not be able to forward packets anyway (e.g. desktop
     ### machines).  Also return false if forwarding is turned
     ### off (we have to trust the machine config is as the
@@ -206,18 +206,49 @@
             "    The PROC_FORWARD_FILE in $config_file points to\n",
             "    $config{'PROC_FORWARD_FILE'}";
     }
-    open IFC, "$cmds{'ifconfig'} -a |" or die "[*] Could not ",
-        "execute: $cmds{'ifconfig'} -a: $!";
-    my @if_out = <IFC>;
-    close IFC;
-    my $num_intf = 0;
-    for my $line (@if_out) {
-        if ($line =~ /inet\s+/i && $line !~ /127\.0\.0\.1/) {
+    if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ /iproute2/i) {
+        open IFC, "$cmds{'ip'} addr |" or die "[*] Could not ",
+            "execute: $cmds{'ip'} addr: $!";
+        my @if_out = <IFC>;
+        close IFC;
+        my $intf_name = '';
+        my $intf_inet_count = 0;
+        my $num_intf = 0;
+        for my $line (@if_out) {
+            if ($line =~ /^\d+:\s+(\S+): </) {
+                $intf_name = $1;
+                if ($intf_inet_count > 0) {
+                    $num_intf++;
+                }
+                $intf_inet_count = 0;
+                next;
+            }
+            next if $intf_name eq 'lo';
+            next if $intf_name =~ /dummy/i;
+            if ($line =~ /inet\s+/i) {
+                $intf_inet_count++;
+            }
+        }
+        if ($intf_inet_count > 0) {
             $num_intf++;
         }
-    }
-    if ($num_intf < 2) {
-        return 0;
+        if ($num_intf < 2) {
+            return 0;
+        }
+    } else {
+        open IFC, "$cmds{'ifconfig'} -a |" or die "[*] Could not ",
+            "execute: $cmds{'ifconfig'} -a: $!";
+        my @if_out = <IFC>;
+        close IFC;
+        my $num_intf = 0;
+        for my $line (@if_out) {
+            if ($line =~ /inet\s+/i && $line !~ /127\.0\.0\.1/) {
+                $num_intf++;
+            }
+        }
+        if ($num_intf < 2) {
+            return 0;
+        }
     }
     return 1;
 }
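Review bot: The two branches exclude the loopback interface by different criteria: the iproute2 branch skips by name (`next if $intf_name eq 'lo';`) while the ifconfig branch skips any line containing `127.0.0.1`, so an interface that happens to carry a 127/8 address other than `lo` is counted in one mode and not the other. Since both branches end with the identical `if ($num_intf < 2) { return 0; }`, it would be cleaner to have each branch only compute `$num_intf` and do the comparison once after the `if/else`. Also worth a comment: `/inet\s+/i` deliberately does not match `inet6` lines, so an interface with only IPv6 addresses does not count toward forwarding in either mode.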
diff -ur psad-2.1.5/psad psad-2.1.5.new/psad
--- psad-2.1.5/psad	2009-02-20 22:29:50.000000000 -0600
+++ psad-2.1.5.new/psad	2010-03-04 13:09:14.000000000 -0600
@@ -2652,7 +2652,7 @@
     require Unix::Syslog;
     require Storable if $store_file;
 
-    Net::IPv4Addr->import(qw(ipv4_network ipv4_in_network ipv4_broadcast));
+    Net::IPv4Addr->import(qw(ipv4_network ipv4_in_network ipv4_broadcast ipv4_cidr2msk));
     Date::Calc->import(qw(Timezone This_Year Decode_Month
             Today Date_to_Time Mktime Localtime));
     Unix::Syslog->import(qw(:subs :macros));
@@ -2987,24 +2987,45 @@
 }
 
 sub get_connected_subnets() {
-    my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
     my @connected_subnets = ();
     my @connected_subnets_cidr = ();
-    my $intf_name    = '';
-    my $home_net_str = '';
-    for my $line (@ifconfig_out) {
-        if ($line =~ /^(\S+)\s+Link/) {
-            $intf_name = $1;
-            next;
+    if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ /iproute2/i) {
+        my @ifconfig_out = @{&run_command($cmds{'ip'}, 'addr')};
+        my $intf_name    = '';
+        my $home_net_str = '';
+        for my $line (@ifconfig_out) {
+            if ($line =~ /^\d+:\s+(\S+): </) {
+                $intf_name = $1;
+                next;
+            }
+            next if $intf_name eq 'lo';
+            next if $intf_name =~ /dummy/i;
+            if ($line =~ /^\s+inet.*?($ip_re)\/(\d+)/i) {
+                my $ip = $1;
+                my $msk = ipv4_cidr2msk($2);
+                my ($net_addr, $cidr_msk) = ipv4_network($ip, $msk);
+                push @connected_subnets, "$net_addr/$msk";
+                push @connected_subnets_cidr, "$net_addr/$cidr_msk";
+            }
         }
-        next if $intf_name eq 'lo';
-        next if $intf_name =~ /dummy/i;
-        if ($line =~ /^\s+inet.*?:($ip_re).*:($ip_re)/i) {
-            my $ip  = $1;
-            my $msk = $2;
-            my ($net_addr, $cidr_msk) = ipv4_network($ip, $msk);
-            push @connected_subnets, "$net_addr/$msk";
-            push @connected_subnets_cidr, "$net_addr/$cidr_msk";
+    } else {
+        my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
+        my $intf_name    = '';
+        my $home_net_str = '';
+        for my $line (@ifconfig_out) {
+            if ($line =~ /^(\S+)\s+Link/) {
+                $intf_name = $1;
+                next;
+            }
+            next if $intf_name eq 'lo';
+            next if $intf_name =~ /dummy/i;
+            if ($line =~ /^\s+inet.*?:($ip_re).*:($ip_re)/i) {
+                my $ip  = $1;
+                my $msk = $2;
+                my ($net_addr, $cidr_msk) = ipv4_network($ip, $msk);
+                push @connected_subnets, "$net_addr/$msk";
+                push @connected_subnets_cidr, "$net_addr/$cidr_msk";
+            }
         }
     }
     return \...@connected_subnets, \...@connected_subnets_cidr;
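Review bot: The iproute2 regex `/^\s+inet.*?($ip_re)\/(\d+)/i` takes the first dotted quad that is followed by a prefix length, which on point-to-point interfaces (`ip addr` prints `inet <local> peer <remote>/<prefix>`) is the peer address rather than the local one, so the wrong subnet would be recorded; anchoring on `inet\s+($ip_re)` and treating a missing `/prefix` as a host route would avoid that. An IPv4-mapped `inet6 ::ffff:a.b.c.d/96` line would also match this regex and yield a nonsensical mask, so consider requiring `inet\s` rather than `inet.*?`. Finally, `my $home_net_str = '';` is declared but never used in either branch and can be dropped, and since both branches push the same two strings, factoring the parsing into a helper that returns (ip, mask) pairs would remove the duplicated push logic.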
@@ -6431,11 +6452,25 @@
 
 sub get_local_ips() {
     print STDERR "[+] get_local_ips()\n" if $debug;
-    my @ips = @{&run_command($cmds{'ifconfig'}, '-a')};
-    return unless @ips;
-    for my $line (@ips) {
-        if ($line =~ /inet\s+.*?:($ip_re)\s/) {
-            $local_ips{$1} = '';
+    if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ /iproute2/i) {
+        print STDERR "[+] : Using IFCFGTYPE iproute2\n" if $debug;
+        my @ips = @{&run_command($cmds{'ip'}, 'addr')};
+        return unless @ips;
+        for my $line (@ips) {
+            if ($line =~ /inet\s+($ip_re)\/\d+\s/) {
+                print STDERR "[+] : Adding $1 to local_ips\n" if $debug;
+                $local_ips{$1} = '';
+            }
+        }
+    } else {
+        print STDERR "[+] : Using IFCFGTYPE ifconfig\n" if $debug;
+        my @ips = @{&run_command($cmds{'ifconfig'}, '-a')};
+        return unless @ips;
+        for my $line (@ips) {
+            if ($line =~ /inet\s+.*?:($ip_re)\s/) {
+                print STDERR "[+] : Adding $1 to local_ips\n" if $debug;
+                $local_ips{$1} = '';
+            }
         }
     }
     return;
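Review bot: `/inet\s+($ip_re)\/\d+\s/` requires the prefix length to follow the address directly, so the local address of a point-to-point interface (`inet <local> peer <remote>/<prefix>`) is never added to `%local_ips` in iproute2 mode, while the ifconfig branch would pick it up from `inet addr:`. Matching `inet\s+($ip_re)` and accepting either `/\d+` or a following space would cover both layouts. Note that neither branch excludes `lo`, so 127.0.0.1 lands in `%local_ips` in both modes; that is consistent with the existing behaviour, but a comment saying so would help the next reader.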
@@ -9250,13 +9285,25 @@
     }
     print $fh "\n";
 
-    print $fh "[+] ifconfig output:\n";
-    my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
-    if (@ifconfig_out) {
-        for (@ifconfig_out) {
-            s/$ip_re/x.x.x.x/g;
-            s/inet6\s+addr:\s+\S+/inet6 addr: (removed)/;
-            print $fh $_;
+    if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ /iproute2/i) {
+        print $fh "[+] ip addr output:\n";
+        my @ifconfig_out = @{&run_command($cmds{'ip'}, 'addr')};
+        if (@ifconfig_out) {
+            for (@ifconfig_out) {
+                s/$ip_re/x.x.x.x/g;
+                s/inet6\s+\S+/inet6 (removed)/;
+                print $fh $_;
+            }
+        }
+    } else {
+        print $fh "[+] ifconfig output:\n";
+        my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
+        if (@ifconfig_out) {
+            for (@ifconfig_out) {
+                s/$ip_re/x.x.x.x/g;
+                s/inet6\s+addr:\s+\S+/inet6 addr: (removed)/;
+                print $fh $_;
+            }
         }
     }
     print $fh "\n";
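Review bot: The scrubbing is adapted correctly for the `inet6 <addr>/<prefix>` layout, but `ip addr` also prints `link/ether <MAC>` lines, and the substitutions leave hardware addresses in the diagnostic output (the ifconfig branch has the same gap with `HWaddr`); adding `s/link\/ether\s+\S+/link\/ether (removed)/` here would keep the two modes equally anonymised. The string `"[+] ip addr output:\n"` is a good cue for whoever reads the debug file about which parser was in use.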
diff -ur psad-2.1.5/psad.conf psad-2.1.5.new/psad.conf
--- psad-2.1.5/psad.conf	2008-10-26 17:58:35.000000000 -0500
+++ psad-2.1.5.new/psad.conf	2010-03-04 13:08:07.000000000 -0600
@@ -30,6 +30,12 @@
 HOME_NET                    any;
 EXTERNAL_NET                any;
 
+### What type of interface configuration do you use?
+### Uncomment this to use the iproute2 type configuration.
+### iproute2 does not use aliases for multi-homed interfaces and
+### ifconfig does not show secondary addresses for multi-homed interfaces.
+#IFCFGTYPE  iproute2;
+
 ### The FW_SEARCH_ALL variable controls has psad will parse iptables
 ### messages.  If it is set to "Y" then psad will parse all iptables
 ### messages for evidence of scan activity.  If it is set to "N" then
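Review bot: The comment should state the accepted values and the default, since the code treats any value not matching `/iproute2/i` as ifconfig mode; something like `### Valid values: ifconfig (default) or iproute2.` above `#IFCFGTYPE  iproute2;` makes that explicit. It is also worth mentioning in the comment that `ipCmd` further down must point at a working `ip` binary when this is enabled.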
@@ -516,6 +522,7 @@
 mailCmd          /bin/mail;
 sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
+ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
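Review bot: `ipCmd /sbin/ip;` is added unconditionally even though it is only used when `IFCFGTYPE` is set to iproute2, and the path to `ip` varies across distributions (it is `/bin/ip` on some); a short comment noting that this path only matters in iproute2 mode and may need adjusting would save users a confusing failure.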
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss