On Mar 04, 2010, Dan A. Dickey wrote: > Mike & all,
Hi Dan, > I had a slight problem with using psad on my system and decided to fix it. > For some while now, I've always preferred using iproute2 commands to > configure the network. > The output of 'ip addr' and 'ifconfig -a' are different, so I decided to > allow psad to > work using the iproute2 format. > > Another main reason for doing this is in the case of multi-homed hosts. > ifconfig sets these up on an interface using aliases, iproute2 does not. > So, for a multi-homed interface (eth0 with multiple addresses), ifconfig -a > only shows > the first one configured and not the rest. ip addr shows all of the > configured addresses. > > So, anyway - the patch. It involves three files: psad.conf, psad, and > fwcheck_psad.pl. > psad.conf was modified to: > - include a config option for what mode to run in - ifconfig or > iproute2. > It defaults to ifconfig if it is not explicitly set to iproute2. > - include a location for the ip command (/sbin/ip) > psad and fwcheck_psad.pl were modified to: > - parse the output of 'ip addr' when the config option (IFCFGTYPE) > is set to 'iproute2'. It is not a required option and is > commented out > in psad.conf. > > The patch is attached. Let me know if it doesn't come through the list ok, > I can send it to whomever would like it, and I hope that this works it's way > into > the next release of psad. Thanks for the patch - I plan on putting this in the next release. --Mike > Enjoy! And thank you for psad in the first place. > -Dan Dickey
> diff -ur psad-2.1.5/fwcheck_psad.pl psad-2.1.5.new/fwcheck_psad.pl
> --- psad-2.1.5/fwcheck_psad.pl 2008-08-31 08:46:47.000000000 -0500
> +++ psad-2.1.5.new/fwcheck_psad.pl 2010-03-04 13:20:53.000000000 -0600
> @@ -188,7 +188,7 @@
>
> sub check_forwarding() {
> ### check to see if there are multiple interfaces on the
> - ### machine and return false if no since the machine will
> + ### machine and return false if not since the machine will
> ### not be able to forward packets anyway (e.g. desktop
> ### machines). Also return false if forwarding is turned
> ### off (we have to trust the machine config is as the
> @@ -206,18 +206,49 @@
> " The PROC_FORWARD_FILE in $config_file points to\n",
> " $config{'PROC_FORWARD_FILE'}";
> }
> - open IFC, "$cmds{'ifconfig'} -a |" or die "[*] Could not ",
> - "execute: $cmds{'ifconfig'} -a: $!";
> - my @if_out = <IFC>;
> - close IFC;
> - my $num_intf = 0;
> - for my $line (@if_out) {
> - if ($line =~ /inet\s+/i && $line !~ /127\.0\.0\.1/) {
> + if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ > /iproute2/i) {
> + open IFC, "$cmds{'ip'} addr |" or die "[*] Could not ",
> + "execute: $cmds{'ip'} addr: $!";
> + my @if_out = <IFC>;
> + close IFC;
> + my $intf_name = '';
> + my $intf_inet_count = 0;
> + my $num_intf = 0;
> + for my $line (@if_out) {
> + if ($line =~ /^\d+:\s+(\S+): </) {
> + $intf_name = $1;
> + if ($intf_inet_count > 0) {
> + $num_intf++;
> + }
> + $intf_inet_count = 0;
> + next;
> + }
> + next if $intf_name eq 'lo';
> + next if $intf_name =~ /dummy/i;
> + if ($line =~ /inet\s+/i) {
> + $intf_inet_count++;
> + }
> + }
> + if ($intf_inet_count > 0) {
> $num_intf++;
> }
> - }
> - if ($num_intf < 2) {
> - return 0;
> + if ($num_intf < 2) {
> + return 0;
> + }
> + } else {
> + open IFC, "$cmds{'ifconfig'} -a |" or die "[*] Could not ",
> + "execute: $cmds{'ifconfig'} -a: $!";
> + my @if_out = <IFC>;
> + close IFC;
> + my $num_intf = 0;
> + for my $line (@if_out) {
> + if ($line =~ /inet\s+/i && $line !~ /127\.0\.0\.1/) {
> + $num_intf++;
> + }
> + }
> + if ($num_intf < 2) {
> + return 0;
> + }
> }
> return 1;
> }
> diff -ur psad-2.1.5/psad psad-2.1.5.new/psad
> --- psad-2.1.5/psad 2009-02-20 22:29:50.000000000 -0600
> +++ psad-2.1.5.new/psad 2010-03-04 13:09:14.000000000 -0600
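Review bot: The new iproute2 branch of check_forwarding opens the `ip` pipe with a two-argument `open` and an interpolated command string, so `$cmds{'ip'}` is handed to `/bin/sh`; if an older psad.conf has no `ipCmd` entry the string presumably collapses to ` addr |` and the shell is asked to run a command named `addr`, which fails silently into `$num_intf == 0`. The list form avoids the shell and makes a missing or wrong path fail in `open` itself: `open IFC, '-|', $cmds{'ip'}, 'addr' or die "[*] Could not execute: $cmds{'ip'} addr: $!";` (the copied ifconfig branch below it deserves the same treatment). The two branches also count different things: the ifconfig branch counts `inet` lines, so two aliases on one NIC satisfy `$num_intf >= 2`, while the iproute2 branch counts interfaces that have at least one `inet` line and therefore returns 0 on the single-NIC multi-homed host the cover letter describes unless a second interface exists. As quoted in this mail the long `if (defined $config{'IFCFGTYPE'} ...` line has been wrapped by the mailer, so the attachment rather than this copy should be applied.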
> @@ -2652,7 +2652,7 @@
> require Unix::Syslog;
> require Storable if $store_file;
>
> - Net::IPv4Addr->import(qw(ipv4_network ipv4_in_network ipv4_broadcast));
> + Net::IPv4Addr->import(qw(ipv4_network ipv4_in_network ipv4_broadcast > ipv4_cidr2msk));
> Date::Calc->import(qw(Timezone This_Year Decode_Month
> Today Date_to_Time Mktime Localtime));
> Unix::Syslog->import(qw(:subs :macros));
> @@ -2987,24 +2987,45 @@
> }
>
> sub get_connected_subnets() {
> - my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
> my @connected_subnets = ();
> my @connected_subnets_cidr = ();
> - my $intf_name = '';
> - my $home_net_str = '';
> - for my $line (@ifconfig_out) {
> - if ($line =~ /^(\S+)\s+Link/) {
> - $intf_name = $1;
> - next;
> + if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ > /iproute2/i) {
> + my @ifconfig_out = @{&run_command($cmds{'ip'}, 'addr')};
> + my $intf_name = '';
> + my $home_net_str = '';
> + for my $line (@ifconfig_out) {
> + if ($line =~ /^\d+:\s+(\S+): </) {
> + $intf_name = $1;
> + next;
> + }
> + next if $intf_name eq 'lo';
> + next if $intf_name =~ /dummy/i;
> + if ($line =~ /^\s+inet.*?($ip_re)\/(\d+)/i) {
> + my $ip = $1;
> + my $msk = ipv4_cidr2msk($2);
> + my ($net_addr, $cidr_msk) = ipv4_network($ip, $msk);
> + push @connected_subnets, "$net_addr/$msk";
> + push @connected_subnets_cidr, "$net_addr/$cidr_msk";
> + }
> }
> - next if $intf_name eq 'lo';
> - next if $intf_name =~ /dummy/i;
> - if ($line =~ /^\s+inet.*?:($ip_re).*:($ip_re)/i) {
> - my $ip = $1;
> - my $msk = $2;
> - my ($net_addr, $cidr_msk) = ipv4_network($ip, $msk);
> - push @connected_subnets, "$net_addr/$msk";
> - push @connected_subnets_cidr, "$net_addr/$cidr_msk";
> + } else {
> + my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
> + my $intf_name = '';
> + my $home_net_str = '';
> + for my $line (@ifconfig_out) {
> + if ($line =~ /^(\S+)\s+Link/) {
> + $intf_name = $1;
> + next;
> + }
> + next if $intf_name eq 'lo';
> + next if $intf_name =~ /dummy/i;
> + if ($line =~ /^\s+inet.*?:($ip_re).*:($ip_re)/i) {
> + my $ip = $1;
> + my $msk = $2;
> + my ($net_addr, $cidr_msk) = ipv4_network($ip, $msk);
> + push @connected_subnets, "$net_addr/$msk";
> + push @connected_subnets_cidr, "$net_addr/$cidr_msk";
> + }
> }
> }
> return \...@connected_subnets, \...@connected_subnets_cidr;
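Review bot: The iproute2 pattern `/^\s+inet.*?($ip_re)\/(\d+)/i` captures the first dotted quad that is directly followed by `/`, so on a point-to-point interface whose line reads `inet A peer B/32 ...` it records the peer's address B, not the local address A, and the far end of the link ends up in the connected-subnet list that HOME_NET handling appears to be built from. Anchoring the local address to `inet` and making the peer clause optional fixes both that and the lazy `.*?` letting an `inet6 ::ffff:a.b.c.d/96` line through to `ipv4_cidr2msk(96)`: `if ($line =~ /^\s+inet\s+($ip_re)(?:\s+peer\s+$ip_re)?\/(\d+)/i) {`. `$home_net_str` is declared in both branches but never read. The sub's closing brace lies outside the hunk.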
> @@ -6431,11 +6452,25 @@
>
> sub get_local_ips() {
> print STDERR "[+] get_local_ips()\n" if $debug;
> - my @ips = @{&run_command($cmds{'ifconfig'}, '-a')};
> - return unless @ips;
> - for my $line (@ips) {
> - if ($line =~ /inet\s+.*?:($ip_re)\s/) {
> - $local_ips{$1} = '';
> + if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ > /iproute2/i) {
> + print STDERR "[+] : Using IFCFGTYPE iproute2\n" if $debug;
> + my @ips = @{&run_command($cmds{'ip'}, 'addr')};
> + return unless @ips;
> + for my $line (@ips) {
> + if ($line =~ /inet\s+($ip_re)\/\d+\s/) {
> + print STDERR "[+] : Adding $1 to local_ips\n" if $debug;
> + $local_ips{$1} = '';
> + }
> + }
> + } else {
> + print STDERR "[+] : Using IFCFGTYPE ifconfig\n" if $debug;
> + my @ips = @{&run_command($cmds{'ifconfig'}, '-a')};
> + return unless @ips;
> + for my $line (@ips) {
> + if ($line =~ /inet\s+.*?:($ip_re)\s/) {
> + print STDERR "[+] : Adding $1 to local_ips\n" if $debug;
> + $local_ips{$1} = '';
> + }
> }
> }
> return;
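Review bot: In the iproute2 branch of get_local_ips, `/inet\s+($ip_re)\/\d+\s/` requires the prefix length to follow the address immediately, so a point-to-point line of the form `inet A peer B/32 ...` never matches and the local address A is missing from %local_ips — the opposite failure of get_connected_subnets, which is too permissive on the same line. Accepting the optional peer clause keeps the two parsers in agreement: `if ($line =~ /^\s+inet\s+($ip_re)(?:\s+peer\s+$ip_re)?\/\d+\s/) {`. Note that, unlike the subnet parser, this branch does not skip `lo` and so records 127.0.0.1; that matches the ifconfig branch beside it and is presumably intended, but a one-line comment saying so would stop the next reader from "fixing" it.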
> @@ -9250,13 +9285,25 @@
> }
> print $fh "\n";
>
> - print $fh "[+] ifconfig output:\n";
> - my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
> - if (@ifconfig_out) {
> - for (@ifconfig_out) {
> - s/$ip_re/x.x.x.x/g;
> - s/inet6\s+addr:\s+\S+/inet6 addr: (removed)/;
> - print $fh $_;
> + if (defined $config{'IFCFGTYPE'} and $config{'IFCFGTYPE'} =~ > /iproute2/i) {
> + print $fh "[+] ip addr output:\n";
> + my @ifconfig_out = @{&run_command($cmds{'ip'}, 'addr')};
> + if (@ifconfig_out) {
> + for (@ifconfig_out) {
> + s/$ip_re/x.x.x.x/g;
> + s/inet6\s+\S+/inet6 (removed)/;
> + print $fh $_;
> + }
> + }
> + } else {
> + print $fh "[+] ifconfig output:\n";
> + my @ifconfig_out = @{&run_command($cmds{'ifconfig'}, '-a')};
> + if (@ifconfig_out) {
> + for (@ifconfig_out) {
> + s/$ip_re/x.x.x.x/g;
> + s/inet6\s+addr:\s+\S+/inet6 addr: (removed)/;
> + print $fh $_;
> + }
> }
> }
> print $fh "\n";
> diff -ur psad-2.1.5/psad.conf psad-2.1.5.new/psad.conf
> --- psad-2.1.5/psad.conf 2008-10-26 17:58:35.000000000 -0500
> +++ psad-2.1.5.new/psad.conf 2010-03-04 13:08:07.000000000 -0600
> @@ -30,6 +30,12 @@
> HOME_NET any;
> EXTERNAL_NET any;
>
> +### What type of interface configuration do you use?
> +### Uncomment this to use the iproute2 type configuration.
> +### iproute2 does not use aliases for multi-homed interfaces and
> +### ifconfig does not show secondary addresses for multi-homed interfaces.
> +#IFCFGTYPE iproute2;
> +
> ### The FW_SEARCH_ALL variable controls has psad will parse iptables
> ### messages. If it is set to "Y" then psad will parse all iptables
> ### messages for evidence of scan activity. If it is set to "N" then
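Review bot: The sanitisation added for the `ip addr` dump masks IPv4 addresses and `inet6` lines but leaves the `link/ether ...` lines untouched, so the diagnostics file still carries every NIC's hardware address; the ifconfig branch has the same gap wherever ifconfig prints `HWaddr`, which this patch does not change. One extra substitution inside the iproute2 `for` closes it for the new format: `s{^(\s+link/\S+)\s+.*}{$1 (removed)\n};`. The `s/inet6\s+\S+/inet6 (removed)/` form without `/g` is adequate here because `ip addr` prints one inet6 address per line.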
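Review bot: The new psad.conf comment for IFCFGTYPE says how to turn the iproute2 mode on but not which values are recognised, nor that the mode depends on the `ipCmd` path further down; since the code accepts anything matching `/iproute2/i` and treats every other value (or none) as ifconfig, that is worth stating in the file users actually read. A two-line replacement for the "Uncomment this ..." sentence would do: `### Set to "iproute2" to have psad parse 'ip addr' output (see ipCmd below); any other value, or leaving this commented out, parses 'ifconfig -a'.`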
> @@ -516,6 +522,7 @@
> mailCmd /bin/mail;
> sendmailCmd /usr/sbin/sendmail;
> ifconfigCmd /sbin/ifconfig;
> +ipCmd /sbin/ip;
> killallCmd /usr/bin/killall;
> netstatCmd /bin/netstat;
> unameCmd /bin/uname;
> ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > psad-discuss mailing list > psad-discuss@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/psad-discuss ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ psad-discuss mailing list psad-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/psad-discuss
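Review bot: `/sbin/ip` is where some distributions install iproute2, but Debian-family systems have historically shipped it as `/bin/ip`, and in check_forwarding this path is interpolated straight into a shell pipe, so a wrong value only surfaces as a runtime die once IFCFGTYPE is set. If psad's startup validation of the `*Cmd` entries (not visible in this patch) does not already cover the new key, `ipCmd` should be added to it; failing that, a hint next to the entry saves a support round-trip: `ipCmd /sbin/ip;   ### /bin/ip on Debian/Ubuntu`.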