diff -up psad-2.4.6/ChangeLog.i53 psad-2.4.6/ChangeLog
--- psad-2.4.6/ChangeLog.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/ChangeLog 2019-02-25 14:22:20.077778479 +0100
@@ -14,6 +14,7 @@
'metadata' Snort rule field in psad email alerts.
- Updated to bundle the latest Emerging Threats rule set in
deps/snort_rules.
+ - Switch to the 'ss' command instead of 'netstat' to detect local servers.
psad-2.4.5 (06/13/2017):
- Added proper port sweep detection based on a single port being probed
diff -up psad-2.4.6/psad.conf.i53 psad-2.4.6/psad.conf
--- psad-2.4.6/psad.conf.i53 2019-02-25 14:22:20.079778497 +0100
+++ psad-2.4.6/psad.conf 2019-02-25 14:22:35.483913888 +0100
@@ -683,6 +683,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd /usr/bin/whois;
diff -up psad-2.4.6/psad.i53 psad-2.4.6/psad
--- psad-2.4.6/psad.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/psad 2019-02-25 14:22:20.079778497 +0100
@@ -3380,8 +3380,9 @@ sub psad_init() {
### check to make sure the commands specified in the config section
### are in the right place, and attempt to correct automatically if not.
- ### (wget is only needed in --sig-update mode)
- my %cmd_exceptions = ('wget' => '');
+ ### (wget is only needed in --sig-update mode). Also, 'ss' is used by
+ ### default instead of netstat.
+ my %cmd_exceptions = ('wget'=>'', 'netstat'=>'');
$cmd_exceptions{'ifconfig'} = '' if $config{'IFCFGTYPE'} =~ /iproute2/i;
&check_commands(\%cmd_exceptions);
@@ -7506,14 +7507,48 @@ sub get_local_ips() {
sub get_listening_ports() {
%local_ports = ();
- my @lines = @{&run_command($cmds{'netstat'}, '-an 2> /dev/null')};
- return unless @lines;
- for my $line (@lines) {
- next unless $line;
- chomp $line;
- if ($line =~ m/^\s*(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s/) {
- ### $1 == protocol (tcp/udp), $2 == port number
- $local_ports{$1}{$2} = '';
+
+ if (defined $cmds{'ss'} and -x $cmds{'ss'}) {
+ ### UDP first
+ ### UNCONN 0 0 *:5353 *:*
+ my @lines = @{&run_command($cmds{'ss'}, '-l -u -n 2> /dev/null')};
+ return unless @lines;
+ for my $line (@lines) {
+ next unless $line;
+ chomp $line;
+ if ($line =~ m/UNCONN\s+\S+\s+\S+\s+\S+\:(\d+)/) {
+ $local_ports{'udp'}{$1} = '';
+ }
+ }
+
+ ### now TCP
+ ### LISTEN 0 128 *:22 *:*
+ @lines = @{&run_command($cmds{'ss'}, '-l -t -n 2> /dev/null')};
+ return unless @lines;
+ for my $line (@lines) {
+ next unless $line;
+ chomp $line;
+ if ($line =~ m/LISTEN\s+\S+\s+\S+\s+\S+\:(\d+)/) {
+ $local_ports{'tcp'}{$1} = '';
+ }
+ }
+
+ } else {
+ my @lines = @{&run_command($cmds{'netstat'}, '-an 2> /dev/null')};
+ return unless @lines;
+ for my $line (@lines) {
+ next unless $line;
+ chomp $line;
+ if ($line =~ m/^\s*(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)/) {
+ my $proto = $1;
+ my $port = $2;
+ if ($proto eq 'tcp') {
+ if ($line !~ /LISTEN/) {
+ next;
+ }
+ }
+ $local_ports{$1}{$2} = '';
+ }
}
}
return;
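Review bot: In the netstat fallback branch, `$local_ports{$1}{$2} = '';` runs after `$line !~ /LISTEN/` has been evaluated, and for the TCP lines that are kept (LISTEN present) that pattern matches successfully and resets `$1`/`$2` to undef, so every TCP listener is stored under empty keys with uninitialized-value warnings instead of its port number. The protocol and port were already copied two lines earlier; the assignment should read `$local_ports{$proto}{$port} = '';`. Separately, the `return unless @lines;` that follows the UDP `ss` invocation exits before the TCP `ss` invocation is ever run, so an empty UDP listing, or an `ss` call that fails at runtime (the `-x` test only proves the binary is executable), leaves `%local_ports` with no TCP entries and never reaches the netstat branch; dropping that early return, or falling through to netstat when `ss` produces no output, would keep the port list complete. The regexes also assume the `State Recv-Q Send-Q Local:Port` column layout of `ss`, which I cannot confirm from here for older iproute2 releases. The closing brace of get_listening_ports lies outside the hunk.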
@@ -10829,7 +10864,7 @@ sub download_signatures() {
&archive_conf($config{'SIGS_FILE'});
### for wget
- &check_commands({'sendmail'=>'', 'mail'=>''});
+ &check_commands({'sendmail'=>'', 'mail'=>'', 'netstat'=>''});
my $curr_pwd = getcwd();
chdir '/tmp' or die $!;
@@ -11096,6 +11131,16 @@ sub check_commands() {
}
}
+ ### if 'ss' is not available make sure netstat is there as a fall back
+ unless (defined $cmds{'ss'} and -x $cmds{'ss'}) {
+ if (defined $cmds{'netstat'}) {
+ unless (-x $cmds{'netstat'}) {
+ die "[*] Neither 'ss' nor 'netstat' commands are available.";
+ }
+ } else {
+ die "[*] Neither 'ss' nor 'netstat' commands are available.";
+ }
+ }
return;
}
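Review bot: The new ss/netstat fallback check is evaluated regardless of the exceptions hashref that callers pass to check_commands (the sub's signature and the loop that consumes that hashref are outside the hunk, so I am inferring this from the block alone), which means the `'netstat'=>''` exception added in download_signatures earlier in this patch does not exempt `--sig-update` from the requirement: on a host with neither `ss` nor `netstat` executable, a signature update now dies even though that mode only needs wget. If that is not intended, the block should be skipped when the caller lists `netstat` among the exceptions. The two nested branches also emit the identical message and collapse into one guard: `unless ((defined $cmds{'ss'} and -x $cmds{'ss'}) or (defined $cmds{'netstat'} and -x $cmds{'netstat'})) {` followed by the existing `die "[*] Neither 'ss' nor 'netstat' commands are available.";`.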
diff -up psad-2.4.6/test/conf/auto_blocking.conf.i53 psad-2.4.6/test/conf/auto_blocking.conf
--- psad-2.4.6/test/conf/auto_blocking.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/auto_blocking.conf 2019-02-25 14:22:20.079778497 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/auto_min_dl5_blocking.conf.i53 psad-2.4.6/test/conf/auto_min_dl5_blocking.conf
--- psad-2.4.6/test/conf/auto_min_dl5_blocking.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/auto_min_dl5_blocking.conf 2019-02-25 14:22:20.079778497 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/default_psad.conf.i53 psad-2.4.6/test/conf/default_psad.conf
--- psad-2.4.6/test/conf/default_psad.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/default_psad.conf 2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/disable_ipv6_detection.conf.i53 psad-2.4.6/test/conf/disable_ipv6_detection.conf
--- psad-2.4.6/test/conf/disable_ipv6_detection.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/disable_ipv6_detection.conf 2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/enable_ack_detection.conf.i53 psad-2.4.6/test/conf/enable_ack_detection.conf
--- psad-2.4.6/test/conf/enable_ack_detection.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/enable_ack_detection.conf 2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_igmp.conf.i53 psad-2.4.6/test/conf/ignore_igmp.conf
--- psad-2.4.6/test/conf/ignore_igmp.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_igmp.conf 2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_intf.conf.i53 psad-2.4.6/test/conf/ignore_intf.conf
--- psad-2.4.6/test/conf/ignore_intf.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_intf.conf 2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_tcp.conf.i53 psad-2.4.6/test/conf/ignore_tcp.conf
--- psad-2.4.6/test/conf/ignore_tcp.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_tcp.conf 2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_udp.conf.i53 psad-2.4.6/test/conf/ignore_udp.conf
--- psad-2.4.6/test/conf/ignore_udp.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_udp.conf 2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf.i53 psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf
--- psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf 2019-02-25 14:22:20.081778514 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf.i53 psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf
--- psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf.i53 2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf 2019-02-25 14:22:20.081778514 +0100
@@ -201,6 +201,7 @@ sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
+ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;