diff -up psad-2.4.6/ChangeLog.i53 psad-2.4.6/ChangeLog
--- psad-2.4.6/ChangeLog.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/ChangeLog	2019-02-25 14:22:20.077778479 +0100
@@ -14,6 +14,7 @@
       'metadata' Snort rule field in psad email alerts.
     - Updated to bundle the latest Emerging Threats rule set in
       deps/snort_rules.
+    - Switch to the 'ss' command instead of 'netstat' to detect local servers.
 
 psad-2.4.5 (06/13/2017):
     - Added proper port sweep detection based on a single port being probed
diff -up psad-2.4.6/psad.conf.i53 psad-2.4.6/psad.conf
--- psad-2.4.6/psad.conf.i53	2019-02-25 14:22:20.079778497 +0100
+++ psad-2.4.6/psad.conf	2019-02-25 14:22:35.483913888 +0100
@@ -683,6 +683,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         /usr/bin/whois;
diff -up psad-2.4.6/psad.i53 psad-2.4.6/psad
--- psad-2.4.6/psad.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/psad	2019-02-25 14:22:20.079778497 +0100
@@ -3380,8 +3380,9 @@ sub psad_init() {
 
     ### check to make sure the commands specified in the config section
     ### are in the right place, and attempt to correct automatically if not.
-    ### (wget is only needed in --sig-update mode)
-    my %cmd_exceptions = ('wget' => '');
+    ### (wget is only needed in --sig-update mode). Also, 'ss' is used by
+    ### default instead of netstat.
+    my %cmd_exceptions = ('wget'=>'', 'netstat'=>'');
     $cmd_exceptions{'ifconfig'} = '' if $config{'IFCFGTYPE'} =~ /iproute2/i;
     &check_commands(\%cmd_exceptions);
 
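Review bot: The new exception list `my %cmd_exceptions = ('wget'=>'', 'netstat'=>'');` excuses netstat but not ss, even though the comment above it says ss is now the default and the ss/netstat fallback added to check_commands in this same patch accepts either one. If the part of check_commands that is outside this diff warns about or tries to "correct" any configured command that is missing and not listed in the exceptions hash, a host that only has netstat will still trip on the missing ss before the fallback is reached; `my %cmd_exceptions = ('wget' => '', 'ss' => '', 'netstat' => '');` would make the two consistent, with the fallback in check_commands then enforcing that at least one of them exists. This is inferred from the fallback logic rather than from the visible lines, so it should be confirmed against the body of check_commands. psad_init continues outside the hunk.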
@@ -7506,14 +7507,48 @@ sub get_local_ips() {
 
 sub get_listening_ports() {
     %local_ports = ();
-    my @lines = @{&run_command($cmds{'netstat'}, '-an 2> /dev/null')};
-    return unless @lines;
-    for my $line (@lines) {
-        next unless $line;
-        chomp $line;
-        if ($line =~ m/^\s*(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s/) {
-            ### $1 == protocol (tcp/udp), $2 == port number
-            $local_ports{$1}{$2} = '';
+
+    if (defined $cmds{'ss'} and -x $cmds{'ss'}) {
+        ### UDP first
+        ### UNCONN     0      0            *:5353            *:*
+        my @lines = @{&run_command($cmds{'ss'}, '-l -u -n 2> /dev/null')};
+        return unless @lines;
+        for my $line (@lines) {
+            next unless $line;
+            chomp $line;
+            if ($line =~ m/UNCONN\s+\S+\s+\S+\s+\S+\:(\d+)/) {
+                $local_ports{'udp'}{$1} = '';
+            }
+        }
+
+        ### now TCP
+        ### LISTEN     0      128          *:22              *:*
+        @lines = @{&run_command($cmds{'ss'}, '-l -t -n 2> /dev/null')};
+        return unless @lines;
+        for my $line (@lines) {
+            next unless $line;
+            chomp $line;
+            if ($line =~ m/LISTEN\s+\S+\s+\S+\s+\S+\:(\d+)/) {
+                $local_ports{'tcp'}{$1} = '';
+            }
+        }
+
+    } else {
+        my @lines = @{&run_command($cmds{'netstat'}, '-an 2> /dev/null')};
+        return unless @lines;
+        for my $line (@lines) {
+            next unless $line;
+            chomp $line;
+            if ($line =~ m/^\s*(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)/) {
+                my $proto = $1;
+                my $port  = $2;
+                if ($proto eq 'tcp') {
+                    if ($line !~ /LISTEN/) {
+                        next;
+                    }
+                }
+                $local_ports{$1}{$2} = '';
+            }
         }
     }
     return;
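Review bot: The netstat branch stores listening TCP ports under the wrong keys: `$local_ports{$1}{$2} = '';` reads the numbered captures after the `$line !~ /LISTEN/` test, and for exactly the tcp lines that pass that test the `/LISTEN/` match succeeds, which resets `$1` and `$2` (a pattern with no groups leaves them undef), so the entry lands in `$local_ports{''}{''}` with uninitialized-value warnings instead of under the protocol and port. The lexicals captured two lines earlier are the ones to use: `$local_ports{$proto}{$port} = '';`. In the ss branch, the `return unless @lines;` placed after the UDP query abandons the TCP scan whenever the UDP listing comes back empty (for example when run_command fails), so %local_ports ends up with no tcp entries at all; that early return should go, leaving the loop to run zero times, and only the final result should decide whether the sub returns early. Both ss regexes also depend on the State column (`UNCONN`/`LISTEN`) being printed in `-l` mode; if an installed iproute2 omits it, nothing matches and %local_ports stays empty, which is worth a comment next to the sample-output lines. The sub's closing brace is outside the hunk.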
@@ -10829,7 +10864,7 @@ sub download_signatures() {
     &archive_conf($config{'SIGS_FILE'});
 
     ### for wget
-    &check_commands({'sendmail'=>'', 'mail'=>''});
+    &check_commands({'sendmail'=>'', 'mail'=>'', 'netstat'=>''});
 
     my $curr_pwd = getcwd();
     chdir '/tmp' or die $!;
@@ -11096,6 +11131,16 @@ sub check_commands() {
         }
     }
 
+    ### if 'ss' is not available make sure netstat is there as a fall back
+    unless (defined $cmds{'ss'} and -x $cmds{'ss'}) {
+        if (defined $cmds{'netstat'}) {
+            unless (-x $cmds{'netstat'}) {
+                die "[*] Neither 'ss' nor 'netstat' commands are available.";
+            }
+        } else {
+            die "[*] Neither 'ss' nor 'netstat' commands are available.";
+        }
+    }
     return;
 }
 
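Review bot: The new fallback check duplicates the `die` message across two nested branches and reads awkwardly as `unless`/`if`/`unless`; the same condition is a single guard: `my $have_ss = defined $cmds{'ss'} && -x $cmds{'ss'};`, `my $have_netstat = defined $cmds{'netstat'} && -x $cmds{'netstat'};`, `die "[*] Neither 'ss' nor 'netstat' commands are available." unless $have_ss or $have_netstat;`. Note also that this block runs unconditionally at the end of check_commands and, at least in the visible lines, does not consult the exceptions hashref the caller passes in, so the download_signatures call site that now lists `'netstat'=>''` as an exception will still die on a host with neither ss nor netstat even though signature download does not need listening-port detection; if that is intended, a comment saying the fallback is enforced regardless of exceptions would help, otherwise the check should honour the passed exceptions. The body of check_commands starts outside the hunk.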
diff -up psad-2.4.6/test/conf/auto_blocking.conf.i53 psad-2.4.6/test/conf/auto_blocking.conf
--- psad-2.4.6/test/conf/auto_blocking.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/auto_blocking.conf	2019-02-25 14:22:20.079778497 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/auto_min_dl5_blocking.conf.i53 psad-2.4.6/test/conf/auto_min_dl5_blocking.conf
--- psad-2.4.6/test/conf/auto_min_dl5_blocking.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/auto_min_dl5_blocking.conf	2019-02-25 14:22:20.079778497 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/default_psad.conf.i53 psad-2.4.6/test/conf/default_psad.conf
--- psad-2.4.6/test/conf/default_psad.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/default_psad.conf	2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/disable_ipv6_detection.conf.i53 psad-2.4.6/test/conf/disable_ipv6_detection.conf
--- psad-2.4.6/test/conf/disable_ipv6_detection.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/disable_ipv6_detection.conf	2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/enable_ack_detection.conf.i53 psad-2.4.6/test/conf/enable_ack_detection.conf
--- psad-2.4.6/test/conf/enable_ack_detection.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/enable_ack_detection.conf	2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_igmp.conf.i53 psad-2.4.6/test/conf/ignore_igmp.conf
--- psad-2.4.6/test/conf/ignore_igmp.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_igmp.conf	2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_intf.conf.i53 psad-2.4.6/test/conf/ignore_intf.conf
--- psad-2.4.6/test/conf/ignore_intf.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_intf.conf	2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_tcp.conf.i53 psad-2.4.6/test/conf/ignore_tcp.conf
--- psad-2.4.6/test/conf/ignore_tcp.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_tcp.conf	2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/ignore_udp.conf.i53 psad-2.4.6/test/conf/ignore_udp.conf
--- psad-2.4.6/test/conf/ignore_udp.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/ignore_udp.conf	2019-02-25 14:22:20.080778506 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf.i53 psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf
--- psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/require_DROP_syslog_prefix_str.conf	2019-02-25 14:22:20.081778514 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
diff -up psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf.i53 psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf
--- psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf.i53	2018-08-01 02:41:59.000000000 +0200
+++ psad-2.4.6/test/conf/require_missing_syslog_prefix_str.conf	2019-02-25 14:22:20.081778514 +0100
@@ -201,6 +201,7 @@ sendmailCmd      /usr/sbin/sendmail;
 ifconfigCmd      /sbin/ifconfig;
 ipCmd            /sbin/ip;
 killallCmd       /usr/bin/killall;
+ssCmd            /bin/ss;
 netstatCmd       /bin/netstat;
 unameCmd         /bin/uname;
 whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;