more reputation feed work to enable it within scan data structures

ChangeLog

@@ -1,4 +1,9 @@
 psad-3.0 (11//2018):
+    - Reputation feeds...
+    - Use File::Temp for temporary files in --sig-update and
+      --reputation-feeds-update modes. Use a dedicated directory for temporary
+      files controlled by the PSAD_TMP_DIR configuration variable. This also
+      applies to tmp files for iptables commands.
     - Switch to use the 'pkill' command by default instead of the 'killall'
       command to stop processes.
     - Switch to use the 'ss' command by default instead of 'netstat' to detect

psad

@@ -591,6 +591,7 @@ my %pkt_NF_init = (
     'is_topera'     => 0,  ### Topera IPv6 scanner detection, requires --log-ip-options
     'is_masscan'    => 0,  ### Masscan detection, requires --log-tcp-options
     'is_mirai'      => 0,  ### Mirai botnet scanning phase detection
+    'reputation_feed_matches' => {}, ### for reputation feed matches
     'is_port_sweep' => 0,
     'chain'         => '',
     'log_prefix'    => '',
@@ -599,6 +600,14 @@ my %pkt_NF_init = (
     'timestamp'     => ''
 );
 
+my %nmap_flags_to_opts = (
+    'SYN'             => '-sT or -sS',
+    'FIN'             => '-sF',
+    'NULL'            => '-sN',
+    'URG PSH FIN'     => '-sX',
+    'URG PSH SYN FIN' => '-O',
+);
+
 my %gnuplot_non_digit_packet_fields = (
     ### 'hashentry' - maps the field to an integer based on whether
     ###               it has been seen before
@@ -1121,6 +1130,8 @@ sub check_scan() {
                 if $config{'ALERT_ALL'} eq 'N';
         }
 
+        print STDERR "    current DL: $scan_dl{$pkt{'src'}}\n" if $debug;
+
         ### see if we need to assign a danger level according to the auto_dl
         ### file. The return value is the auto-assigned danger level (or
         ### -1 if there is no auto-assigned danger level.
@@ -4269,6 +4280,7 @@ sub reputation_feed_parse_conf_var() {
     return {
         'raw_str'         => $reputation_var_str,
         'feed_name'       => $feed_name,
+        'danger_level'    => $danger_level,
         'data_type'       => $data_type,
         'data_format'     => $data_format,
         'update_interval' => $update_interval,
@@ -5420,6 +5432,7 @@ sub reputation_feeds_check() {
             &sys_log("reputation feed: '$feed->{'feed_name'}' " .
                 "assigned DL: $feed_dl for IP: $src");
             $scan_dl{$src} = $feed_dl;
+            $pkt_hr->{'reputation_feed_matches'}{$feed->{'feed_name'}} = '';
             $rv = $feed_dl;
         }
     }
@@ -5997,23 +6010,13 @@ sub scan_logr() {
                 for my $flags (keys %{$curr_scan_hr->{$src}->
                         {$dst}->{'tcp'}->{'flags'}}) {
 
-                    my $nmap_opts = '';
                     $syslog_flags .= "$flags ";
                     my $n_pkts = $curr_scan_hr->{$src}->{$dst}->
                         {'tcp'}->{'flags'}->{$flags};
 
-                    ### FUTURE: replace this with a simple hash lookup
-                    if ($flags eq 'SYN') {
-                        $nmap_opts = '-sT or -sS';
-                    } elsif ($flags eq 'FIN') {
-                        $nmap_opts = '-sF';
-                    } elsif ($flags eq 'URG PSH FIN') {
-                        $nmap_opts = '-sX';
-                    } elsif ($flags eq 'NULL') {
-                        $nmap_opts = '-sN';
-                    } elsif ($flags eq 'URG PSH SYN FIN') {
-                        $nmap_opts = '-O';
-                    }
+                    my $nmap_opts = '';
+                    $nmap_opts    = $nmap_flags_to_opts{$flags}
+                        if defined $nmap_flags_to_opts{$flags};
 
                     if ($curr_scan_hr->{$src}->{$dst}->{'is_port_sweep'}) {
                         $scan_style_str = "Port sweep $flags scan";

signatures

@@ -119,13 +119,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connect
 
 ### scan.rules
 alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; psad_id:100065; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F; reference:arachnids,27; classtype:attempted-recon; sid:621; psad_id:100066; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; reference:arachnids,4; classtype:attempted-recon; sid:623; psad_id:100067; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; psad_id:100068; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU; reference:arachnids,144; classtype:attempted-recon; sid:625; psad_id:100069; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU; reference:arachnids,30; classtype:attempted-recon; sid:1228; psad_id:100070; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; psad_id:100071; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; psad_id:100197; psad_dl:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F; reference:url,nmap.org/book/man-port-scanning-techniques.html; classtype:attempted-recon; sid:621; psad_id:100066; psad_dl:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; reference:url,nmap.org/book/man-port-scanning-techniques.html; classtype:attempted-recon; sid:623; psad_id:100067; psad_dl:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:url,nmap.org/book/man-port-scanning-techniques.html; classtype:attempted-recon; sid:624; psad_id:100068; psad_dl:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU; reference:url,nmap.org/book/man-port-scanning-techniques.html; classtype:attempted-recon; sid:625; psad_id:100069; psad_dl:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU; reference:url,nmap.org/book/man-port-scanning-techniques.html; classtype:attempted-recon; sid:1228; psad_id:100070; psad_dl:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flags:SF; id:39426; reference:url,nmap.org/book/man-port-scanning-techniques.html; classtype:attempted-recon; sid:630; psad_id:100071; psad_dl:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; reference:url,www.ntsecurity.nu/toolbox/ipeye/; classtype:attempted-recon; sid:622; psad_id:100197; psad_dl:2;)
 
 ### x11.rules