ASPE configuration
ASPE configuration files are located in /etc/sysconfig. To activate changes, you have to restart all ASPE modules.
Triggering of actions
After a policy is violated (virus sent, ARP request for a nonexistent computer received, …), the following actions are performed (all checks are per-IP based):
- if more than timeout seconds have passed since the last occurrence, the counter is reset and, if necessary, the computer is unblocked
- the counter is increased by one
- the time is saved
- all defined actions are checked for their counts and those that have been reached are executed
all ASPE programs
Generic variables
- ignore: comma separated list of IPs (not hostnames, only IPs) that are to be ignored if they trigger an action. This is valid for all types within a module.
Type-specific variables
type is a module specific trigger type name. For example in aspe.smtp, it is virus or broken.
label is an almost freely (no whitespace and no “=”) chosen unique identifier to distinguish between actions for one type
For every type, the timeout has to be defined to some reasonable value, mtba is optional. For every label, at least count and method have to be defined, other variables are optional.
- action_type_timeout: reset counters after this many seconds of inactivity. Defaults to one day (86400), but nevertheless you have to set it manually, otherwise there won’t be any actions for that type.
- action_type_mtba: minimum time between actions (occurrences in between are ignored). Measured in seconds. Defaults to 0, which effectively deactivates this feature.
- action_type_label_count: count at which the action triggers. Don’t set this to 0: it doesn’t make sense and won’t do anything. You can also use crontab-like syntax here (e.g. *, */5, 1-5, 1,3,6)
- action_type_label_msg: message to send on this action (in block, reason for blocking). Defaults to Security policy violation, rule $prog-$class, count=$count, ip=\$ip
- action_type_label_subject: subject for the message (only valid for mail). Defaults to ASPE policy violation notification
- action_type_label_exec: path to execute
- action_type_label_method: mail, mailadmin, winpopup, block, unblock, reclassify, exec or intern.
- action_type_label_classonly: only apply to users from these classes (comma separated list). Defaults to any class.
- action_type_label_class: class for reclassify action
Action types
- mail: mail to the owner of the computer (address determined from user management). If unavailable, do nothing.
- mailadmin: mail to the admin (root in sysconfig)
- winpopup: notify by winpopup AKA Windows messenger AKA smbclient -M
- block or unblock: (un)block via user management and set the block reason to action_type_label_msg. If unavailable, do nothing.
- reclassify: change class
- sms: send SMS to admin. This is a paid service.
- exec: execute an external program. Use action_type_label_exec to define the path and arguments.
Pattern replacement
Inside msg, subject and exec, predefined patterns are replaced to allow individualization:
- $ip: IP of the computer violating the policy
- $count: counter for this IP
- $type: trigger type
- $timeout: timeout of this type
- $label: label name for this action
- $action: triggered action
- $first: time of first occurrence
- $year, $month, $day, $hour, $minute, $second: current date/time
- $name, $email, $roomnr, $mac: if user management is available and the IP is registered, replace these patterns from the record data
- \n: use this to signal a newline if you want multi-line messages (the configuration file doesn’t allow newlines inside a value)
- \ (at the end of the line): value continues on the next line
Some modules may define their own additional patterns.
Module-specific variables
aspe.smtp
Options:
- maxclients: maximum count of parallel connections accepted, defaults to 50
- maxperip: maximum parallel connections per IP, defaults to 3. More than this are rejected as a temporary error.
- maxsize: maximum allowed email size in bytes (0 for no limit), defaults to 5MB
- tproxy: turn on TPROXY. Only works for non-NAT-ed IPs (aspe.smtp.pl is clever enough to not apply TPROXY to those).
- outgoingip: IP for outgoing SMTP connections. Only used for TPROXY and required by TPROXY.
- tls: allow TLS connections. These are encrypted and therefore cannot be checked for viruses. Turned off by default.
- checkehlo: check (and enforce) a valid greeting (HELO/EHLO). Both its presence and its contents are checked. Turned off by default.
- rewriteehlo: rewrite the greeting (HELO/EHLO) with the hostname of the machine aspe.smtp runs on. Turned off by default. Note: can be used independently from checkehlo.
Defined types:
- virus: virus was sent
- broken: connection did not contain a valid email. This happens for example when the server doesn’t like the sender or recipient.
- toomany: tried to open more than maxperip connections
- ehlo: invalid/missing HELO/EHLO
Special methods:
- intern: returns an SMTP reject to the client when triggered.
Warning:
Please note that there is a window between calling the ASPE::hit and ASPE::checkintern functions. As aspe.smtp works asynchronously and allows multiple parallel connections per IP, these windows can overlap across connections, so you shouldn’t assume that the intern method always sees the counter increase in steps of one. If you want to make sure that intern triggers on the nth hit, define count as a range from n to n+maxperip. For example, to trigger intern after the second hit with maxperip set to three, define the count as 2-5.
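As an added illustration of the per-IP trigger logic (timeout reset, mtba, counter, count matching) and of the range trick for intern described in the warning above, here is a small Python model. It is constructed for this page and is not ASPE’s own Perl code; the class and method names, and the choice to silently drop hits inside the mtba window, are assumptions.

```python
import time


def count_matches(spec, count):
    """Match a crontab-like count spec ('*', '*/5', '1-5', '1,3,6') against count."""
    for item in spec.split(","):
        item = item.strip()
        if item == "*":
            return True
        if item.startswith("*/"):
            if count % int(item[2:]) == 0:
                return True
        elif "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= count <= hi:
                return True
        elif count == int(item):
            return True
    return False


class TypeTrigger:
    """Per-IP hit bookkeeping for one trigger type (e.g. 'virus' in aspe.smtp).

    actions: {label: count_spec}; ignore: IPs that never trigger anything.
    Constructed model of the page's description, not ASPE's own implementation.
    """

    def __init__(self, timeout, actions, mtba=0, ignore=()):
        self.timeout, self.mtba = timeout, mtba
        self.actions, self.ignore = actions, set(ignore)
        self.state = {}  # ip -> [count, time of last counted hit]

    def hit(self, ip, now=None):
        """Record one policy violation for ip; return labels whose count was reached."""
        now = time.time() if now is None else now
        if ip in self.ignore:
            return []
        count, last = self.state.get(ip, (0, None))
        if last is not None and now - last > self.timeout:
            count = 0  # more than timeout seconds idle: counter reset (unblock here)
        if last is not None and now - last < self.mtba:
            return []  # inside the mtba window: occurrence is ignored (assumption)
        count += 1
        self.state[ip] = [count, now]
        return [label for label, spec in self.actions.items()
                if count_matches(spec, count)]
```

With actions {"intern": "2-5"} and maxperip 3, every counter value from 2 to 5 triggers intern, which is exactly the range the warning recommends.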
aspe.vulncheck
Options
- dev: device to listen on, defaults to eth1
- maxfreq: maximum scan frequency in seconds, defaults to 3600
Defined types
- vulnerable: computer is vulnerable to Sasser & co
- patched: only triggered once, when a computer that was previously vulnerable is now patched. So if you want actions, the only usable count for this type is 1
aspe.arpflood
Options:
- dev: device on which ARP requests are monitored. Defaults to eth1.
- precise: if nonzero, aspe.arpflood won’t regard a repeated request pair (source & destination) as a hit. This requires more memory, but should eliminate most false positives. Defaults to 0.
- um: use user management (in addition to other checks) to determine if the target IP exists.
Defined types:
- arp: the machine is looking for another machine that wasn’t online during the last hour (or even at all)
Note: aspe.arpflood has an additional interpretation of the variable ignore. It is not only valid for IPs triggering hits, but also for IPs being targets of ARP-Requests. Use this if you have “hidden” hosts, for example if a computer has more than one IP.
aspe.dhcpdwatch
Warning:
aspe.dhcpdwatch hasn’t been tested yet
Options
- dev: device to listen on, defaults to eth1
Defined types:
- dhcp: the computer sent a DHCP OFFER/ACK/NACK
Custom patterns:
- mac: source MAC of the computer
aspe.dhcpwatch
Warning:
aspe.dhcpwatch is being redesigned, please don’t use
Options
- dev: device to listen on, defaults to eth1
Defined types:
- ipmismatch: the MAC is used with a different IP than previously
- hnmismatch: the hostname used with the MAC is different than previously
Custom patterns:
- mac: source MAC of the computer
aspe.spm
You can use aspe.spm with or without a room list. The room list is a file with lines in the format:
switch_ip:portnr=roomnr
for example
192.168.5.1:22=123
The file has to be saved in /mnt/ramdisk/um/portlist.txt.
Options
- freq: frequency of scan, in seconds. Mandatory option; the recommended value is between 5 minutes and one hour.
- switches: comma separated list of switches (IP addresses) to scan
- ignore: in this ASPE module, ignore isn’t a list of IPs, but a list of switch ports (same format as in portlist.txt), e.g.
ignore=192.168.5.1:24
Use this to define ports that are connected to other switches (e.g. uplinks), otherwise you’ll have chaos.
Defined types:
- new: MAC isn’t in the database
- wrongroom: MAC is used in a different room number than in the database (with portlist.txt) or a different port than during last scan (without portlist.txt)
Custom patterns:
- dbname: the MAC belongs to this person according to the database
- dbroomnr: the MAC should be in this room according to the database
- switch, port, roomnr: where it is connected now
aspe.traffic
Options
- freq: frequency of scan, in seconds. Mandatory option; the recommended value is between 5 minutes and one hour.
Defined types:
- day: Traffic since midnight
- month: Traffic since the beginning of month
- up: Outgoing traffic
- down: Incoming traffic
- total: A sum of incoming and outgoing traffic
These need to be combined, e.g. day_down.
Custom patterns:
- traffic: the MAC belongs to this person according to the database
- limit: the MAC should be in this room according to the database