On Nov 21, 2009, Simón wrote:

> On 21/11/09 16:10, Michael Rash wrote:
> > On Nov 16, 2009, Simón wrote:
> >
> >    
> >> Hi,
> >>      
> > Hello,
> >
> >    
> >> I have defined in my psad.conf:
> >> ENABLE_AUTO_IDS             Y;
> >> AUTO_IDS_DANGER_LEVEL       3;
> >>      
> > That looks good.
> >
> >    
> >> I have received this mail from psad daemon:
> >>
> >> =-=-=-=-=-=-=-=-=-=-=-= Mon Nov 16 16:43:37 2009 =-=-=-=-=-=-=-=-=-=-=-=
> >>
> >>            Danger level: [3] (out of 5)
> >>
> >>       Scanned UDP ports: [7413: 1 packets, Nmap: -sU]
> >>          iptables chain: INPUT (prefix "Inbound"), 1 packets
> >>
> >>                  Source: 81.201.48.209
> >>                     DNS: lbcfree.nfx.cz
> >>
> >>             Destination: xx.xxx.xxx.xxx
> >>                     DNS: xxx.xxx.xxx
> >>
> >>      Overall scan start: Tue Nov 10 20:46:32 2009
> >>      Total email alerts: 2
> >>      Complete UDP range: [6501-18885]
> >>
> >> ....................
> >>
> >> =-=-=-=-=-=-=-=-=-=-=-= Mon Nov 16 16:43:37 2009 =-=-=-=-=-=-=-=-=-=-=-=
> >>
> >> But psad doesn't block this IP:
> >>
> >> $ psad --status-ip 81.201.48.209
> >> .........
> >>       iptables auto-blocking status for: 81.201.48.209:
> >>           [NONE]
> >> .........
> >>
> >> Why psad didn't block this IP?
> >>      
> > Is ENABLE_AUTO_IDS_REGEX enabled in psad.conf?
> >    
> ENABLE_AUTO_IDS_REGEX       Y;
> ENABLE_AUTO_IDS_EMAILS      Y;
> > Also, does psad block any IP addresses?  Or does it seem to single the
> > one you have above out to ignore?
> >    
> psad doesn't block any IP with DL >= 3.

Ok, that is consistent.  The ENABLE_AUTO_IDS_REGEX variable means that
psad will only block IP addresses when the associated iptables log
messages contain a particular log prefix (matched by the regular
expression defined by the AUTO_BLOCK_REGEX variable).  This functionality
is mostly useful when you are combining psad with fwsnort - the default
regex is "ESTAB", which is something that fwsnort uses in the logging
prefixes for rules that it adds to iptables.  This allows psad to react
to attacks when they are delivered over truly established TCP
connections based on application layer pattern matching (done by fwsnort)
vs. scans which may be spoofed.

If you want psad to block IP addresses based only on the danger level
calculation, then just set ENABLE_AUTO_IDS_REGEX to N.

Thanks,

--Mike
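To make the gating Mike describes concrete, here is an added example (not psad's own code and not from the original thread) that emulates, in simplified form, the auto-block decision for a single iptables log message: the danger-level threshold from AUTO_IDS_DANGER_LEVEL, and the extra AUTO_BLOCK_REGEX gate that applies only when ENABLE_AUTO_IDS_REGEX is Y. The psad.conf fragments and the two iptables log lines are constructed for the example; the "Inbound" prefix mirrors the poster's alert, and the "ESTAB" prefix stands for the kind of prefix fwsnort puts on its rules. Real psad does more (it scores many packets, honours whitelists, and so on); this shows only why a DL 3 scan is not blocked under the posted settings and is blocked once ENABLE_AUTO_IDS_REGEX is N.

```python
import re

# Constructed psad.conf fragment reproducing the poster's settings.
# psad.conf syntax is one directive per line: NAME  VALUE;
CONF_AS_POSTED = """
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       3;
ENABLE_AUTO_IDS_REGEX       Y;
AUTO_BLOCK_REGEX            ESTAB;
"""

# The fix from the thread: leave the regex gate off so danger level alone decides.
CONF_FIXED = CONF_AS_POSTED.replace(
    "ENABLE_AUTO_IDS_REGEX       Y;", "ENABLE_AUTO_IDS_REGEX       N;")

# Constructed iptables log lines (not from the thread). The text between
# "kernel: " and "IN=" is the --log-prefix of the rule that logged the packet.
SCAN_LOG = ("Nov 16 16:43:37 fw kernel: Inbound IN=eth0 OUT= SRC=81.201.48.209 "
            "DST=192.0.2.10 PROTO=UDP SPT=7413 DPT=7413 LEN=28")
FWSNORT_LOG = ("Nov 16 16:50:01 fw kernel: SID1234 ESTAB IN=eth0 OUT= SRC=198.51.100.7 "
               "DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80 LEN=60")


def parse_psad_conf(text):
    """Parse 'NAME  VALUE;' directives into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s+(.*?);$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def log_prefix(line):
    """Return the iptables --log-prefix text of a kernel log line ('' if absent)."""
    m = re.search(r"kernel:\s+(.*?)\s+IN=", line)
    return m.group(1) if m else ""


def would_auto_block(conf, danger_level, line):
    """Simplified emulation of the auto-block decision for one logged packet.

    Returns (decision, reason). Order of checks: is auto-blocking on at all,
    does the danger level reach the threshold, and, only if the regex gate is
    enabled, does the log prefix match AUTO_BLOCK_REGEX.
    """
    if conf.get("ENABLE_AUTO_IDS", "N") != "Y":
        return False, "ENABLE_AUTO_IDS is not Y"
    threshold = int(conf.get("AUTO_IDS_DANGER_LEVEL", "5"))
    if danger_level < threshold:
        return False, f"danger level {danger_level} is below {threshold}"
    if conf.get("ENABLE_AUTO_IDS_REGEX", "N") == "Y":
        pattern = conf.get("AUTO_BLOCK_REGEX", "ESTAB")
        prefix = log_prefix(line)
        if not re.search(pattern, prefix):
            return False, (f"log prefix {prefix!r} does not match "
                           f"AUTO_BLOCK_REGEX {pattern!r}")
    return True, "block"


if __name__ == "__main__":
    for label, text in (("as posted", CONF_AS_POSTED), ("fixed", CONF_FIXED)):
        conf = parse_psad_conf(text)
        for name, line in (("UDP scan, prefix 'Inbound'", SCAN_LOG),
                           ("fwsnort hit, prefix 'ESTAB'", FWSNORT_LOG)):
            decision, reason = would_auto_block(conf, 3, line)
            print(f"[{label}] DL 3, {name}: {'BLOCK' if decision else 'no block'} ({reason})")
```

Under the posted settings the scan from 81.201.48.209 reaches the danger-level threshold but its "Inbound" prefix never matches "ESTAB", which is exactly the [NONE] the poster saw in --status-ip; only a message carrying an fwsnort-style "ESTAB" prefix would be blocked. With ENABLE_AUTO_IDS_REGEX set to N the same scan is blocked on danger level alone.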


> Regards.
> 

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss