** Description changed: + psad detects the default url of fwsnort rules and blocks the ip - psad detects the default url of fwsnort rules and blocks the ip + + when executing the following commands the ip addresses do not correspond to the servers configured in the fwsnort and psad files sudo psad --sig-update + sudo fwsnort --update-rules - Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196 Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión. Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file. [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387. + I receive mail alert in mutt added iptables auto-block against 18.214.66.196 added iptables auto-block against 23.21.164.163 Danger level: [2] (out of 5) - Scanned TCP ports: [48356: 1 packets] - TCP flags: [ACK: 1 packets] - iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets - fwsnort rule: 498 + Scanned TCP ports: [48356: 1 packets] + TCP flags: [ACK: 1 packets] + iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets + fwsnort rule: 498 - Source: 18.214.66.196 - DNS: ec2-18-214-66-196.compute-1.amazonaws.com - MAC: 8c:c5:b4:dd:fe:e0 + Source: 18.214.66.196 + DNS: ec2-18-214-66-196.compute-1.amazonaws.com + MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: - "PORN free XXX" - dst port: 48356 (no server bound to local port) - flags: ACK - content: "FREE XXX" - sid: 1310 - chain: FWSNORT_INPUT_ESTAB - packets: 1 - classtype: kickass-porn + "PORN free XXX" + dst port: 48356 (no server bound to local port) + flags: ACK + content: "FREE XXX" + sid: 1310 + chain: FWSNORT_INPUT_ESTAB + packets: 1 + classtype: kickass-porn ----------------------------------------------------------------- Danger level: [2] (out of 5) - 
Scanned TCP ports: [54500: 2 packets] - TCP flags: [ACK: 2 packets] - iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets - fwsnort rule: 514 - iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID100000105 ESTAB"), 1 packets - fwsnort rule: 93 + Scanned TCP ports: [54500: 2 packets] + TCP flags: [ACK: 2 packets] + iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets + fwsnort rule: 514 + iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID100000105 ESTAB"), 1 packets + fwsnort rule: 93 - Source: 23.21.164.163 - DNS: ec2-23-21-164-163.compute-1.amazonaws.com - MAC: 8c:c5:b4:dd:fe:e0 + Source: 23.21.164.163 + DNS: ec2-23-21-164-163.compute-1.amazonaws.com + MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: - "PORN ejaculation" - dst port: 54500 (no server bound to local port) - flags: ACK - content: "ejaculat" - sid: 1795 - chain: FWSNORT_INPUT_ESTAB - packets: 1 - classtype: kickass-porn + "PORN ejaculation" + dst port: 54500 (no server bound to local port) + flags: ACK + content: "ejaculat" + sid: 1795 + chain: FWSNORT_INPUT_ESTAB + packets: 1 + classtype: kickass-porn - "COMMUNITY INAPPROPRIATE lolita sex" - dst port: 54500 (no server bound to local port) - flags: ACK - content: "lolita" - content: "sex" - sid: 100000105 - chain: FWSNORT_INPUT_ESTAB - packets: 1 - classtype: kickass-porn + "COMMUNITY INAPPROPRIATE lolita sex" + dst port: 54500 (no server bound to local port) + flags: ACK + content: "lolita" + content: "sex" + sid: 100000105 + chain: FWSNORT_INPUT_ESTAB + packets: 1 + classtype: kickass-porn -------------------------------------------------------------------- - /etc/psad/psad.conf + /etc/psad/psad.conf #### AOL AIM server nets - AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, + AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; - 
/etc/fwsnort/fwsnort.conf ### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, - 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; + 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ------------------------------------------------------------------- ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux apt-cache policy fwsnort fwsnort: - Instalados: 1.6.7-3 - Candidato: 1.6.7-3 - Tabla de versión: - *** 1.6.7-3 500 - 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages - 500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages - 100 /var/lib/dpkg/status + Instalados: 1.6.7-3 + Candidato: 1.6.7-3 + Tabla de versión: + *** 1.6.7-3 500 + 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages + 500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages + 100 /var/lib/dpkg/status apt-cache policy psad psad: - Instalados: 2.4.3-1.2 - Candidato: 2.4.3-1.2 - Tabla de versión: - *** 2.4.3-1.2 500 - 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages - 100 /var/lib/dpkg/status + Instalados: 2.4.3-1.2 + Candidato: 2.4.3-1.2 + Tabla de versión: + *** 2.4.3-1.2 500 + 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages + 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: fwsnort 1.6.7-3 ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86 Uname: Linux 5.4.0-66-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.23 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Wed Mar 3 20:12:08 2021 InstallationDate: Installed on 2020-04-16 (321 days ago) InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1) PackageArchitecture: all SourcePackage: fwsnort UpgradeStatus: No upgrade log present (probably fresh install) + + edit:psad corregido sin cambiar configuracion solo queda el error de fwsnort + sudo 
psad --sig-update + [sudo] contraseña para usernet: + [+] Archiving original /etc/psad/signatures -> signatures.old1 + [+] Downloading latest signatures from: + http://www.cipherdyne.org/psad/signatures + --2021-03-12 19:03:32-- http://www.cipherdyne.org/psad/signatures + Resolviendo www.cipherdyne.org (www.cipherdyne.org)... 67.20.100.192 + Conectando con www.cipherdyne.org (www.cipherdyne.org)[67.20.100.192]:80... conectado. + Petición HTTP enviada, esperando respuesta... 200 OK + Longitud: 45267 (44K) + Guardando como: “signatures” + + signatures + 100%[=================================================>] 44,21K + 105KB/s en 0,4s + + 2021-03-12 19:03:33 (105 KB/s) - “signatures” guardado [45267/45267] + + [+] New signature file /etc/psad/signatures has been put in + place. You can restart psad (or use 'psad -H') to import the + new sigs.
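Review bot: The added sentence saying the IP addresses "do not correspond to the servers configured in the fwsnort and psad files" is supported only by the AIM_SERVERS entries quoted from /etc/psad/psad.conf and /etc/fwsnort/fwsnort.conf, and those are labelled as AOL AIM server nets, not the rules download host. The two auto-blocked sources, 23.21.164.163 and 18.214.66.196, are the same two addresses wget resolved for rules.emergingthreats.net, and both alerts are content matches on FWSNORT_INPUT_ESTAB against a port with no server bound. The description would be easier to triage if it quoted the fwsnort.conf line that sets the rules URL instead of AIM_SERVERS, and stated whether the auto-block was added before or after the connection to port 80 timed out.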
** Description changed: psad detects the default url of fwsnort rules and blocks the ip - - when executing the following commands the ip addresses do not correspond to the servers configured in the fwsnort and psad files + when executing the following commands the ip addresses do not correspond + to the servers configured in the fwsnort and psad files sudo psad --sig-update - sudo fwsnort --update-rules Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196 Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión. Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file. [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387. I receive mail alert in mutt added iptables auto-block against 18.214.66.196 added iptables auto-block against 23.21.164.163 Danger level: [2] (out of 5) Scanned TCP ports: [48356: 1 packets] TCP flags: [ACK: 1 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets fwsnort rule: 498 Source: 18.214.66.196 DNS: ec2-18-214-66-196.compute-1.amazonaws.com MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: "PORN free XXX" dst port: 48356 (no server bound to local port) flags: ACK content: "FREE XXX" sid: 1310 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn ----------------------------------------------------------------- Danger level: [2] (out of 5) Scanned TCP ports: [54500: 2 packets] TCP flags: [ACK: 2 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets fwsnort rule: 514 iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID100000105 ESTAB"), 1 packets fwsnort rule: 93 Source: 23.21.164.163 DNS: ec2-23-21-164-163.compute-1.amazonaws.com MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: "PORN ejaculation" dst port: 54500 (no server 
bound to local port) flags: ACK content: "ejaculat" sid: 1795 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn "COMMUNITY INAPPROPRIATE lolita sex" dst port: 54500 (no server bound to local port) flags: ACK content: "lolita" content: "sex" sid: 100000105 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn -------------------------------------------------------------------- /etc/psad/psad.conf #### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; /etc/fwsnort/fwsnort.conf ### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ------------------------------------------------------------------- ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux apt-cache policy fwsnort fwsnort: Instalados: 1.6.7-3 Candidato: 1.6.7-3 Tabla de versión: *** 1.6.7-3 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages 100 /var/lib/dpkg/status apt-cache policy psad psad: Instalados: 2.4.3-1.2 Candidato: 2.4.3-1.2 Tabla de versión: *** 2.4.3-1.2 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: fwsnort 1.6.7-3 ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86 Uname: Linux 5.4.0-66-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.23 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Wed Mar 3 20:12:08 2021 InstallationDate: Installed on 2020-04-16 (321 days ago) InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1) PackageArchitecture: all SourcePackage: fwsnort UpgradeStatus: No upgrade log present (probably fresh install) - edit:psad 
corregido sin cambiar configuracion solo queda el error de fwsnort + edit:psad corrected without changing configuration only fwsnort error remains sudo psad --sig-update - [sudo] contraseña para usernet: + [sudo] contraseña para usernet: [+] Archiving original /etc/psad/signatures -> signatures.old1 [+] Downloading latest signatures from: - http://www.cipherdyne.org/psad/signatures + http://www.cipherdyne.org/psad/signatures --2021-03-12 19:03:32-- http://www.cipherdyne.org/psad/signatures Resolviendo www.cipherdyne.org (www.cipherdyne.org)... 67.20.100.192 Conectando con www.cipherdyne.org (www.cipherdyne.org)[67.20.100.192]:80... conectado. Petición HTTP enviada, esperando respuesta... 200 OK Longitud: 45267 (44K) Guardando como: “signatures” signatures 100%[=================================================>] 44,21K 105KB/s en 0,4s 2021-03-12 19:03:33 (105 KB/s) - “signatures” guardado [45267/45267] [+] New signature file /etc/psad/signatures has been put in - place. You can restart psad (or use 'psad -H') to import the - new sigs. + place. You can restart psad (or use 'psad -H') to import the + new sigs. ** Description changed: psad detects the default url of fwsnort rules and blocks the ip when executing the following commands the ip addresses do not correspond to the servers configured in the fwsnort and psad files sudo psad --sig-update sudo fwsnort --update-rules Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196 Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión. Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file. [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387. 
I receive mail alert in mutt + + Subject: [psad-status] tcpwrappers AUTO-BLOCK against 18.214.66.196 + + Subject: [psad-status] tcpwrappers AUTO-BLOCK against 23.21.164.163 + added iptables auto-block against 18.214.66.196 added iptables auto-block against 23.21.164.163 Danger level: [2] (out of 5) Scanned TCP ports: [48356: 1 packets] TCP flags: [ACK: 1 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets fwsnort rule: 498 Source: 18.214.66.196 DNS: ec2-18-214-66-196.compute-1.amazonaws.com MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: "PORN free XXX" dst port: 48356 (no server bound to local port) flags: ACK content: "FREE XXX" sid: 1310 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn ----------------------------------------------------------------- Danger level: [2] (out of 5) Scanned TCP ports: [54500: 2 packets] TCP flags: [ACK: 2 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets fwsnort rule: 514 iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID100000105 ESTAB"), 1 packets fwsnort rule: 93 Source: 23.21.164.163 DNS: ec2-23-21-164-163.compute-1.amazonaws.com MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: "PORN ejaculation" dst port: 54500 (no server bound to local port) flags: ACK content: "ejaculat" sid: 1795 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn "COMMUNITY INAPPROPRIATE lolita sex" dst port: 54500 (no server bound to local port) flags: ACK content: "lolita" content: "sex" sid: 100000105 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn -------------------------------------------------------------------- /etc/psad/psad.conf #### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; /etc/fwsnort/fwsnort.conf ### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 
64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ------------------------------------------------------------------- ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux apt-cache policy fwsnort fwsnort: Instalados: 1.6.7-3 Candidato: 1.6.7-3 Tabla de versión: *** 1.6.7-3 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages 100 /var/lib/dpkg/status apt-cache policy psad psad: Instalados: 2.4.3-1.2 Candidato: 2.4.3-1.2 Tabla de versión: *** 2.4.3-1.2 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: fwsnort 1.6.7-3 ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86 Uname: Linux 5.4.0-66-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.23 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Wed Mar 3 20:12:08 2021 InstallationDate: Installed on 2020-04-16 (321 days ago) InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1) PackageArchitecture: all SourcePackage: fwsnort UpgradeStatus: No upgrade log present (probably fresh install) edit:psad corrected without changing configuration only fwsnort error remains sudo psad --sig-update [sudo] contraseña para usernet: [+] Archiving original /etc/psad/signatures -> signatures.old1 [+] Downloading latest signatures from: http://www.cipherdyne.org/psad/signatures --2021-03-12 19:03:32-- http://www.cipherdyne.org/psad/signatures Resolviendo www.cipherdyne.org (www.cipherdyne.org)... 67.20.100.192 Conectando con www.cipherdyne.org (www.cipherdyne.org)[67.20.100.192]:80... conectado. Petición HTTP enviada, esperando respuesta... 
200 OK Longitud: 45267 (44K) Guardando como: “signatures” signatures 100%[=================================================>] 44,21K 105KB/s en 0,4s 2021-03-12 19:03:33 (105 KB/s) - “signatures” guardado [45267/45267] [+] New signature file /etc/psad/signatures has been put in place. You can restart psad (or use 'psad -H') to import the new sigs. ** Description changed: psad detects the default url of fwsnort rules and blocks the ip when executing the following commands the ip addresses do not correspond to the servers configured in the fwsnort and psad files sudo psad --sig-update sudo fwsnort --update-rules Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196 Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión. Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file. [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387. 
I receive mail alert in mutt Subject: [psad-status] tcpwrappers AUTO-BLOCK against 18.214.66.196 Subject: [psad-status] tcpwrappers AUTO-BLOCK against 23.21.164.163 - added iptables auto-block against 18.214.66.196 added iptables auto-block against 23.21.164.163 Danger level: [2] (out of 5) Scanned TCP ports: [48356: 1 packets] TCP flags: [ACK: 1 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets fwsnort rule: 498 Source: 18.214.66.196 DNS: ec2-18-214-66-196.compute-1.amazonaws.com - MAC: 8c:c5:b4:dd:fe:e0 + MAC: [+] TCP scan signatures: "PORN free XXX" dst port: 48356 (no server bound to local port) flags: ACK content: "FREE XXX" sid: 1310 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn ----------------------------------------------------------------- Danger level: [2] (out of 5) Scanned TCP ports: [54500: 2 packets] TCP flags: [ACK: 2 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets fwsnort rule: 514 iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID100000105 ESTAB"), 1 packets fwsnort rule: 93 Source: 23.21.164.163 DNS: ec2-23-21-164-163.compute-1.amazonaws.com - MAC: 8c:c5:b4:dd:fe:e0 + MAC: [+] TCP scan signatures: "PORN ejaculation" dst port: 54500 (no server bound to local port) flags: ACK content: "ejaculat" sid: 1795 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn "COMMUNITY INAPPROPRIATE lolita sex" dst port: 54500 (no server bound to local port) flags: ACK content: "lolita" content: "sex" sid: 100000105 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn -------------------------------------------------------------------- /etc/psad/psad.conf #### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; /etc/fwsnort/fwsnort.conf ### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 
64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ------------------------------------------------------------------- ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux apt-cache policy fwsnort fwsnort: Instalados: 1.6.7-3 Candidato: 1.6.7-3 Tabla de versión: *** 1.6.7-3 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages 100 /var/lib/dpkg/status apt-cache policy psad psad: Instalados: 2.4.3-1.2 Candidato: 2.4.3-1.2 Tabla de versión: *** 2.4.3-1.2 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: fwsnort 1.6.7-3 ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86 Uname: Linux 5.4.0-66-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.23 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Wed Mar 3 20:12:08 2021 InstallationDate: Installed on 2020-04-16 (321 days ago) InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1) PackageArchitecture: all SourcePackage: fwsnort UpgradeStatus: No upgrade log present (probably fresh install) edit:psad corrected without changing configuration only fwsnort error remains sudo psad --sig-update [sudo] contraseña para usernet: [+] Archiving original /etc/psad/signatures -> signatures.old1 [+] Downloading latest signatures from: http://www.cipherdyne.org/psad/signatures --2021-03-12 19:03:32-- http://www.cipherdyne.org/psad/signatures Resolviendo www.cipherdyne.org (www.cipherdyne.org)... 67.20.100.192 Conectando con www.cipherdyne.org (www.cipherdyne.org)[67.20.100.192]:80... conectado. Petición HTTP enviada, esperando respuesta... 
200 OK Longitud: 45267 (44K) Guardando como: “signatures” signatures 100%[=================================================>] 44,21K 105KB/s en 0,4s 2021-03-12 19:03:33 (105 KB/s) - “signatures” guardado [45267/45267] [+] New signature file /etc/psad/signatures has been put in place. You can restart psad (or use 'psad -H') to import the new sigs. ** Description changed: psad detects the default url of fwsnort rules and blocks the ip when executing the following commands the ip addresses do not correspond to the servers configured in the fwsnort and psad files sudo psad --sig-update sudo fwsnort --update-rules Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196 Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión. Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file. [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387. 
I receive mail alert in mutt Subject: [psad-status] tcpwrappers AUTO-BLOCK against 18.214.66.196 Subject: [psad-status] tcpwrappers AUTO-BLOCK against 23.21.164.163 added iptables auto-block against 18.214.66.196 added iptables auto-block against 23.21.164.163 Danger level: [2] (out of 5) Scanned TCP ports: [48356: 1 packets] TCP flags: [ACK: 1 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets fwsnort rule: 498 Source: 18.214.66.196 DNS: ec2-18-214-66-196.compute-1.amazonaws.com - MAC: + MAC: [+] TCP scan signatures: "PORN free XXX" dst port: 48356 (no server bound to local port) flags: ACK content: "FREE XXX" sid: 1310 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn ----------------------------------------------------------------- Danger level: [2] (out of 5) Scanned TCP ports: [54500: 2 packets] TCP flags: [ACK: 2 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets fwsnort rule: 514 iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID100000105 ESTAB"), 1 packets fwsnort rule: 93 Source: 23.21.164.163 DNS: ec2-23-21-164-163.compute-1.amazonaws.com - MAC: + MAC: [+] TCP scan signatures: "PORN ejaculation" dst port: 54500 (no server bound to local port) flags: ACK content: "ejaculat" sid: 1795 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn "COMMUNITY INAPPROPRIATE lolita sex" dst port: 54500 (no server bound to local port) flags: ACK content: "lolita" content: "sex" sid: 100000105 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn -------------------------------------------------------------------- /etc/psad/psad.conf #### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; /etc/fwsnort/fwsnort.conf ### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 
64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ------------------------------------------------------------------- ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux apt-cache policy fwsnort fwsnort: Instalados: 1.6.7-3 Candidato: 1.6.7-3 Tabla de versión: *** 1.6.7-3 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages 100 /var/lib/dpkg/status apt-cache policy psad psad: Instalados: 2.4.3-1.2 Candidato: 2.4.3-1.2 Tabla de versión: *** 2.4.3-1.2 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: fwsnort 1.6.7-3 ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86 Uname: Linux 5.4.0-66-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.23 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Wed Mar 3 20:12:08 2021 InstallationDate: Installed on 2020-04-16 (321 days ago) InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1) PackageArchitecture: all SourcePackage: fwsnort UpgradeStatus: No upgrade log present (probably fresh install) edit:psad corrected without changing configuration only fwsnort error remains sudo psad --sig-update - [sudo] contraseña para usernet: + [+] Archiving original /etc/psad/signatures -> signatures.old1 [+] Downloading latest signatures from: http://www.cipherdyne.org/psad/signatures --2021-03-12 19:03:32-- http://www.cipherdyne.org/psad/signatures Resolviendo www.cipherdyne.org (www.cipherdyne.org)... 67.20.100.192 Conectando con www.cipherdyne.org (www.cipherdyne.org)[67.20.100.192]:80... conectado. Petición HTTP enviada, esperando respuesta... 
200 OK Longitud: 45267 (44K) Guardando como: “signatures” signatures 100%[=================================================>] 44,21K 105KB/s en 0,4s 2021-03-12 19:03:33 (105 KB/s) - “signatures” guardado [45267/45267] [+] New signature file /etc/psad/signatures has been put in place. You can restart psad (or use 'psad -H') to import the new sigs.
--
https://bugs.launchpad.net/bugs/1917682 Title: rules url error fwsnort
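Review bot: Blanking the `MAC:` field in both alert blocks and dropping the `[sudo] contraseña para usernet:` line in the last two revisions does not take those values out of this notification, because the earlier revisions quoted above still carry the full MAC value and the prompt with the account name. If the intent was to withhold them, treat both as already disclosed, and note in the description that they were redacted so a triager does not read the empty `MAC:` field as psad output.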