Your message dated Thu, 24 Feb 2005 12:20:04 -0800 (PST)
with message-id <[EMAIL PROTECTED]>
and subject line [Fwd: Re: Old bug in debian still open]
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Aug 2004 23:12:32 +0000
>From [EMAIL PROTECTED] Fri Aug 13 16:12:32 2004
Return-path: <[EMAIL PROTECTED]>
Received: from netblock-66-159-231-38.dslextreme.com (mail.cavein.org)
[66.159.231.38]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1BvlDs-0003k4-00; Fri, 13 Aug 2004 16:12:32 -0700
Received: from bandit-hall.dyn.webahead.ibm.com (bandit-hall.cavein.org
[192.168.1.10])
(authenticated bits=128)
by mail.cavein.org (8.13.1/8.13.1/Debian-7) with ESMTP id i7DN6EHt023314
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
for <[EMAIL PROTECTED]>; Fri, 13 Aug 2004 23:06:14 GMT
Received: from bandit-hall.dyn.webahead.ibm.com (IDENT:[EMAIL PROTECTED]
[127.0.0.1])
(authenticated bits=128)
by bandit-hall.dyn.webahead.ibm.com (8.13.1/8.13.1/Debian-7) with ESMTP
id i7DMN83Y019677;
Fri, 13 Aug 2004 15:23:08 -0700
Received: (from [EMAIL PROTECTED])
by bandit-hall.dyn.webahead.ibm.com (8.13.1/8.13.1/Debian-7) id
i7DMN8RA019676;
Fri, 13 Aug 2004 15:23:08 -0700
Message-Id: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Richard A Nelson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: psad: ip and/or network in auto_dl being ignored
X-Mailer: reportbug 2.64
Date: Fri, 13 Aug 2004 15:23:07 -0700
X-Scanned-By: MIMEDefang 2.44
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: psad
Version: 1.3.2-3
Severity: important
Every once in a while, my laptop starts blocking my LAN router - which
makes it rather difficult to get any work done :)
Sample erroneous report:
------------------------------------------------------------------------------
** psad: Suspicious traffic detected against 192.168.1.255
Danger level: [1] (out of 5)
Scanned udp ports: [123: 1 packets, Nmap: -sU]
Iptables chain: INPUT (prefix "Drop"), 1 packets
Source: 192.168.1.2
DNS: ultima-thule.cavein.org
Destination: 192.168.1.255
DNS: [No reverse dns info available]
Syslog hostname: bandit-hall
Current interval: Fri Aug 13 14:09:11 2004 (start)
Fri Aug 13 14:09:16 2004 (end)
Overall scan start: Fri Aug 13 14:05:58 2004
Total email alerts: 2
Complete udp range: [123-513]
chain:   interface:   tcp:   udp:   icmp:
INPUT    eth0         0      6      0
------------------------------------------------------------------------------
Portion of /etc/psad/psad.conf:
HOME_NET 192.168.0.0/24, 192.168.1.0/24, 10.0.1.0/24;
The laptop is sometimes on 192.168.0.<x>, sometimes on 192.168.1.<x>,
and sometimes (at work, hotel, etc) on neither... 10.0.1.x is a VPN to
the home router.
Portion of /etc/psad/auto_dl:
127.0.0.0/8 0;
10.0.0.0/8 0;
192.168.0.0/24 0;
192.168.1.0/24 0;
# ip addr show eth0
3: eth0: <BROADCAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc htb qlen 1000
link/ether 00:09:6b:30:46:0e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
inet 9.65.233.73/32 scope global eth0
inet6 fe80::209:6bff:fe30:460e/64 scope link
valid_lft forever preferred_lft forever
# ip route [minimized]
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
10.0.1.0/24 dev tap0 proto kernel scope link src 10.0.1.10
192.168.0.0/24 via 10.0.1.2 dev tap0 metric 2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
syslog from latest start of psad:
Aug 13 14:13:13 bandit-hall psad: .. starting psad
Aug 13 14:13:13 bandit-hall psad: .. imported psad-1.3 signatures
Aug 13 14:13:13 bandit-hall psad: .. imported valid icmp types and codes
Aug 13 14:13:13 bandit-hall psad: .. imported passive OS fingerprinting
signatures
Aug 13 14:13:13 bandit-hall psad: .. imported psad_auto_dl, got 10 IPs
and 6 networks
Aug 13 14:13:13 bandit-hall psad: .. imported snort-2.1 signatures
Aug 13 14:13:13 bandit-hall psad: .. config warning; HOME_NET definition
in psad.conf contains 192.168.0.0/24 which does not appear to be
directly connected to the local system.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-rc3-mm1
Locale: LANG=en_US, LC_CTYPE=en_US
Versions of packages psad depends on:
ii ipchains 1.3.10-15 Network firewalling for Linux 2.2.
ii iptables 1.2.11-2 Linux kernel 2.4+ iptables adminis
ii libbit-vector-perl 6.3-3 Perl and C library for bit vectors
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libdate-calc-perl 5.3-5 Perl library for accessing dates
ii libnetwork-ipv4addr-perl 0.10-1.1 The Net::IPv4Addr perl module API
ii libunix-syslog-perl 0.100-2 Perl interface to the UNIX syslog(
ii perl 5.8.4-2 Larry Wall's Practical Extraction
ii sysklogd [syslogd] 1.4.1-15 System Logging Daemon
ii whois 4.6.20u The GNU whois client
-- debconf-show failed
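As an added check, not part of the bug report above or of psad's own code, the following Python parses an auto_dl fragment in the format the report shows ("<ip-or-network> <danger-level>;", one entry per line) and asks which danger-level override, if any, covers the alert's source address. It reproduces the "got N IPs and M networks" count from the syslog line and flags the report's alert (source 192.168.1.2, danger level 1) as inconsistent with the 192.168.1.0/24 0 entry. The longest-prefix rule, the extra host entry and the helper names are assumptions of this example, not psad's documented behaviour.

```python
import ipaddress

# Constructed sample of /etc/psad/auto_dl, modelled on the entries in the report.
# "0" is the level the report expects to suppress alerts for a source.
AUTO_DL_SAMPLE = """\
# hypothetical auto_dl contents (constructed for this example)
127.0.0.0/8 0;
10.0.0.0/8 0;
192.168.0.0/24 0;
192.168.1.0/24 0;
192.168.1.77 5;   # assumed host entry nested inside a network entry
"""


def parse_auto_dl(text):
    """Return a list of (network, danger_level) tuples.

    A bare address becomes a /32 (or /128) host network so hosts and
    networks share one matching path. Comments and trailing ';' are stripped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        addr, level = line.split()
        entries.append((ipaddress.ip_network(addr, strict=False), int(level)))
    return entries


def summarize(entries):
    """Count single hosts vs. networks, like psad's 'got N IPs and M networks' line."""
    hosts = sum(1 for net, _ in entries if net.num_addresses == 1)
    return hosts, len(entries) - hosts


def auto_dl_level(src, entries):
    """Danger-level override for src, or None when no entry covers it.

    Assumption: the most specific (longest-prefix) entry wins, so a host
    entry inside a network entry takes precedence over the network.
    """
    ip = ipaddress.ip_address(src)
    best = None
    for net, level in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, level)
    return None if best is None else best[1]


def check_alert(src, reported_level, entries):
    """True if an alert's reported danger level agrees with auto_dl.

    With no covering entry the level comes from psad's own scoring, so any
    value is accepted; with a covering entry the override must have applied.
    """
    override = auto_dl_level(src, entries)
    if override is None:
        return True
    return reported_level == override


if __name__ == "__main__":
    entries = parse_auto_dl(AUTO_DL_SAMPLE)
    print("imported auto_dl: %d IPs and %d networks" % summarize(entries))
    # The alert from the report: source 192.168.1.2 scored at danger level 1.
    print("alert consistent with auto_dl:", check_alert("192.168.1.2", 1, entries))
```

Run against the report's own facts, the last line prints False: 192.168.1.2 sits inside the 192.168.1.0/24 entry with level 0, so an alert at level 1 means the network entry was not honoured, which is the behaviour the report describes. A source outside every entry, such as the 9.65.233.73 address on eth0 in the report, has no override and is accepted at whatever level psad assigns.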
---------------------------------------
Received: (at 265610-done) by bugs.debian.org; 24 Feb 2005 20:20:09 +0000
>From [EMAIL PROTECTED] Thu Feb 24 12:20:09 2005
Return-path: <[EMAIL PROTECTED]>
Received: from netblock-66-159-231-38.dslextreme.com (mail.cavein.org)
[66.159.231.38]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1D4PSy-0000pb-00; Thu, 24 Feb 2005 12:20:08 -0800
Received: from localhost (IDENT:[EMAIL PROTECTED] [127.0.0.1])
(authenticated bits=0)
by mail.cavein.org (8.13.4.Alpha0/8.13.4.Alpha0/Debian-0) with ESMTP id
j1OKK47v015175
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
Thu, 24 Feb 2005 20:20:07 GMT
Date: Thu, 24 Feb 2005 12:20:04 -0800 (PST)
From: Richard A Nelson <[EMAIL PROTECTED]>
To: Daniel Gubser <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [Fwd: Re: Old bug in debian still open]
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Scanned-By: MIMEDefang 2.51 on 192.168.1.2
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
On Thu, 24 Feb 2005, Daniel Gubser wrote:
> Hello Richard
Hello,
> Can you please give a try for a upgrade?
I am indeed unable to reproduce this under 1.4.0-1 - thanks!
The UDP connection tracking part makes sense... I didn't realize
that the PSAD workaround was only for IP state; and I've never
seen the issue wrt IP packets, only UDP - and only on NS requests
so I'll just chalk that up to Linux and peruse my kernel settings.
Thanks for the followup, I'm happy to be back on current releases :)
--
Rick Nelson
Are Linux users lemmings collectively jumping off of the cliff of
reliable, well-engineered commercial software?
-- Matt Welsh