Package: psad
Version: 2.1.3-1.1

Hello,

I have configured psad to block all traffic from IPs using iptables (i.e. ENABLE_AUTO_IDS set to Y) when a danger level reaches a value of 1 or higher (AUTO_IDS_DANGER_LEVEL set to 1). This means that when 5 packets are logged by iptables from some IP, the IP is blocked - even if only 1 port is scanned (PORT_RANGE_SCAN_THRESHOLD set to 0). This means I changed the three following variables in the default configuration file /etc/psad/psad.conf:

    ENABLE_AUTO_IDS              Y;
    AUTO_IDS_DANGER_LEVEL        1;
    PORT_RANGE_SCAN_THRESHOLD    0;

After that, I set my firewall rules in a better way. I accepted all packets I wanted and dropped all usual traffic that occurred on my network before logging it. I didn't want to block machines with usual (even if useless for my machine) traffic. I wanted to log and potentially block only unusual traffic. After logging, I dropped everything.

However, even if my machine logged and blocked ICMP packets of type 3 and code 3 (port unreachable), as I can see in /var/log/messages, psad logs show something different. They show that UDP packets were observed instead of the ICMP ones!!! I suppose the reason is that the ICMP packets also contain the beginning of the UDP packets!!!

Let's look at the following scenario that I observed on my machine. /var/log/messages contains the following lines (6 of them, all similar):

    ...
    Sep 8 18:04:26 baxic kernel: [28241.572876] IN_DROP IN=wlan0 OUT= MAC=00:1a:9f:91:df:ae:00:21:27:e8:0a:a0:08:00 SRC=10.0.0.138 DST=192.168.1.103 LEN=96 TOS=0x00 PREC=0xC0 TTL=254 ID=63642 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.103 DST=10.0.0.138 LEN=68 TOS=0x00 PREC=0x00 TTL=0 ID=22458 PROTO=UDP SPT=35080 DPT=33434 LEN=48 ]
    ...

After psad found out a new scan had occurred, it blocked the machine 10.0.0.138 (router), but its statistics show that UDP traffic was blocked instead of the ICMP one.

Let's look at the file /var/log/psad/10.0.0.138/192.168.1.103_packet_ctr for instance:

    > cd /var/log/psad/10.0.0.138
    > cat 192.168.1.103_packet_ctr
    INPUT_wlan0_udp: 6 [33434-33439]

All other psad files that contain protocol statistics show the same problem. This means that psad identified the IPs correctly and blocked 10.0.0.138, but the protocol info was found out incorrectly by psad, most probably because the ICMP packet itself (and its log too) also contained the UDP headers.

Regards,
Lukas
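The misattribution Lukas describes comes from the bracketed tail of an ICMP error log line, which quotes the inner (original) IP/UDP header after the outer PROTO=ICMP fields. The following added example (not psad's code and not part of the bug report) is a small parser over a constructed log line modelled on the one quoted above: it shows how taking the last PROTO= field yields "udp", and how splitting the outer header from the bracketed inner header attributes the six packets to ICMP instead, while still keeping the inner UDP port available for reference.

```python
import re

# Constructed sample, modelled on the iptables log line quoted in the report:
# an outer ICMP type 3 code 3 packet whose bracketed tail quotes the inner UDP header.
SAMPLE = ("Sep 8 18:04:26 baxic kernel: [28241.572876] IN_DROP IN=wlan0 OUT= "
          "MAC=00:1a:9f:91:df:ae:00:21:27:e8:0a:a0:08:00 SRC=10.0.0.138 DST=192.168.1.103 "
          "LEN=96 TOS=0x00 PREC=0xC0 TTL=254 ID=63642 PROTO=ICMP TYPE=3 CODE=3 "
          "[SRC=192.168.1.103 DST=10.0.0.138 LEN=68 TOS=0x00 PREC=0x00 TTL=0 ID=22458 "
          "PROTO=UDP SPT=35080 DPT=33434 LEN=48 ]")

def sample_lines():
    """Six constructed lines like the report's: the inner UDP DPT walks 33434..33439."""
    return [SAMPLE.replace("DPT=33434", f"DPT={p}") for p in range(33434, 33440)]

def naive_proto(line):
    """Take the last PROTO= field: this attributes the packet to the quoted inner header."""
    return re.findall(r"PROTO=(\w+)", line)[-1]

def parse_iptables_log(line):
    """Separate the outer header from the bracketed inner header (present only on ICMP errors)."""
    m = re.search(r"\[(SRC=.*?)\]", line)  # the kernel timestamp bracket has no SRC=, so it is skipped
    outer_text = line[:m.start()] if m else line
    outer = dict(re.findall(r"(\w+)=(\S*)", outer_text))
    # Inner header: the later LEN= (UDP length) overrides the inner IP LEN= in the dict.
    inner = dict(re.findall(r"(\w+)=(\S*)", m.group(1))) if m else None
    return {"outer": outer, "inner": inner}

def packet_counters(lines, attribute_to_inner=False):
    """psad-style counters: {"INPUT_<iface>_<proto>": (count, (lo_port, hi_port) or None)}.
    attribute_to_inner=True reproduces the misattribution the report describes."""
    counts, ports = {}, {}
    for line in lines:
        rec = parse_iptables_log(line)
        hdr = rec["inner"] if attribute_to_inner and rec["inner"] else rec["outer"]
        key = f"INPUT_{rec['outer']['IN']}_{hdr['PROTO'].lower()}"
        counts[key] = counts.get(key, 0) + 1
        if "DPT" in hdr:
            ports.setdefault(key, set()).add(int(hdr["DPT"]))
    return {k: (n, (min(ports[k]), max(ports[k])) if k in ports else None)
            for k, n in counts.items()}

if __name__ == "__main__":
    print("inner-attributed:", packet_counters(sample_lines(), attribute_to_inner=True))
    print("outer-attributed:", packet_counters(sample_lines()))
```

The first call reproduces the `INPUT_wlan0_udp: 6 [33434-33439]` counter from the report; the second yields six ICMP packets with no port range, which is what the firewall actually dropped.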

