Hi everybody,
I have Fail2ban now nicely running, and most false positives filtered out.
I'm left with alerts that I can't recognize, leading me to wish I had
some sort of reference site that helps me understand the alerts.
A random example:
[**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**]
[Classification: Unknown Traffic] [Priority: 3]
04/26-12:29:27.127017 192.168.178.100:9090 -> 192.168.178.28:34404
TCP TTL:64 TOS:0x0 ID:50257 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x3540481C Ack: 0x2B4A6748 Win: 0x110 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2860797350 734062
To be more specific: where can I find more information about the first two
lines of an alert? I would appreciate finding (a link to) that info on the
Fail2Ban Wiki website.
The next line is clear to me, and I suppose the other ones are useful
information to pinpoint the crime.
Some of my questions:
* What does [**] . [**] mean?
* Is there an annotated overall list of classifications available?
* What does each level of priority mean?
* For each alert: what can go wrong / is it some sort of a known hack?
Again, I don't ask now what this specific alert means but where I can find
reliable information.
Thanks!
Paul
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
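The alert Paul pasted is in Snort's full-alert layout: a `[gid:sid:rev]` triple (generator id, signature id, revision) and message between `[**]` markers, then the classification/priority line, then the endpoint line. As an added example that is not part of this thread, the parser below pulls those fields out of exactly that alert; it assumes the layout shown above and a stock Snort classification.config for the priority labels.

```python
import re

# Constructed sample input: the alert quoted in the post, with its wrapped first line rejoined.
SAMPLE_ALERT = (
    "[**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**]\n"
    "[Classification: Unknown Traffic] [Priority: 3]\n"
    "04/26-12:29:27.127017 192.168.178.100:9090 -> 192.168.178.28:34404\n"
    "TCP TTL:64 TOS:0x0 ID:50257 IpLen:20 DgmLen:100 DF\n"
)

# Header line: [**] [gid:sid:rev] (generator) MESSAGE [**]
#   gid = generator id (120 is the http_inspect preprocessor), sid = signature id, rev = revision
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (?:\(([^)]+)\) )?(.+?) \[\*\*\]$")
# Classification line (absent when a rule carries no classtype): [Classification: ...] [Priority: n]
CLASS_RE = re.compile(r"^\[Classification: ([^\]]+)\] \[Priority: (\d+)\]$")
# Address line: MM/DD-HH:MM:SS.usec src:port -> dst:port
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")

# Priority meanings from Snort's stock classification.config (assumption: defaults unchanged).
PRIORITY_LABELS = {1: "high", 2: "medium", 3: "low", 4: "very low"}


def parse_alert(text):
    """Return the header, classification and endpoint fields of one full-format alert as a dict.
    Raises ValueError for a malformed header or address line instead of silently mis-parsing."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = HEADER_RE.match(lines[0] if lines else "")
    if not m:
        raise ValueError("not an alert header: %r" % (lines[0] if lines else ""))
    gid, sid, rev, generator, message = m.groups()
    alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "generator": generator,
             "message": message, "classification": None, "priority": None}
    idx = 1  # the classification line is optional, so track which line holds the addresses
    c = CLASS_RE.match(lines[idx]) if len(lines) > idx else None
    if c:
        alert["classification"], alert["priority"] = c.group(1), int(c.group(2))
        idx += 1
    a = ADDR_RE.match(lines[idx]) if len(lines) > idx else None
    if not a:
        raise ValueError("missing or malformed address line")
    ts, src, sport, dst, dport = a.groups()
    alert.update(timestamp=ts, src=src, sport=int(sport), dst=dst, dport=int(dport))
    alert["priority_label"] = PRIORITY_LABELS.get(alert["priority"], "unknown")
    return alert


if __name__ == "__main__":
    for key, value in parse_alert(SAMPLE_ALERT).items():
        print("%-15s %s" % (key, value))
```

Note that in the sample the source endpoint is the local web server's port 9090, which is why this particular alert is about a server response rather than a client request.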