Hello people,

I've been tinkering with psad for a little while now and I've been
working it into a small firewall script that's going to be running on
virtual servers. These are going to be running debian etch/lenny and
will have different kernel versions and other things I had to take into
consideration. I'm running these machines on my workstation using
Virtualbox and they're using the closest kernel to those used on the
live environment.

Now I've ran into trouble with my debian etch test environment, namely
it won't show the scans with the Status command.
I get the following output(Some info stripped):

[+] psad (pid: 5341)  %CPU: 0.0  %MEM: 7.9
    Running since: Mon Mar 15 12:25:40 2010
    Command line arguments: -c /etc/psad/psad.conf
    Alert email address(es): r...@localhost

    [No scans detected]

    Netfilter prefix counters:
        [NONE]

    Total scan sources: 0
    Total scan destinations: 0

    Total packet counters:
        tcp:  3915
        udp:  192
        icmp: 0

If I go to /var/log/psad/ and tail the packet counter I'll get the
following output:

debianetch:~# tail /var/log/psad/192.168.1.125/192.168.1.130_packet_ctr 
INPUT_eth0_tcp:  1960 [1-65389]

Now this disparity between the packet counts is boggling my mind. I
thought it could be due to my virtual test environment, but this doesn't
happen with debian lenny. I further tested this and it'd lead to the
autoblock activating at the default 15.000packets while it was reporting
only ~12.000 packets.

Some extra information:
Debian Etch machine:
Linux debianetch 2.6.18-6-686 #1 SMP Tue Mar 23 11:40:03 UTC 2010 i686
GNU/Linux
[+] psad v1.4.8, by Michael Rash <m...@cipherdyne.org>

Debian Lenny machine:
Linux debianlenny 2.6.26-2-686 #1 SMP Sat Dec 26 09:01:51 UTC 2009 i686
GNU/Linux
[+] psad v2.1.3 (file revision: 2181)

I've installed psad using apt-get using the latest stable builds.

I'm hoping someone can give me some pointers on where I could look for
this.
                                          
_________________________________________________________________
Hotmail: betrouwbare e-mail met krachtige spambescherming.
https://signup.live.com/signup.aspx?id=60969
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss

Reply via email to