On Mar 24, 2010, marco arts wrote:

> 
> Hello people,
> 
> I've been tinkering with psad for a little while now and I've been
> working it into a small firewall script that's going to be running on
> virtual servers. These are going to be running debian etch/lenny and
> will have different kernel versions and other things I had to take into
> consideration. I'm running these machines on my workstation using
> Virtualbox and they're using the closest kernel to those used on the
> live environment.
> 
> Now I've run into trouble with my debian etch test environment, namely
> it won't show the scans with the Status command.
> I get the following output (some info stripped):
> 
> [+] psad (pid: 5341)  %CPU: 0.0  %MEM: 7.9
>     Running since: Mon Mar 15 12:25:40 2010
>     Command line arguments: -c /etc/psad/psad.conf
>     Alert email address(es): r...@localhost
> 
>     [No scans detected]
> 
>     Netfilter prefix counters:
>         [NONE]
> 
>     Total scan sources: 0
>     Total scan destinations: 0
> 
>     Total packet counters:
>         tcp:  3915
>         udp:  192
>         icmp: 0
> 
> If I go to /var/log/psad/ and tail the packet counter I'll get the
> following output:
> 
> debianetch:~# tail /var/log/psad/192.168.1.125/192.168.1.130_packet_ctr 
> INPUT_eth0_tcp:  1960 [1-65389]
> 
> Now this disparity between the packet counts is boggling my mind. I
> thought it could be due to my virtual test environment, but this doesn't
> happen with debian lenny. I further tested this and it'd lead to the
> autoblock activating at the default 15.000 packets while it was reporting
> only ~12.000 packets.
> 
> Some extra information:
> Debian Etch machine:
> Linux debianetch 2.6.18-6-686 #1 SMP Tue Mar 23 11:40:03 UTC 2010 i686
> GNU/Linux
> [+] psad v1.4.8, by Michael Rash <m...@cipherdyne.org>

I agree with Franck that the 1.4.8 release is very old, and it is interesting
that it doesn't happen on the debian lenny system with the 2.1.3 release.

One thing to note is that the "Total packet counters" output shows all of the
packets that psad has analyzed from the iptables log.  It is entirely possible
that the results of this analysis do not indicate any malicious activity, and
therefore psad does not report any scans (or other things).  Also, do you
have psad configured to import scan data from one execution to the next?
If so, then the data in the /var/log/psad/192.168.1.125/ directory might be
from a previous execution and imported by the currently running instance.

Either way, a lot of work has been done on the tracking code after 1.4.8,
so I would recommend trying a newer release (provided by Franck for Debian
systems).

Thanks,

--Mike
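A small diagnostic for the counter mismatch discussed above, added here as an example and not part of the thread or of psad's own code: it parses the per-source `_packet_ctr` lines and the `--Status` totals and reports where they disagree. The directory layout `/var/log/psad/<src>/<dst>_packet_ctr` and the line format are assumed from the single `tail` line quoted in the mail, and all sample data below is constructed.

```python
import re
from collections import defaultdict

# Constructed sample data: contents of two per-source counter files keyed by
# path. Layout and line format ("<chain>_<iface>_<proto>:  <count> [<lo>-<hi>]")
# are assumed from the one tail line quoted in the original mail.
COUNTER_FILES = {
    "/var/log/psad/192.168.1.125/192.168.1.130_packet_ctr":
        "INPUT_eth0_tcp:  1960 [1-65389]\n",
    "/var/log/psad/10.0.0.7/192.168.1.130_packet_ctr":
        "INPUT_eth0_tcp:  2400 [22-443]\nINPUT_eth0_udp:  192 [53-53]\n",
}

# Constructed excerpt in the shape of the psad --Status block quoted above.
STATUS_OUTPUT = """    Total packet counters:
        tcp:  3915
        udp:  192
        icmp: 0
"""

CTR_RE = re.compile(r"^(\S+?)_(\S+?)_(tcp|udp|icmp):\s+(\d+)\s+\[(\d+)-(\d+)\]")
STATUS_RE = re.compile(r"^\s+(tcp|udp|icmp):\s+(\d+)\s*$", re.M)


def parse_counter_file(text):
    """Parse one <dst>_packet_ctr file into (chain, iface, proto, count, lo, hi) rows."""
    rows = []
    for line in text.splitlines():
        m = CTR_RE.match(line.strip())
        if m:
            chain, iface, proto, count, lo, hi = m.groups()
            rows.append((chain, iface, proto, int(count), int(lo), int(hi)))
    return rows


def status_totals(text):
    """Extract the per-protocol 'Total packet counters' from --Status output."""
    return {proto: int(n) for proto, n in STATUS_RE.findall(text)}


def reconcile(counter_files, status_text):
    """Sum the per-source counters by protocol and compare with the status totals.
    Returns {proto: (from_files, from_status, from_files - from_status)}.
    A positive difference means the per-source directories carry more packets
    than this psad instance reports having analyzed, which is what counters
    imported from a previous run would look like."""
    per_proto = defaultdict(int)
    for text in counter_files.values():
        for _chain, _iface, proto, count, _lo, _hi in parse_counter_file(text):
            per_proto[proto] += count
    totals = status_totals(status_text)
    return {p: (per_proto.get(p, 0), totals.get(p, 0), per_proto.get(p, 0) - totals.get(p, 0))
            for p in sorted(set(per_proto) | set(totals))}
```

Run it against the real `/var/log/psad` tree by reading each `*_packet_ctr` file into the dictionary and pasting the current `psad --Status` output in place of the constructed excerpt.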


> Debian Lenny machine:
> Linux debianlenny 2.6.26-2-686 #1 SMP Sat Dec 26 09:01:51 UTC 2009 i686
> GNU/Linux
> [+] psad v2.1.3 (file revision: 2181)
> 
> I've installed psad using apt-get using the latest stable builds.
> 
> I'm hoping someone can give me some pointers on where I could look for
> this.


> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
