Mike,

Late response is fine, everyone is busy :-)

A way to summarize would be awesome; our firewalls tend to have numerous 
external addresses.
I'll have a look at what I can do with the auto_dl file. My concern would be 
that we could end up missing something by assuming that if 1 is scanned they all 
are, or by excluding an address that gets hit.



----- Original Message -----
From: "Michael Rash" <m...@cipherdyne.org>
To: psad-discuss@lists.sourceforge.net
Sent: Thursday, 12 August, 2010 11:58:04 AM
Subject: Re: [psad-discuss] scans against firewall with multiple external ip addresses

On Aug 06, 2010, Rodney McKee wrote:

> What's the best way to deal with scans against firewalls with multiple 
> external addresses?
> At the moment I'm getting alerts for each external address individually.

(Sorry for the delayed response.)

Do you want to ignore some of the external addresses altogether?  Or
summarize them in some way?  If you want to ignore some of the addresses,
you can do this with the auto_dl file.  Beyond that, I'm not sure I know
of a good way to summarize things - basically psad just interprets what
the iptables policy produces in terms of log data.  You could restrict
logging via the policy as well.

Thanks,

--Mike

> 
> Cheers,
> Rodney
> 
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by 
> 
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev 
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss


-- 
Rodney McKee 

Linux systems administrator     Aconex 
The easy way to save time and money on your project 

696 Bourke Street, Melbourne 
Tel: +61 3 9240 0200 Fax: +61 3 9240 0299 
Email: rmc...@aconex.com www.aconex.com 
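
One way to get the per-source summary discussed in this thread without ignoring any external address, as an added example that is not from the thread participants and is not psad code: it parses iptables LOG lines directly and groups them by source. The log lines (trimmed, documentation address ranges), the `DROP ` log prefix, the address set and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, trimmed iptables LOG lines; the "DROP " prefix and the
# firewall's external addresses below are assumptions for this example.
SAMPLE_LOG = """\
Aug 12 11:58:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN
Aug 12 11:58:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=22 SYN
Aug 12 11:58:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=23 SYN
Aug 12 11:58:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.11 LEN=60 TTL=49 PROTO=TCP SPT=51000 DPT=3389 SYN
Aug 12 11:58:06 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.11 LEN=60 TTL=49 PROTO=UDP SPT=51001 DPT=161
Aug 12 11:58:09 fw kernel: usb 1-1: new high-speed USB device
"""

EXTERNAL_ADDRS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def summarize(log_text, external=EXTERNAL_ADDRS):
    """Group logged packets by source; keep every external DST that was hit."""
    by_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "ports": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if "SRC" not in f or f.get("DST") not in external:
            continue  # not a packet log line, or not one of our addresses
        entry = by_src[f["SRC"]]
        entry["packets"] += 1
        entry["dsts"].add(f["DST"])
        if "DPT" in f:  # ICMP lines carry no DPT field
            entry["ports"].add((f.get("PROTO", "?"), int(f["DPT"])))
    return dict(by_src)

def report(summary, external=EXTERNAL_ADDRS):
    """One line per source, listing hit and untouched external addresses."""
    lines = []
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        untouched = sorted(external - e["dsts"])
        ports = ",".join(f"{p}/{n}" for p, n in sorted(e["ports"]))
        lines.append(f"{src}: {e['packets']} pkts -> {len(e['dsts'])}/{len(external)} "
                     f"external addrs {sorted(e['dsts'])}; ports {ports}; "
                     f"not hit: {untouched or 'none'}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Because each source keeps its own set of destinations, a sweep across all external addresses collapses to one line while a probe against a single address is still reported separately.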

        
        This email and any attachments are intended solely for the addressee. 
The contents may be privileged, confidential and/or subject to copyright or 
other applicable law. 
No confidentiality or privilege is lost by an erroneous transmission. If you 
have received this e-mail in error, please let us know by reply e-mail and 
delete or destroy 
this mail and all copies. If you are not the intended recipient of this message 
you must not disseminate, copy or take any action in reliance on it. The sender 
takes no 
responsibility for the effect of this message upon the recipient's computer 
system. 














------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev 
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss

Reply via email to