Mike,

Late response is fine, everyone is busy :-)

A way to summarize would be awesome, our firewalls tend to have numerous external addresses. I'll have a look at what I can do with the auto_dl file. My concern would be that we could end up missing something by assuming if 1 is scanned they all are or excluding an address that gets hit.

----- Original Message -----
From: "Michael Rash" <m...@cipherdyne.org>
To: psad-discuss@lists.sourceforge.net
Sent: Thursday, 12 August, 2010 11:58:04 AM
Subject: Re: [psad-discuss] scans against firewall with multiple external ip addresses

On Aug 06, 2010, Rodney McKee wrote:

> What's the best way to deal with scans against firewalls with multiple
> external addresses?
> At the moment I'm getting alerts for each external address individually.

(Sorry for the delayed response.) Do you want to ignore some of the external addresses altogether? Or summarize them in some way? If you want to ignore some of the addresses, you can do this with the auto_dl file. Beyond that, I'm not sure I know of a good way to summarize things - basically psad just interprets what the iptables policy produces in terms of log data. You could restrict logging via the policy as well.

Thanks,

--Mike

>
> Cheers,
> Rodney
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss

--
Rodney McKee
Linux systems administrator
Aconex
The easy way to save time and money on your project
696 Bourke Street, Melbourne
Tel: +61 3 9240 0200 Fax: +61 3 9240 0299
Email: rmc...@aconex.com
www.aconex.com
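
Added example, not part of the thread and not psad code: one way to get the summary discussed above is to post-process the same iptables log data psad reads, grouping by source address while recording exactly which external addresses each source hit, so no address is assumed scanned or silently excluded. The addresses, log lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# key=value fields as written by the iptables LOG target
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: one firewall with three external addresses (documentation ranges)
EXTERNAL = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
SAMPLE_LOG = """\
Aug 12 11:50:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN
Aug 12 11:50:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=40113 DPT=22 SYN
Aug 12 11:50:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=40114 DPT=23 SYN
Aug 12 11:50:09 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.12 LEN=71 PROTO=UDP SPT=5353 DPT=161
Aug 12 11:51:00 fw sshd[811]: Accepted publickey for admin
Aug 12 11:51:05 fw kernel: DROP IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40115 DPT=80 SYN
""".splitlines()

def summarize(lines, external):
    """Group logged packets by source; record exactly which external addresses were hit."""
    by_src = defaultdict(lambda: {"dsts": set(), "ports": set(), "packets": 0})
    for line in lines:
        f = dict(FIELD.findall(line))
        if "SRC" not in f or f.get("DST") not in external:
            continue  # not an iptables log line, or not aimed at one of our addresses
        entry = by_src[f["SRC"]]
        entry["dsts"].add(f["DST"])
        entry["packets"] += 1
        if "DPT" in f:  # ICMP entries carry no DPT field
            entry["ports"].add((f.get("PROTO"), int(f["DPT"])))
    return dict(by_src)

def digest(summary, external):
    """One line per source, naming hit and untouched addresses instead of assuming all."""
    out = []
    for src, e in sorted(summary.items()):
        missed = sorted(external - e["dsts"])
        out.append(f"{src}: {e['packets']} pkts, {len(e['ports'])} ports, "
                   f"hit {sorted(e['dsts'])}, not hit {missed}")
    return out

if __name__ == "__main__":
    print("\n".join(digest(summarize(SAMPLE_LOG, EXTERNAL), EXTERNAL)))
```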