On Oct 15, 2012, Pui Edylie wrote:
> Dear Members,

Hello,

> I have started using psad with fwsnort and it is awesome!
>
> I have received alerts but they are not clear to me as it did not
> include the msg: field for the description.
>
> Right now I have to manually open up fwsnort.save to search for
> SID2013222 to figure out what it is.
>
> Is there any way we could include the info?

By default, psad parses Snort rules for the msg: field out of the
/etc/psad/snort_rules/ directory. I suspect that the signature SID2013222
is not contained within this directory - e.g. there is a difference
between the signatures running under fwsnort vs. those that psad knows
about. I should probably update psad to also parse signatures out of
/etc/fwsnort/snort_rules/, but in the meantime you could add the
signature to a file in the /etc/psad/snort_rules/ directory.

Thanks,

--Mike

> Thank you!
>
> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
>
> Danger level: [1] (out of 5)
>
> Scanned TCP ports: [55016: 3 packets]
> TCP flags: [ACK: 3 packets]
> iptables chain: FWSNORT_FORWARD_ESTAB (prefix "[929] SID2013222 ESTAB"), 3 packets
> fwsnort rule: 929
>
> Source: xxxxx
> DNS: xxxxxx
>
> Destination: xxxxx
> DNS: [No reverse dns info available]
>
> Overall scan start: Mon Oct 15 20:16:16 2012
> Total email alerts: 7
> Complete TCP range: [24722-55016]
> Syslog hostname: bgp2
>
> Global stats:
>             chain:    interface:   TCP:   UDP:   ICMP:
>             FORWARD   bond2        4      0      0
>
> [+] Whois Information (source IP):
> Unknown AS number or IP network. Please upgrade this program.
>
> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
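The lookup Mike describes above, resolving the SID embedded in an fwsnort log prefix such as "[929] SID2013222 ESTAB" to the msg: field of the matching Snort rule, written out as an added example. This is not psad's own code and not part of the thread; it assumes the two rules directories named in the reply (/etc/psad/snort_rules and /etc/fwsnort/snort_rules), the fwsnort prefix layout visible in the quoted alert, and a constructed rules file with hypothetical SIDs 9000001-9000003. SID 2013222 is deliberately left out of the sample rules so the script reproduces the situation in the thread: a prefix whose SID is absent from the directory psad reads yields no description.

```python
"""Map an fwsnort/psad iptables log prefix ("[929] SID2013222 ESTAB")
back to the msg: field of the Snort rule that produced it.

Added example, not psad's own code. The directory names, the prefix
layout and the sample rules below are assumptions for this illustration.
"""
import re
from pathlib import Path

# Snort rule options we need: msg:"..." (backslash escapes allowed inside
# the quotes) and sid:<number>;
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
# fwsnort's --log-prefix carries the SID as "SID<number>" after the rule index.
PREFIX_SID_RE = re.compile(r'\bSID(\d+)\b')

# Constructed sample rules: hypothetical SIDs and messages, not real signatures.
SAMPLE_RULES = r'''# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 55016 (msg:"EXAMPLE established-session probe"; flags:A; sid:9000001; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE msg with \"escaped quotes\""; content:"abc"; sid:9000002; rev:1;)
alert udp any any -> any 53 (content:"no msg here"; sid:9000003; rev:1;)
'''


def parse_rules(text):
    """Return {sid: msg} for every rule line that carries both options."""
    sid_to_msg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        msg_m = MSG_RE.search(line)
        if sid_m and msg_m:
            # Drop the backslashes from \" and \; so the text reads as written.
            msg = re.sub(r'\\(.)', r'\1', msg_m.group(1))
            sid_to_msg[int(sid_m.group(1))] = msg
    return sid_to_msg


def load_rules_dirs(dirs):
    """Merge sid->msg maps from every *.rules file under the given directories.

    Directories that do not exist are skipped, so a host with only one of
    psad or fwsnort installed still works.
    """
    merged = {}
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for rules_file in sorted(p.glob("*.rules")):
            merged.update(parse_rules(rules_file.read_text(errors="replace")))
    return merged


def sid_from_prefix(prefix):
    """Extract the SID from an fwsnort log prefix; None if the prefix has none."""
    m = PREFIX_SID_RE.search(prefix)
    return int(m.group(1)) if m else None


def describe(prefix, sid_to_msg):
    """Describe the prefix, or point at the rule that is missing from the rules dir."""
    sid = sid_from_prefix(prefix)
    if sid is None:
        return f"{prefix}: no SID in prefix"
    msg = sid_to_msg.get(sid)
    if msg is None:
        return (f"{prefix}: SID {sid} not found in loaded rules "
                f"(copy the fwsnort rule into psad's rules directory)")
    return f"{prefix}: {msg}"


if __name__ == "__main__":
    # Directories assumed from the reply above; fwsnort's is included so a
    # signature present only there is still resolved.
    rules = load_rules_dirs(["/etc/psad/snort_rules", "/etc/fwsnort/snort_rules"])
    rules.update(parse_rules(SAMPLE_RULES))  # constructed rules so the demo runs offline
    for p in ["[1] SID9000001 ESTAB", "[929] SID2013222 ESTAB", "DROP "]:
        print(describe(p, rules))
```

Run as-is it prints a description for the hypothetical SID 9000001, reports SID 2013222 as missing from the loaded rules (the symptom in the thread), and notes that a plain "DROP " prefix carries no SID at all. The msg: regex tolerates escaped quotes inside the string, which a naive split on `"` would truncate.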