On Nov 26, 2012, Naji Mouawad wrote:
> I've got PSAD installed and in the last 24 hours it has produced 1,000+
> emails. I can't keep up with so many alerts and need to sanitize this
> somehow.
>
> 1. Considering raising EMAIL ALERT DANGER LEVEL to 3. Any serious cons?
> 2. Considering setting noemail to prevent PSAD from sending an email. Is
> there a way to run some cron job on the hour to produce a digest for PSAD?
>
> These may be the wrong way to go about this. Any suggestions appreciated.
While you can set EMAIL_ALERT_DANGER_LEVEL to 3 or higher, I would recommend first that you audit the iptables policy itself. It should be configured to only log packets that should not be accepted as a part of normal operations. For example, it is possible to configure iptables to log packets that are part of established TCP connections, but this is probably not what you want (except in more advanced configurations where string matching for malicious application layer data is involved). So, basically it is recommended to:

- Have a state tracking rule towards the top of each built-in chain in the filter table - here is an example for the INPUT chain:

    # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

- Then have your ACCEPT rules for allowed incoming connections to services that you run in the INPUT chain, and ACCEPT rules for outbound connections that you want to initiate from the local system in the OUTPUT chain. If your Linux system is functioning as a gateway device, then you'll need to configure NAT along with filtering rules in the FORWARD chain.

- LOG and DROP everything else.

There is a firewall setup script available at the following link that does the steps described above (you'll need to customize the services that you want to allow if you use it):

http://www.cipherdyne.org/LinuxFirewalls/ch01/iptables.sh.tar.gz

With iptables configured in this way, the log data burden should be more reasonable I'm guessing.

Thanks,

--Mike

> Thanks!
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss