Hi Michael! I am trying to tie some fwsnort-generated rules into psad so that, after their Netfilter log entry is encountered, an automatic block is applied.
I've done a lot of troubleshooting, as well as read and re-read the relevant sections in your "Linux Firewalls" book (nice work on that, BTW!), but I can't seem to get it to happen. Perhaps with your assistance I can get it to work (or it can be tossed on a bug list). Thanks in advance!

To begin with, I let fwsnort inject this SID237-based test rule into my iptables policy:

    -A FWSNORT_FORWARD -p udp -m udp --dport 27444 -m string --string "l44adsl" --algo bm -m comment --comment "sid:237; msg:DDOS Trin00 Master to Daemon default password attempt; classtype:attempted-dos; reference:arachnids,197; rev:2; FWS:1.6.3;" -j LOG --log-ip-options --log-prefix "[10] SID237 "

I then, remotely, exercise the rule and the appropriate log entry is created (most notably we see the "[9] SID237" log-prefix):

    [root@firewall ~]# grep SID237 /var/log/messages
    Jun 6 11:11:11 firewall kernel: [80224.827665] [9] SID237 IN=eth1 OUT= MAC=00:40:e8:c4:4a:f2:00:0b:b7:ef:4a:60:08:00 SRC=123.222.111.222 DST=111.222.33.44 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF PROTO=UDP SPT=45320 DPT=27444 LEN=16

Further, because I have:

    SNORT_SID_STR SID;

defined in psad.conf, psad also generates its own entries:

    Jun 6 11:11:43 fw1 psad: src: 124.213.66.97 signature match: "DDOS Trin00 Master to Daemon default password attempt" (sid: 237) udp port: 27444 fwsnort chain: FWSNORT_INPUT rule: 9
    Jun 6 11:11:43 fw1 psad: scan detected: 124.213.66.97 -> 61.111.111.16 udp: [27444] udp pkts: 2 DL: 2

That all seems fine. However, even with psad.conf configured like so:

    ENABLE_AUTO_IDS Y;
    AUTO_IDS_DANGER_LEVEL 4;
    AUTO_BLOCK_TIMEOUT 86400;
    ENABLE_AUTO_IDS_REGEX Y;
    AUTO_BLOCK_REGEX SID; ### from fwsnort logging prefixes

I cannot get psad to initiate any banning action (unless I explicitly add an entry to snort_rule_dl, which is not how I wish to handle management). Any thoughts on what might be going on would be greatly appreciated!
Regards,
j

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
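A first debugging step for a setup like the one in the post is to check exactly which log prefix reaches the parser and whether the configured AUTO_BLOCK_REGEX matches it. The following is an added example, not code from psad or fwsnort: it parses a Netfilter LOG line of the kind quoted above into its prefix and key=value fields, pulls the fwsnort rule number and SID out of the prefix, and applies the regex as a plain Python re.search (a simplified stand-in for psad's own matching, which this example does not reproduce). The sample line is re-typed from the post.

```python
import re

# Sample line re-typed from the kernel LOG entry quoted in the post.
SAMPLE_LOG = ('Jun 6 11:11:11 firewall kernel: [80224.827665] [9] SID237 IN=eth1 OUT= '
              'MAC=00:40:e8:c4:4a:f2:00:0b:b7:ef:4a:60:08:00 SRC=123.222.111.222 '
              'DST=111.222.33.44 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF '
              'PROTO=UDP SPT=45320 DPT=27444 LEN=16')

# "kernel: [uptime] <log-prefix> IN=..." : the --log-prefix text is everything
# between the bracketed uptime stamp and the first IN= field.
LOG_RE = re.compile(r'kernel: \[\s*\d+\.\d+\] (?P<prefix>.*?)\s*(?P<fields>IN=.*)$')
# fwsnort prefixes look like "[<rule number>] SID<sid>".
PREFIX_RE = re.compile(r'^\[(?P<rule>\d+)\] SID(?P<sid>\d+)$')


def parse_netfilter_log(line):
    """Split a Netfilter LOG line into its prefix, key=value fields and bare flags."""
    m = LOG_RE.search(line)
    if not m:
        return None                      # not a kernel LOG line (e.g. a psad line)
    fields, flags = {}, []
    for tok in m.group('fields').split():
        if '=' in tok:
            key, val = tok.split('=', 1)
            # LEN appears twice (IP total length, then UDP length); keep the IP one.
            fields.setdefault(key, val)
        else:
            flags.append(tok)            # bare tokens such as DF
    return {'prefix': m.group('prefix'), 'fields': fields, 'flags': flags}


def fwsnort_prefix_info(prefix):
    """Return (rule_number, sid) from an fwsnort "[N] SIDnnn" prefix, or None."""
    m = PREFIX_RE.match(prefix)
    if not m:
        return None
    return int(m.group('rule')), int(m.group('sid'))


def auto_block_regex_matches(prefix, regex='SID'):
    """Simplified stand-in for the AUTO_BLOCK_REGEX test: plain re.search on the prefix."""
    return re.search(regex, prefix) is not None


if __name__ == '__main__':
    parsed = parse_netfilter_log(SAMPLE_LOG)
    print(parsed['prefix'], fwsnort_prefix_info(parsed['prefix']),
          parsed['fields']['SRC'], parsed['fields']['DPT'],
          auto_block_regex_matches(parsed['prefix'], 'SID'))
```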