Hi Michael!

I am trying to tie some fwsnort-generated rules into psad
so that, after their Netfilter log entry is encountered, an
automatic block is applied.

I've done a lot of troubleshooting, as well as read and
re-read the relevant sections in your "Linux Firewalls" book
(nice work on that, BTW!), but I can't seem to get it to
happen. Perhaps with your assistance I can get it to work
(or it can be tossed on a bug list). Thanks in advance!

To begin with, I let fwsnort inject this SID237-based test
rule into my iptables policy:

-A FWSNORT_FORWARD -p udp -m udp --dport 27444 -m string
--string "l44adsl" --algo bm -m comment --comment "sid:237;
msg:DDOS Trin00 Master to Daemon default password attempt;
classtype:attempted-dos; reference:arachnids,197; rev:2;
FWS:1.6.3;" -j LOG --log-ip-options --log-prefix "[10] SID237 "

I then, remotely, exercise the rule and the appropriate
log entry is created (most notably we see the "[9] SID237"
log-prefix):

[root@firewall ~]# grep SID237 /var/log/messages
Jun  6 11:11:11 firewall kernel: [80224.827665] [9] SID237 IN=eth1 OUT=
MAC=00:40:e8:c4:4a:f2:00:0b:b7:ef:4a:60:08:00 SRC=123.222.111.222
DST=111.222.33.44 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF PROTO=UDP
SPT=45320 DPT=27444 LEN=16 

Further, because I have:

SNORT_SID_STR               SID;

defined in psad.conf, psad also generates its own entries:

Jun  6 11:11:43 fw1 psad: src: 124.213.66.97 signature match: "DDOS Trin00
Master to Daemon default password attempt" (sid: 237) udp port: 27444 fwsnort
chain: FWSNORT_INPUT rule: 9
Jun  6 11:11:43 fw1 psad: scan detected: 124.213.66.97 -> 61.111.111.16 udp:
[27444] udp pkts: 2 DL: 2

That all seems fine. However, even with psad.conf configured like so:

ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       4;
AUTO_BLOCK_TIMEOUT          86400;
ENABLE_AUTO_IDS_REGEX       Y;
AUTO_BLOCK_REGEX            SID;  ### from fwsnort logging prefixes

I cannot get psad to initiate any banning action (unless I explicitly
add an entry to snort_rule_dl (which is not how I wish to handle
management)).

Any thoughts on what might be going on would be greatly appreciated!

Regards,

j
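As an added diagnostic (my own code, not part of the post and not psad's or fwsnort's own logic), the Python below parses the psad.conf fragment and the iptables LOG line quoted above and checks whether the configured AUTO_BLOCK_REGEX actually matches the logged message, pulling out the SID, source and destination port at the same time. It only verifies the regex side of the chain and does not reproduce psad's internal auto-block decision; the sample log and config strings are constructed from the values quoted in the post.

```python
import re

# Constructed sample input, copied from the post (IPs/MACs are the post's own
# sanitised placeholders, not real hosts).
SAMPLE_LOG = (
    "Jun  6 11:11:11 firewall kernel: [80224.827665] [9] SID237 IN=eth1 OUT= "
    "MAC=00:40:e8:c4:4a:f2:00:0b:b7:ef:4a:60:08:00 SRC=123.222.111.222 "
    "DST=111.222.33.44 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF PROTO=UDP "
    "SPT=45320 DPT=27444 LEN=16"
)

# Constructed psad.conf fragment, as quoted in the post.
SAMPLE_CONF = """\
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       4;
AUTO_BLOCK_TIMEOUT          86400;
ENABLE_AUTO_IDS_REGEX       Y;
AUTO_BLOCK_REGEX            SID;  ### from fwsnort logging prefixes
"""


def parse_psad_conf(text):
    """Parse 'KEY   value;' lines into a dict; text after '#' is a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s+(.*?);\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_iptables_log(line):
    """Split an iptables LOG line into its --log-prefix and KEY=VALUE fields.

    Note the second LEN= (UDP length) overwrites the first (IP length)."""
    m = re.search(r"kernel:\s*(?:\[\s*[\d.]+\])?\s*(.*?)\s*IN=", line)
    prefix = m.group(1) if m else ""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    sid = re.search(r"SID(\d+)", prefix)
    return {"prefix": prefix, "sid": int(sid.group(1)) if sid else None, **fields}


def auto_block_regex_matches(conf, line):
    """True if auto-blocking by regex is switched on and the regex hits this line."""
    if conf.get("ENABLE_AUTO_IDS") != "Y" or conf.get("ENABLE_AUTO_IDS_REGEX") != "Y":
        return False
    return re.search(conf.get("AUTO_BLOCK_REGEX", ""), line) is not None
```

If this returns True for a line that still produces no block, the regex is not the part of the chain to keep staring at.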

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss