I am trying to tie some fwsnort-generated rules into psad
so that, after their Netfilter log entry is encountered, an
automatic block is applied.
I've done a lot of troubleshooting, as well as read and
re-read the relevant sections in your "Linux Firewalls" book
(nice work on that, BTW!), but I can't seem to get it to
happen. Perhaps with your assistance I can get it to work
(or it can be tossed on a bug list). Thanks in advance!
To begin with, I let fwsnort inject this SID237-based test
rule into my iptables policy:
-A FWSNORT_FORWARD -p udp -m udp --dport 27444 -m string
--string "l44adsl" --algo bm -m comment --comment "sid:237;
msg:DDOS Trin00 Master to Daemon default password attempt;
classtype:attempted-dos; reference:arachnids,197; rev:2;
FWS:1.6.3;" -j LOG --log-ip-options --log-prefix " SID237 "
I then, remotely, exercise the rule and the appropriate
log entry is created (most notably we see the " SID237"
[root@firewall ~]# grep SID237 /var/log/messages
Jun 6 11:11:11 firewall kernel: [80224.827665]  SID237 IN=eth1 OUT=
DST=220.127.116.11 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF PROTO=UDP
SPT=45320 DPT=27444 LEN=16
Further, because I have:
defined in psad.conf, psad also generates its own entries:
Jun 6 11:11:43 fw1 psad: src: 18.104.22.168 signature match: "DDOS Trin00
Master to Daemon default password attempt" (sid: 237) udp port: 27444 fwsnort
chain: FWSNORT_INPUT rule: 9
Jun 6 11:11:43 fw1 psad: scan detected: 22.214.171.124 -> 126.96.36.199 udp:
 udp pkts: 2 DL: 2
That all seems fine. However, even with psad.conf configured like so:
AUTO_BLOCK_REGEX SID; ### from fwsnort logging prefixes
I cannot get psad to initiate any banning action (unless I explicitly
add an entry to snort_rule_dl (which is not how I wish to handle
Any thoughts on what might be going on would be greatly appreciated!
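As an added illustration (not code from the post, and not psad's own code): a small Python check that pulls the --log-prefix out of a Netfilter LOG line and tests the AUTO_BLOCK_REGEX value from psad.conf against it, which separates "the regex does not match the prefix" from "the auto-block path never ran". The sample log line and its RFC 5737 addresses are constructed, and the assumption that the regex is applied to the stripped log prefix is mine, not something the post establishes.

```python
import re

# Constructed sample, modelled on the kernel log entry quoted in the post.
# SRC/DST use documentation addresses (RFC 5737); they are not from the post.
SAMPLE_LINE = (
    "Jun 6 11:11:11 firewall kernel: [80224.827665]  SID237 IN=eth1 OUT= "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF "
    "PROTO=UDP SPT=45320 DPT=27444 LEN=16"
)

# The psad.conf line exactly as it appears in the post.
CONF_LINE = "AUTO_BLOCK_REGEX SID; ### from fwsnort logging prefixes"

# Everything between the kernel timestamp and the first "IN=" is the log prefix.
_LOG_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)\s*IN=")


def parse_netfilter_log(line):
    """Split a Netfilter LOG line into its --log-prefix and its KEY=VALUE fields.

    Returns None for lines that are not Netfilter LOG output (e.g. psad's own).
    """
    m = _LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line[m.start("prefix"):]))
    return {"prefix": m.group("prefix").strip(), "fields": fields}


def read_regex_value(conf_line):
    """Extract the regex from an 'AUTO_BLOCK_REGEX <value>;' line, ignoring ### comments."""
    body = conf_line.split("###", 1)[0].strip()
    key, _, value = body.partition(" ")
    if key != "AUTO_BLOCK_REGEX":
        raise ValueError("not an AUTO_BLOCK_REGEX line")
    return value.strip().rstrip(";").strip()


def prefix_matches(line, conf_line):
    """True when the configured regex matches the (whitespace-stripped) log prefix.

    Assumption: this mirrors how psad applies AUTO_BLOCK_REGEX to the prefix.
    """
    parsed = parse_netfilter_log(line)
    if parsed is None:
        return False
    return re.search(read_regex_value(conf_line), parsed["prefix"]) is not None
```

If this returns True for your line and psad still does not block, the regex is not the problem; look at the auto-block settings elsewhere in psad.conf instead.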
psad-discuss mailing list