On Jun 06, 2013, Jeremiah Rothschild wrote:
> Hi Michael!
> I am trying to tie some fwsnort-generated rules into psad
> so that, after their Netfilter log entry is encountered, an
> automatic block is applied.
> I've done a lot of troubleshooting, as well as read and
> re-read the relevant sections in your "Linux Firewalls" book
> (nice work on that, BTW!), but I can't seem to get it to
> happen. Perhaps with your assistance I can get it to work
> (or it can be tossed on a bug list). Thanks in advance!
> To begin with, I let fwsnort inject this SID237-based test
> rule into my iptables policy:
> -A FWSNORT_FORWARD -p udp -m udp --dport 27444 -m string
> --string "l44adsl" --algo bm -m comment --comment "sid:237;
> msg:DDOS Trin00 Master to Daemon default password attempt;
> classtype:attempted-dos; reference:arachnids,197; rev:2;
> FWS:1.6.3;" -j LOG --log-ip-options --log-prefix " SID237 "
> I then, remotely, exercise the rule and the appropriate
> log entry is created (most notably we see the " SID237"
> [root@firewall ~]# grep SID237 /var/log/messages
> Jun 6 11:11:11 firewall kernel: [80224.827665]  SID237 IN=eth1 OUT=
> MAC=00:40:e8:c4:4a:f2:00:0b:b7:ef:4a:60:08:00 SRC=184.108.40.206
> DST=220.127.116.11 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF PROTO=UDP
> SPT=45320 DPT=27444 LEN=16
That looks good - the iptables policy is working and string matching is
happening based on the translated snort rule.
> Further, because I have:
> SNORT_SID_STR SID;
> defined in psad.conf, psad also generates its own entries:
> Jun 6 11:11:43 fw1 psad: src: 18.104.22.168 signature match: "DDOS Trin00
> Master to Daemon default password attempt" (sid: 237) udp port: 27444 fwsnort
> chain: FWSNORT_INPUT rule: 9
This looks good too since psad detects the snort rule match in the
iptables log message.
> Jun 6 11:11:43 fw1 psad: scan detected: 22.214.171.124 -> 126.96.36.199 udp:
>  udp pkts: 2 DL: 2
> That all seems fine. However, even with psad.conf configured as so:
> ENABLE_AUTO_IDS Y;
> AUTO_IDS_DANGER_LEVEL 4;
> AUTO_BLOCK_TIMEOUT 86400;
> ENABLE_AUTO_IDS_REGEX Y;
> AUTO_BLOCK_REGEX SID; ### from fwsnort logging prefixes
> I cannot get psad to initiate any banning action (unless I explicitly
> add an entry to snort_rule_dl (which is not how I wish to handle
> Any thoughts on what might be going on would be greatly appreciated!
I believe the issue is that the AUTO_IDS_DANGER_LEVEL is too high for
what you want here. The scan log message above shows that psad has
assigned a danger level of 2 as a result of the Snort rule match. But,
the AUTO_IDS_DANGER_LEVEL variable provides a way for you to set the
minimum danger level that a scan or attack must reach before the source
IP is blocked. If you set this variable to 2, then I think it should
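To make the threshold logic in the reply concrete, here is an added example (not psad's own code) that parses psad.conf-style "KEY VALUE;" lines and the quoted "scan detected" log line, then checks the assigned DL against AUTO_IDS_DANGER_LEVEL; the sample config and log line are constructed from the values in this thread, and the regex-based blocking path is deliberately not modelled.

```python
# Added example (not psad's code): a simplified model of the danger-level
# threshold described above. psad.conf-style "KEY VALUE;" lines and the
# "scan detected" log line are parsed, then the DL psad assigned to the
# source IP is compared against the configured AUTO_IDS_DANGER_LEVEL.
import re

# Constructed sample config, mirroring the values quoted in the thread.
PSAD_CONF = """\
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 4;
AUTO_BLOCK_TIMEOUT 86400;
ENABLE_AUTO_IDS_REGEX Y;
AUTO_BLOCK_REGEX SID; ### from fwsnort logging prefixes
"""

# Constructed sample log line in the format shown in the thread.
SCAN_LOG = ("Jun 6 11:11:43 fw1 psad: scan detected: 22.214.171.124 -> "
            "126.96.36.199 udp:  udp pkts: 2 DL: 2")

CONF_RE = re.compile(r"^\s*([A-Z_]+)\s+([^;#]+?)\s*;")
SCAN_RE = re.compile(r"scan detected: (\S+) -> (\S+) .*?DL: (\d+)")

def parse_conf(text):
    """Return {KEY: value} for every 'KEY VALUE;' line, ignoring ### comments."""
    conf = {}
    for line in text.splitlines():
        m = CONF_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_scan(line):
    """Extract (src, dst, danger_level) from a psad 'scan detected' message."""
    m = SCAN_RE.search(line)
    if not m:
        raise ValueError("not a psad scan-detected line")
    return m.group(1), m.group(2), int(m.group(3))

def should_block(conf, danger_level):
    """True when auto-blocking is enabled and DL reaches AUTO_IDS_DANGER_LEVEL.
    This models only the threshold rule from the reply, not psad's full logic."""
    if conf.get("ENABLE_AUTO_IDS") != "Y":
        return False
    return danger_level >= int(conf["AUTO_IDS_DANGER_LEVEL"])

if __name__ == "__main__":
    conf = parse_conf(PSAD_CONF)
    src, dst, dl = parse_scan(SCAN_LOG)
    print(f"{src}: DL={dl} threshold={conf['AUTO_IDS_DANGER_LEVEL']} block={should_block(conf, dl)}")
    conf["AUTO_IDS_DANGER_LEVEL"] = "2"   # the change suggested in the reply
    print(f"{src}: DL={dl} threshold=2 block={should_block(conf, dl)}")
```

With the quoted config the DL of 2 falls short of the threshold of 4, so no block is issued; lowering the threshold to 2 flips the decision.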
psad-discuss mailing list