On Jun 06, 2013, Jeremiah Rothschild wrote:

> Hi Michael!

Hello Jeremiah,

> I am trying to tie some fwsnort-generated rules into psad
> so that, after their Netfilter log entry is encountered, an
> automatic block is applied.


> I've done a lot of troubleshooting, as well as read and
> re-read the relevant sections in your "Linux Firewalls" book
> (nice work on that, BTW!), but I can't seem to get it to
> happen. Perhaps with your assistance I can get it to work
> (or it can be tossed on a bug list). Thanks in advance!
> To begin with, I let fwsnort inject this SID237-based test
> rule into my iptables policy:
> -A FWSNORT_FORWARD -p udp -m udp --dport 27444 -m string
> --string "l44adsl" --algo bm -m comment --comment "sid:237;
> msg:DDOS Trin00 Master to Daemon default password attempt;
> classtype:attempted-dos; reference:arachnids,197; rev:2;
> FWS:1.6.3;" -j LOG --log-ip-options --log-prefix "[10] SID237 "
> I then, remotely, exercise the rule and the appropriate
> log entry is created (most notably we see the "[9] SID237"
> log-prefix):
> [root@firewall ~]# grep SID237 /var/log/messages
> Jun  6 11:11:11 firewall kernel: [80224.827665] [9] SID237 IN=eth1 OUT=
> MAC=00:40:e8:c4:4a:f2:00:0b:b7:ef:4a:60:08:00 SRC=
> DST= LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF PROTO=UDP
> SPT=45320 DPT=27444 LEN=16 

That looks good - the iptables policy is working and string matching is
happening based on the translated snort rule.

> Further, because I have:
> SNORT_SID_STR               SID;
> defined in psad.conf, psad also generates its own entries:
> Jun  6 11:11:43 fw1 psad: src: signature match: "DDOS Trin00
> Master to Daemon default password attempt" (sid: 237) udp port: 27444 fwsnort
> chain: FWSNORT_INPUT rule: 9

This looks good too since psad detects the snort rule match in the
iptables log message.

> Jun  6 11:11:43 fw1 psad: scan detected: -> udp:
> [27444] udp pkts: 2 DL: 2
> That all seems fine. However, even with psad.conf configured as so:
> ENABLE_AUTO_IDS             Y;
> AUTO_BLOCK_TIMEOUT          86400;
> AUTO_BLOCK_REGEX            SID;  ### from fwsnort logging prefixes
> I cannot get psad to initiate any banning action (unless I explicitly
> add an entry to snort_rule_dl (which is not how I wish to handle
> management)).
> Any thoughts on what might be going on would be greatly appreciated!

I believe the issue is that the AUTO_IDS_DANGER_LEVEL is too high for
what you want here.  The scan log message above shows that psad has
assigned a danger level of 2 as a result of the Snort rule match.  But,
the AUTO_IDS_DANGER_LEVEL variable provides a way for you to set the
minimum danger level that a scan or attack must reach before the source
IP is blocked.  If you set this variable to 2, then I think it should



> Regards,
> j

How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
psad-discuss mailing list

Reply via email to