On Jun 06, 2013, Jeremiah Rothschild wrote:

> Hi Michael!

Hello Jeremiah,

> I am trying to tie some fwsnort-generated rules into psad
> so that, after their Netfilter log entry is encountered, an
> automatic block is applied.

Understood.

> I've done a lot of troubleshooting, as well as read and
> re-read the relevant sections in your "Linux Firewalls" book
> (nice work on that, BTW!), but I can't seem to get it to
> happen. Perhaps with your assistance I can get it to work
> (or it can be tossed on a bug list). Thanks in advance!
> 
> To begin with, I let fwsnort inject this SID237-based test
> rule into my iptables policy:
> 
> -A FWSNORT_FORWARD -p udp -m udp --dport 27444 -m string
> --string "l44adsl" --algo bm -m comment --comment "sid:237;
> msg:DDOS Trin00 Master to Daemon default password attempt;
> classtype:attempted-dos; reference:arachnids,197; rev:2;
> FWS:1.6.3;" -j LOG --log-ip-options --log-prefix "[10] SID237 "
> 
> I then, remotely, exercise the rule and the appropriate
> log entry is created (most notably we see the "[9] SID237"
> log-prefix):
> 
> [root@firewall ~]# grep SID237 /var/log/messages
> Jun  6 11:11:11 firewall kernel: [80224.827665] [9] SID237 IN=eth1 OUT=
> MAC=00:40:e8:c4:4a:f2:00:0b:b7:ef:4a:60:08:00 SRC=123.222.111.222
> DST=111.222.33.44 LEN=36 TOS=0x00 PREC=0x00 TTL=45 ID=65214 DF PROTO=UDP
> SPT=45320 DPT=27444 LEN=16 

That looks good - the iptables policy is working and string matching is
happening based on the translated snort rule.

> Further, because I have:
> 
> SNORT_SID_STR               SID;
> 
> defined in psad.conf, psad also generates its own entries:
> 
> Jun  6 11:11:43 fw1 psad: src: 124.213.66.97 signature match: "DDOS Trin00
> Master to Daemon default password attempt" (sid: 237) udp port: 27444 fwsnort
> chain: FWSNORT_INPUT rule: 9

This looks good too since psad detects the snort rule match in the
iptables log message.

> Jun  6 11:11:43 fw1 psad: scan detected: 124.213.66.97 -> 61.111.111.16 udp:
> [27444] udp pkts: 2 DL: 2
> 
> That all seems fine. However, even with psad.conf configured as so:
> 
> ENABLE_AUTO_IDS             Y;
> AUTO_IDS_DANGER_LEVEL       4;
> AUTO_BLOCK_TIMEOUT          86400;
> ENABLE_AUTO_IDS_REGEX       Y;
> AUTO_BLOCK_REGEX            SID;  ### from fwsnort logging prefixes
> 
> I cannot get psad to initiate any banning action (unless I explicitly
> add an entry to snort_rule_dl (which is not how I wish to handle
> management)).
> 
> Any thoughts on what might be going on would be greatly appreciated!

I believe the issue is that the AUTO_IDS_DANGER_LEVEL is too high for
what you want here.  The scan log message above shows that psad has
assigned a danger level of 2 as a result of the Snort rule match.  But,
the AUTO_IDS_DANGER_LEVEL variable provides a way for you to set the
minimum danger level that a scan or attack must reach before the source
IP is blocked.  If you set this variable to 2, then I think it should
work.

Thanks,

--Mike

> Regards,
> 
> j
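To make the threshold point in the reply concrete, here is a small added illustration (not psad's own code) that parses a psad "scan detected" line like the one quoted above and applies the auto-block decision the thread describes: auto-blocking enabled, the scan's DL at or above AUTO_IDS_DANGER_LEVEL, and AUTO_BLOCK_REGEX matching the iptables log message when ENABLE_AUTO_IDS_REGEX is on. The log lines are constructed from the ones in the thread and the decision logic is a simplified model, not psad's full implementation.

```python
import re

# Constructed sample lines modelled on the ones quoted in the thread (not real traffic).
KERNEL_LOG = (
    "Jun  6 11:11:11 firewall kernel: [80224.827665] [9] SID237 IN=eth1 OUT= "
    "SRC=123.222.111.222 DST=111.222.33.44 LEN=36 PROTO=UDP SPT=45320 DPT=27444 LEN=16"
)
PSAD_SCAN_LOG = (
    "Jun  6 11:11:43 fw1 psad: scan detected: 124.213.66.97 -> 61.111.111.16 udp: "
    "[27444] udp pkts: 2 DL: 2"
)

# Fields of a psad "scan detected" message, including the assigned danger level (DL).
SCAN_RE = re.compile(
    r"psad: scan detected: (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\w+): "
    r"\[(?P<ports>[^\]]*)\].*\bDL: (?P<dl>\d+)"
)

def parse_scan(line):
    """Return the fields of a psad 'scan detected' line as a dict, or None."""
    m = SCAN_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dl"] = int(fields["dl"])
    return fields

def would_auto_block(scan_line, kernel_line, conf):
    """Simplified model (assumption, not psad's real code) of the decision in the thread:
    ENABLE_AUTO_IDS must be Y, the scan's DL must reach AUTO_IDS_DANGER_LEVEL, and when
    ENABLE_AUTO_IDS_REGEX is Y, AUTO_BLOCK_REGEX must match the iptables log message."""
    if conf.get("ENABLE_AUTO_IDS") != "Y":
        return False
    scan = parse_scan(scan_line)
    if scan is None or scan["dl"] < int(conf["AUTO_IDS_DANGER_LEVEL"]):
        return False  # danger level below the configured minimum: no block
    if conf.get("ENABLE_AUTO_IDS_REGEX") == "Y":
        return re.search(conf["AUTO_BLOCK_REGEX"], kernel_line) is not None
    return True

def decision(threshold):
    """Evaluate the thread's psad.conf settings with a given AUTO_IDS_DANGER_LEVEL."""
    conf = {"ENABLE_AUTO_IDS": "Y", "AUTO_IDS_DANGER_LEVEL": threshold,
            "ENABLE_AUTO_IDS_REGEX": "Y", "AUTO_BLOCK_REGEX": "SID"}
    return would_auto_block(PSAD_SCAN_LOG, KERNEL_LOG, conf)

if __name__ == "__main__":
    for t in (4, 2):
        print(f"AUTO_IDS_DANGER_LEVEL {t}: block={decision(t)}")
```

With the original setting of 4 the DL 2 scan is never blocked; lowering it to 2, as suggested in the reply, is what lets the SID237 match trigger a block.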

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss