On Thu, Jun 06, 2013 at 11:30:50PM -0400, Michael Rash wrote: > > ENABLE_AUTO_IDS Y; > > AUTO_IDS_DANGER_LEVEL 4; > > AUTO_BLOCK_TIMEOUT 86400; > > ENABLE_AUTO_IDS_REGEX Y; > > AUTO_BLOCK_REGEX SID; ### from fwsnort logging prefixes > > > > I cannot get psad to initiate any banning action (unless I explicitly > > add an entry to snort_rule_dl (which is not how I wish to handle > > management)). > > > > Any thoughts on what might be going on would be greatly appreciated! > > I believe the issue is that the AUTO_IDS_DANGER_LEVEL is too high for > what you want here. The scan log message above shows that psad has > assigned a danger level of 2 as a result of the Snort rule match. But, > the AUTO_IDS_DANGER_LEVEL variable provides a way for you to set the > minimum danger level that a scan or attack must reach before the source > IP is blocked. If you set this variable to 2, then I think it should > work.
Advertising
You are right -- I was interpretting these, and hoping to use them, as two independent features rather than not. A "blanket banning" ability seems useful since the correct danger levels of a port scan don't necessarily reflect the nature or correct levels of an attack. The snort_rule_dl functionality does help close this gap (since you can then effectively say "This didn't trigger a danger level since it's only 1 or 2 packets, but it sure is worrisome so let's make sure it gets elevated + banned"), however, as your ruleset grows, it becomes less practical to add and manage one-to-one mappings. I wonder, then, what sort of best practice or sweet spot exists. fwsnort, for example, ships with over 2800 snort rules and the emergingthreats ruleset is crazy at over 12000. Of course, only 60-70% of these will translate, and perhaps there's some (or a lot) of overkill in these, but still. Any thoughts or advice? Thanks again! ------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. A cloud service to automate IT design, transition and operations 2. Dashboards that offer high-level views of enterprise services 3. A single system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j _______________________________________________ psad-discuss mailing list psad-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/psad-discuss
