On Thu, Jun 06, 2013 at 11:30:50PM -0400, Michael Rash wrote:
> > ENABLE_AUTO_IDS             Y;
> > AUTO_BLOCK_TIMEOUT          86400;
> > AUTO_BLOCK_REGEX            SID;  ### from fwsnort logging prefixes
> > 
> > I cannot get psad to initiate any banning action (unless I explicitly
> > add an entry to snort_rule_dl (which is not how I wish to handle
> > management)).
> > 
> > Any thoughts on what might be going on would be greatly appreciated!
> I believe the issue is that the AUTO_IDS_DANGER_LEVEL is too high for
> what you want here.  The scan log message above shows that psad has
> assigned a danger level of 2 as a result of the Snort rule match.  But,
> the AUTO_IDS_DANGER_LEVEL variable provides a way for you to set the
> minimum danger level that a scan or attack must reach before the source
> IP is blocked.  If you set this variable to 2, then I think it should
> work.

You are right -- I was interpreting these, and hoping to use them, as
two independent features rather than not.

A "blanket banning" ability seems useful since the correct danger
levels of a port scan don't necessarily reflect the nature or correct
levels of an attack. The snort_rule_dl functionality does help close
this gap (since you can then effectively say "This didn't trigger
a danger level since it's only 1 or 2 packets, but it sure is
worrisome so let's make sure it gets elevated + banned"), however,
as your ruleset grows, it becomes less practical to add and manage
one-to-one mappings.

I wonder, then, what sort of best practice or sweet spot exists.
fwsnort, for example, ships with over 2800 snort rules and the
emergingthreats ruleset is crazy at over 12000. Of course, only
60-70% of these will translate, and perhaps there's some (or a lot)
of overkill in these, but still.

Any thoughts or advice?

Thanks again!
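To make the interaction discussed in this thread concrete, here is an added example (not psad's own code, and not from either poster) that simulates the auto-block decision: the scan's danger level, optionally raised by a snort_rule_dl entry for the matched SID, is compared against AUTO_IDS_DANGER_LEVEL, and the log line must also match AUTO_BLOCK_REGEX. The psad.conf fragment, the snort_rule_dl layout ("<sid> <danger level>;") and the fwsnort-style log line are all constructed assumptions for illustration.

```python
import re

# Constructed psad.conf fragment mirroring the settings quoted in the thread,
# with the danger-level threshold left above the scan's level of 2.
PSAD_CONF = """
ENABLE_AUTO_IDS             Y;
AUTO_BLOCK_TIMEOUT          86400;
AUTO_BLOCK_REGEX            SID;  ### from fwsnort logging prefixes
AUTO_IDS_DANGER_LEVEL       5;
"""

# Constructed snort_rule_dl fragment; the "<sid> <danger level>;" layout is an
# assumption for this example, not taken from the psad documentation.
SNORT_RULE_DL = """
### sid      danger level
2100498      5;
"""

def parse_kv(text):
    """Parse 'KEY value;' lines (psad.conf style); drops comments and blanks."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        out[key.strip()] = value.strip()
    return out

def should_block(conf, rule_dl, log_line, sid, scan_dl):
    """Return (block, effective_dl). effective_dl is the scan's danger level,
    raised to the snort_rule_dl override for this SID if one exists."""
    eff = max(scan_dl, int(rule_dl.get(str(sid), 0)))
    if conf.get("ENABLE_AUTO_IDS", "N").upper() != "Y":
        return False, eff                      # auto-blocking disabled
    if not re.search(conf.get("AUTO_BLOCK_REGEX", ""), log_line):
        return False, eff                      # log line not eligible
    return eff >= int(conf.get("AUTO_IDS_DANGER_LEVEL", 5)), eff

def scenarios():
    """Three cases: OP's situation, a snort_rule_dl override, a lowered threshold."""
    conf = parse_kv(PSAD_CONF)
    # Constructed fwsnort-style log line; 192.0.2.0/24 is documentation space.
    line = "kernel: [1] SID2100498 ESTAB IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1"
    no_override = should_block(conf, {}, line, 2100498, 2)
    with_override = should_block(conf, parse_kv(SNORT_RULE_DL), line, 2100498, 2)
    lowered = should_block({**conf, "AUTO_IDS_DANGER_LEVEL": "2"}, {}, line, 2100498, 2)
    return no_override, with_override, lowered

if __name__ == "__main__":
    print(scenarios())  # (False, 2), (True, 5), (True, 2)
```

The first tuple reproduces the situation in the thread (danger level 2 never reaches the threshold, so no block); the other two show the two ways out, a per-SID override or a lower AUTO_IDS_DANGER_LEVEL.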

psad-discuss mailing list
