Thanks for the response, I appreciate that. I just started reading
"Attack Detection and Response with iptables, psad, and fwsnort"
Excellent book


On Sun, Oct 27, 2013 at 5:35 AM, Michael Rash <m...@cipherdyne.org> wrote:

> On Oct 25, 2013, Muhammad Yousuf Khan wrote:
>
> > I am using Shorewall and psad on Debian squeeze. Everything is working
> > perfectly and as per expectations, but I can not make psad block the
> > IP.
> >
> > I am scanning the firewall from another Linux host with nmap.
> >
> > /var/log/messages (I will share at the end) shows that psad is detecting
> > the packets but it is not blocking the IP.
> >
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC HP Web JetAdmin communication attempt" (sid: 100084) tcp port: 8000
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "DOS arkiea backup communication attempt" (sid: 282) tcp port: 617
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC Microsoft PPTP communication attempt" (sid: 100082) tcp port: 1723
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC MS Terminal Server communication attempt" (sid: 100077) tcp port: 3389
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC VNC communication attempt" (sid: 100202) tcp port: 5900
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "POLICY vncviewer Java applet communication attempt" (sid: 1846) tcp port: 5801
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "BACKDOOR Infector.1.x Connection attempt" (sid: 100040) tcp port: 146
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "P2P napster communication attempt" (sid: 100090) tcp port: 8888
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "BACKDOOR GateCrasher Connection attempt" (sid: 147) tcp port: 6969
> > Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "P2P Napster Client Data communication attempt" (sid: 564) tcp port: 5555
> > Oct 25 13:02:29 firewall psad: scan detected: 10.x.x.17 -> 10.x.x.22 tcp: [3-65389] flags: SYN tcp pkts: 570 DL: 3
> >
> >
> >
> > I tried several times and I see the log every time; however, psad is not
> > proactively blocking the IP.
>
> Ok, in order to have psad block the IP 10.x.x.17 above, you would need to
> have the following variables set like this in the /etc/psad/psad.conf
> file:
>
> ENABLE_AUTO_IDS             Y;
> AUTO_IDS_DANGER_LEVEL       2;  ### this could be 3 instead if you like
> ENABLE_AUTO_IDS_REGEX       N;
> IPTABLES_BLOCK_METHOD       Y;
>
> Can you confirm this?
>
> Thanks,
>
> --Mike
>
>
> > Any idea? Please help.
> >
> > Thanks,
> >
> > Myk
>
> >
>
> > _______________________________________________
> > psad-discuss mailing list
> > psad-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/psad-discuss
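Michael's four psad.conf settings, turned into a quick check. This is an added example, not code from the thread or from the psad project. It assumes only the `NAME   value;` line shape that psad.conf uses, and that psad auto-blocks a source once the scan's danger level (the `DL:` field in the "scan detected" line) reaches AUTO_IDS_DANGER_LEVEL; the two config excerpts are constructed for the demo and the scan line is the one from the report above. The point it makes is that the report shows `DL: 3`, so with ENABLE_AUTO_IDS still at N nothing is ever blocked no matter how many signatures match, while with the suggested values a threshold of 2 or 3 both cover this scan.

```shell
#!/bin/sh
# Added example, not from the thread or from psad itself: read the four
# auto-blocking settings out of a psad.conf-style file and compare
# AUTO_IDS_DANGER_LEVEL with the DL reported in a "scan detected" log line.
# Assumption: psad.conf lines have the shape "NAME   value;  ### comment".

# get_var FILE NAME -> value of NAME with the trailing ';' removed (empty if unset)
get_var() {
    awk -v name="$2" '$1 == name { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# scan_dl LINE -> the danger level from a psad "scan detected: ... DL: N" line
scan_dl() {
    printf '%s\n' "$1" | sed -n 's/.*DL: \([0-9][0-9]*\).*/\1/p'
}

# auto_block_verdict FILE LINE -> prints why psad would or would not auto-block
# the scan source with this config; exit status 0 means "would block"
auto_block_verdict() {
    enable=$(get_var "$1" ENABLE_AUTO_IDS)
    method=$(get_var "$1" IPTABLES_BLOCK_METHOD)
    use_regex=$(get_var "$1" ENABLE_AUTO_IDS_REGEX)
    threshold=$(get_var "$1" AUTO_IDS_DANGER_LEVEL)
    dl=$(scan_dl "$2")

    [ "$enable" = "Y" ] || { echo "no-block: ENABLE_AUTO_IDS is '${enable:-unset}', needs Y"; return 1; }
    [ "$method" = "Y" ] || { echo "no-block: IPTABLES_BLOCK_METHOD is '${method:-unset}', needs Y"; return 1; }
    case $threshold in
        ''|*[!0-9]*) echo "no-block: AUTO_IDS_DANGER_LEVEL '${threshold:-unset}' is not a number"; return 1 ;;
    esac
    [ -n "$dl" ] || { echo "no-block: no 'DL:' field in log line"; return 1; }
    [ "$dl" -ge "$threshold" ] || { echo "no-block: DL $dl is below AUTO_IDS_DANGER_LEVEL $threshold"; return 1; }
    if [ "$use_regex" = "Y" ]; then
        # With the regex option on, the scan message must also match AUTO_BLOCK_REGEX (not checked here)
        echo "block (only if the message also matches AUTO_BLOCK_REGEX): DL $dl >= AUTO_IDS_DANGER_LEVEL $threshold"
    else
        echo "block: DL $dl >= AUTO_IDS_DANGER_LEVEL $threshold"
    fi
}

# Constructed config excerpts: auto-blocking off, and the values Michael suggests
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
WEAK_CONF=$tmpd/psad-off.conf
FIXED_CONF=$tmpd/psad-on.conf
cat >"$WEAK_CONF" <<'EOF'
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       5;
ENABLE_AUTO_IDS_REGEX       N;
IPTABLES_BLOCK_METHOD       Y;
EOF
cat >"$FIXED_CONF" <<'EOF'
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       2;  ### 3 would also cover the DL: 3 scan below
ENABLE_AUTO_IDS_REGEX       N;
IPTABLES_BLOCK_METHOD       Y;
EOF

# The "scan detected" line from the report in the thread
SCAN_LINE='Oct 25 13:02:29 firewall psad: scan detected: 10.x.x.17 -> 10.x.x.22 tcp: [3-65389] flags: SYN tcp pkts: 570 DL: 3'

echo "auto-blocking off:   $(auto_block_verdict "$WEAK_CONF" "$SCAN_LINE")"
echo "Michael's settings:  $(auto_block_verdict "$FIXED_CONF" "$SCAN_LINE")"
```

Point the verdict function at the real /etc/psad/psad.conf and a line grepped out of /var/log/messages to check a live box; after changing the settings, restart psad and confirm with `psad -S`. Only the `scan detected` line carries a `DL:` value, so the per-signature `signature match` lines on their own never decide a block.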
