My firewall IP is 10.x.x.22

This is my /etc/psad/psad.conf:

ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 4;
AUTO_BLOCK_TIMEOUT 3600;
ENABLE_AUTO_IDS_REGEX Y;
AUTO_BLOCK_REGEX ESTAB;


Let me explain my question in 3 steps.

I am triggering Metasploit SID 2281.

Part 1 - when I try "lynx http://10.x.x.22/Setup.php" (as written in the
book), my firewall detects and logs it like this:

 SID2281 ESTAB IN=eth0 OUT= MAC=79:29:39:17:9f:ae:00:e0:4a:10:02:90:08:00
SRC=10.x.x.16 DST=10.x.x.22 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=21693 DF
PROTO=TCP SPT=51727 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT
(0101080A3F334FE504AC6651)


If psad is restarted it keeps generating the log, but psad does not block it.
No matter how many times I use "lynx" it keeps generating the log, but psad
doesn't show any sign of detection.

Part 2 - but when I run an nmap scan it doesn't do anything either, as I am
using "ENABLE_AUTO_IDS_REGEX Y;".


Part 3 - this is the important part: now, after all of the above, when I type
"lynx http://10.x.x.22/Setup.php", psad not only detects the log but even
blocks the source.



First I thought it was due to packet count, and the packets are not reaching
level 1 (5 packets).

So I added "2281   4;" in /etc/psad/snort_rules_dl, and my danger level is
set to "3", which means it should have been blocked, as 4 is higher
regardless of packet count.


root@firewall:/var/lib/fwsnort# psad -S  | grep 2281
      "[7363] SID2281 ESTAB": 24



Any idea why it is happening?

It is with all IPs; at least I have to "nmap" 1 time from the IP, then
"lynx", to trigger the error.


Thanks.
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
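As an added illustration (not psad's own code, and a simplification of what the daemon really does), here is a Python model of the gates the quoted settings impose: a source is auto-blocked only when the event's danger level reaches AUTO_IDS_DANGER_LEVEL and, with ENABLE_AUTO_IDS_REGEX set, the log line also matches AUTO_BLOCK_REGEX. The packet-count threshold, the log prefix layout and the parser are assumptions made for this example.

```python
import re

# Added illustration for this thread, NOT psad's own code: the real daemon also
# weighs packet counts across port ranges and its own signatures when it assigns a level.
# Settings copied from the psad.conf quoted in the post.
CONFIG = {
    "ENABLE_AUTO_IDS": True,
    "AUTO_IDS_DANGER_LEVEL": 4,
    "ENABLE_AUTO_IDS_REGEX": True,
    "AUTO_BLOCK_REGEX": "ESTAB",
}
SNORT_RULES_DL = {2281: 4}  # per-SID levels, as in /etc/psad/snort_rules_dl ("2281   4;")
# Assumption: a source reaches danger level 1 once 5 packets are seen from it.
PACKET_THRESHOLDS = [(5, 1)]

# Assumed prefix layout: fwsnort logs "SID<n> <tag>" followed by iptables KEY=VALUE pairs.
LOG_RE = re.compile(r"SID(?P<sid>\d+)\s+(?P<tag>\S+)\s+(?P<rest>.*)")

def parse_fwsnort_log(line):
    """Extract the SID, the prefix tag and the KEY=VALUE fields from one log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))  # flags like DF/ACK are skipped
    return {"sid": int(m.group("sid")), "tag": m.group("tag"), "fields": fields}

def danger_level(event, packets_from_src):
    """Highest of the SID's configured level and the packet-count level."""
    level = SNORT_RULES_DL.get(event["sid"], 0)
    for threshold, count_level in PACKET_THRESHOLDS:
        if packets_from_src >= threshold:
            level = max(level, count_level)
    return level

def should_auto_block(line, packets_from_src, config=CONFIG):
    """Apply the auto-IDS gates in order: enabled, danger level, then block regex."""
    event = parse_fwsnort_log(line)
    if event is None or not config["ENABLE_AUTO_IDS"]:
        return False
    if danger_level(event, packets_from_src) < config["AUTO_IDS_DANGER_LEVEL"]:
        return False
    if config["ENABLE_AUTO_IDS_REGEX"] and not re.search(config["AUTO_BLOCK_REGEX"], line):
        return False  # an event whose log line misses the regex never triggers a block
    return True

# Log line from the post (addresses already anonymised there).
SAMPLE = ("SID2281 ESTAB IN=eth0 OUT= MAC=79:29:39:17:9f:ae:00:e0:4a:10:02:90:08:00 "
          "SRC=10.x.x.16 DST=10.x.x.22 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=21693 DF "
          "PROTO=TCP SPT=51727 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0")
```

Feed should_auto_block the sample with different counts and regexes to see which gate stops a line; a SID with no snort_rules_dl entry stays below the threshold until the count rule lifts it.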
