Here are some of my findings, so this might help to understand the problem.

When I change the danger level of the IP in the "auto_dl" file
it worked: on the first packet it detected and blocked the IP.
Here is the result.

 SID1087 ESTAB IN=eth0 OUT= MAC=76:25:30:17:9f:ae:00:21:91:8b:31:54:08:00
SRC=10.51.100.17 DST=10.51.100.22 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27882
DF PROTO=TCP SPT=58315 DPT=80 WINDOW=123 RES=0x00 ACK URGP=0
OPT (0101080A877AFB3B04D8859C)
Nov  4 21:07:40 firewall psad: auto-assigned danger level: 5 for IP:
10.x.x.17

and then it successfully blocked the IP too.

But this is not happening with the snort_rules_dl file danger level variable set.

I set the danger levels to something like this (of course only for testing):

Level 1   5 pkt
Level 2   6 pkt
Level 3   7 pkt
Level 4   8 pkt
Level 5  10 pkt

Then I restart psad.

No matter how many packets I generate, nothing happens, specifically talking
about this command:
"lynx http://10.x.x.22/Setup.php";

No email has been logged,
even though I set the email level to 1, so that at least the packet count reaches 5 packets, which is
danger level 1; then it should generate the packet, however this is also
not happening.

The snort_rules_dl file is also not working; I wanted to change the danger level
of SID 2281 like this:

echo "2281 5;" >> /etc/psad/snort_rules_dl

On Mon, Nov 4, 2013 at 6:42 PM, Muhammad Yousuf Khan <sir...@gmail.com> wrote:

> My firewall IP is 10.x.x.22.
>
> This is my /etc/psad/psad.conf:
>
> ENABLE_AUTO_IDS Y;
> AUTO_IDS_DANGER_LEVEL 4;
> AUTO_BLOCK_TIMEOUT 3600;
> ENABLE_AUTO_IDS_REGEX Y;
> AUTO_BLOCK_REGEX ESTAB;
>
>
> Let me explain my question in 3 steps.
>
> I am triggering Metasploit SID 2281.
>
> Part 1 - when I try "lynx http://10.x.x.22/Setup.php" (as
> written in the book),
> my firewall logs like this:
>
>  SID2281 ESTAB IN=eth0 OUT= MAC=79:29:39:17:9f:ae:00:e0:4a:10:02:90:08:00
> SRC=10.x.x.16 DST=10.x.x.22 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=21693 DF
> PROTO=TCP SPT=51727 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT
> (0101080A3F334FE504AC6651)
>
>
> If PSAD is restarted it keeps generating the log, but PSAD does not block it;
> no matter how many times I use "lynx" it keeps generating the log, but PSAD
> doesn't show any sign of detection.
>
> Part 2 - but when I run an NMAP scan
> it doesn't do anything either, as I am using "ENABLE_AUTO_IDS_REGEX Y;".
>
>
> Part 3 - this is the important part: now, after all of the above, when I type "lynx
> http://10.x.x.22/Setup.php", psad not just detects the log but even blocks
> the source.
>
>
>
> First I thought it was due to packet count, and packets are not reaching
> level 1 (5 packets),
>
> so I added "2281   4;" in /etc/psad/snort_rules_dl,
> and my danger level is set to "3", which means it should have been blocked,
> as 4 is higher regardless of packet count.
>
>
> root@firewall:/var/lib/fwsnort# psad -S  | grep 2281
>       "[7363] SID2281 ESTAB": 24
>
>
>
> Any idea why it is happening?
>
> It is with all IPs; at least I have to "nmap" once from the IP and then
> "lynx" to trigger the error.
>
>
> Thanks.
>
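As an added illustration (not code from psad, fwsnort, or anyone in this thread), here is a small Python model of how the three inputs discussed above combine into a per-source danger level: the packet-count thresholds (DANGER_LEVEL1..5, using the test values the poster set), per-SID overrides read from a snort_rules_dl-style file, and per-IP overrides read from an auto_dl-style file. The precedence used (count threshold, raised to a matching SID's level, replaced outright by an auto_dl entry) and the `<key> <level>;` file syntax are my assumptions drawn from this thread, not a reading of psad's source; the log lines, MAC addresses and RFC 5737 addresses are constructed stand-ins for the 10.x.x.x hosts in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Packet-count thresholds for danger levels 1..5. These are the test values the
# poster says he configured (DANGER_LEVEL1..5); a constructed stand-in for psad.conf.
DANGER_LEVEL_THRESHOLDS = {1: 5, 2: 6, 3: 7, 4: 8, 5: 10}

# Constructed file contents in the "<key> <level>;" form used in the thread.
SNORT_RULES_DL_TEXT = "# sid  level\n2281 4;\n"
AUTO_DL_TEXT = "192.0.2.17 5;\n"

# Constructed fwsnort-style log lines shaped like those in the thread.
_MAC = "00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
SAMPLE_LOG = [
    f"SID2281 ESTAB IN=eth0 OUT= MAC={_MAC} SRC=192.0.2.16 DST=192.0.2.22 LEN=294 "
    f"TOS=0x00 PREC=0x00 TTL=64 ID=21693 DF PROTO=TCP SPT={spt} DPT=80 WINDOW=46 "
    "RES=0x00 ACK PSH URGP=0"
    for spt in (51727, 51728, 51729)
] + [
    f"SID1087 ESTAB IN=eth0 OUT= MAC={_MAC} SRC=192.0.2.17 DST=192.0.2.22 LEN=52 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=27882 DF PROTO=TCP SPT=58315 DPT=80 WINDOW=123 "
    "RES=0x00 ACK URGP=0",
]

DL_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s*;?$")
LOG_RE = re.compile(r"SID(?P<sid>\d+)\s+\S+\s.*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)")


def parse_dl_file(text):
    """Parse '<key> <level>;' lines ('#' starts a comment) into {key: level}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DL_LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable danger-level line: {raw!r}")
        level = int(m.group(2))
        if not 0 <= level <= 5:
            raise ValueError(f"danger level out of range 0..5: {raw!r}")
        mapping[m.group(1)] = level
    return mapping


def parse_log_line(line):
    """Pull the SID and source/destination addresses out of one log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"sid": m.group("sid"), "src": m.group("src"), "dst": m.group("dst")}


def level_from_packet_count(count, thresholds=DANGER_LEVEL_THRESHOLDS):
    """Highest level whose packet threshold the count reaches (0 if none)."""
    level = 0
    for lvl, needed in sorted(thresholds.items()):
        if count >= needed:
            level = lvl
    return level


def auto_dl_lookup(src, auto_dl):
    """Return the auto_dl level for src if an entry (IP or CIDR) matches it."""
    addr = ipaddress.ip_address(src)
    for key, level in auto_dl.items():
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # not an address entry
        if addr in net:
            return level
    return None


def assess(log_lines, snort_rules_dl, auto_dl, thresholds=DANGER_LEVEL_THRESHOLDS):
    """Per-source danger level: count threshold, raised by SID level, forced by auto_dl."""
    counts, sids = Counter(), defaultdict(set)
    for line in log_lines:
        ev = parse_log_line(line)
        if ev is not None:
            counts[ev["src"]] += 1
            sids[ev["src"]].add(ev["sid"])
    levels = {}
    for src, n in counts.items():
        level = level_from_packet_count(n, thresholds)
        for sid in sids[src]:
            level = max(level, snort_rules_dl.get(sid, 0))
        forced = auto_dl_lookup(src, auto_dl)
        levels[src] = level if forced is None else forced
    return levels


def would_auto_block(levels, auto_ids_danger_level=4):
    """Sources at or above AUTO_IDS_DANGER_LEVEL (the thread's value is 4)."""
    return sorted(src for src, lvl in levels.items() if lvl >= auto_ids_danger_level)


if __name__ == "__main__":
    lv = assess(SAMPLE_LOG, parse_dl_file(SNORT_RULES_DL_TEXT), parse_dl_file(AUTO_DL_TEXT))
    print(lv, would_auto_block(lv))
```

With the sample input, 192.0.2.16 sends only three SID 2281 packets (below the 5-packet level-1 threshold) but ends at level 4 through the snort_rules_dl entry, and 192.0.2.17 is forced to level 5 by auto_dl; both would be blocked at AUTO_IDS_DANGER_LEVEL 4. Running the same check against real psad output and comparing it with `psad -S` is a quick way to see which of the three inputs is not taking effect.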
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss