In Debian squeeze there is an old version of "psad" in the repo. It
seems like the issue is resolved after compiling the new version, which is
2.2.1, from source.


On Mon, Nov 4, 2013 at 9:19 PM, Muhammad Yousuf Khan <sir...@gmail.com> wrote:

> Here are some of my findings, so this might help to understand the problem.
>
> When I change the danger level of the IP in the "auto_dl" file,
> it worked: on the first packet it detected and blocked the IP.
> Here is the result.
>
> SID1087 ESTAB IN=eth0 OUT= MAC=76:25:30:17:9f:ae:00:21:91:8b:31:54:08:00
> SRC=10.51.100.17 DST=10.51.100.22 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27882
> DF PROTO=TCP SPT=58315 DPT=80 WINDOW=123 RES=0x00 ACK URGP=0
> OPT (0101080A877AFB3B04D8859C)
> Nov  4 21:07:40 firewall psad: auto-assigned danger level: 5 for IP:
> 10.x.x.17
> and then it successfully blocked the IP too.
>
> But this is not happening with the danger level variable set in the snort_rule_dl file.
>
> I set the danger levels to something like this (of course, for testing):
>
> Level 1   5 pkt
> Level 2   6 pkt
> Level 3   7 pkt
> Level 4   8 pkt
> Level 5  10 pkt
>
> Then I restarted psad.
>
> No matter how many packets I generate, nothing happens, specifically talking
> about this command:
> "lynx http://10.x.x.22/Setup.php"
>
> No email has been logged,
> even if I set the email level to 1, so that at least the packets reach 5 pkt, which is
> danger level 1; then it should generate the packet, however this is also
> not happening.
>
> The snort_rule_dl file is also not working; I wanted to change the danger
> level of SID 2281 like this:
>
> echo "2281 5;" >> /etc/psad/snort_rules_dl
>
> On Mon, Nov 4, 2013 at 6:42 PM, Muhammad Yousuf Khan <sir...@gmail.com> wrote:
>
>> My firewall IP is 10.x.x.22.
>>
>> This is my /etc/psad/psad.conf:
>>
>> ENABLE_AUTO_IDS Y;
>> AUTO_IDS_DANGER_LEVEL 4;
>> AUTO_BLOCK_TIMEOUT 3600;
>> ENABLE_AUTO_IDS_REGEX Y;
>> AUTO_BLOCK_REGEX ESTAB;
>>
>> Let me explain my question in 3 steps.
>>
>> I am triggering Metasploit SID 2281.
>>
>> Part 1 - when I try "lynx http://10.x.x.22/Setup.php" (as
>> written in the book),
>> my firewall logs this:
>>
>> SID2281 ESTAB IN=eth0 OUT= MAC=79:29:39:17:9f:ae:00:e0:4a:10:02:90:08:00
>> SRC=10.x.x.16 DST=10.x.x.22 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=21693 DF
>> PROTO=TCP SPT=51727 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT
>> (0101080A3F334FE504AC6651)
>>
>> If psad is restarted it keeps generating the log, but psad does not block it.
>> No matter how many times I use "lynx" it keeps generating the log, but psad
>> doesn't show any sign of detection.
>>
>> Part 2 - but when I run an nmap scan
>> it doesn't do anything either, as I am using "ENABLE_AUTO_IDS_REGEX Y;".
>>
>> Part 3 - this is the important part: now, after all of the above, when I type
>> "lynx http://10.x.x.22/Setup.php", psad not only detects the log but even
>> blocks the source.
>>
>> First I thought it was due to the packet count, and packets were not reaching
>> level 1 (5 packets),
>>
>> so I added "2281   4;" to /etc/psad/snort_rules_dl
>> and my danger level is set to "3", which means it should have been blocked,
>> as 4 is higher regardless of packet count.
>>
>> root@firewall:/var/lib/fwsnort# psad -S  | grep 2281
>>       "[7363] SID2281 ESTAB": 24
>>
>> Any idea why it is happening?
>>
>> It is with all IPs; at least I have to "nmap" once from the IP and then
>> "lynx" to trigger the error.
>>
>> Thanks.
>>
>
>
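The following is an added example, not code from this thread or from the psad project: a small Python model of the mechanism being debugged above. It parses fwsnort-style iptables LOG lines like the ones quoted in the thread, reads auto_dl / snort_rule_dl style "key level;" entries, assigns each source IP a danger level from the packet-count thresholds, from a matched SID's snort_rule_dl entry, or from an auto_dl entry, and reports which sources would be auto-blocked. The merge rule (highest of the three sources), the DANGER_LEVEL values, the sample addresses and log lines, and the requirement that AUTO_BLOCK_REGEX match at least one of the IP's packets before blocking are all assumptions of this model, not a description of psad's internals. The third source in the constructed sample illustrates the regex caveat: it reaches level 5 by packet count alone, but none of its lines contain ESTAB, so with ENABLE_AUTO_IDS_REGEX on it is not blocked. (The thread names the rule file both snort_rule_dl and snort_rules_dl; the example keeps its data in memory and touches neither.)

```python
# Constructed model of danger-level assignment from fwsnort/iptables LOG lines.
# Written for this page, not psad's own code; thresholds, merge rule and sample
# data are assumptions documented in the comments.
import re
from collections import defaultdict

# Matches the iptables LOG format quoted in the thread: syslog timestamp, host,
# "kernel:", the fwsnort log prefix (e.g. "SID2281 ESTAB"), then packet fields.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"(?:MAC=(?P<mac>\S*) )?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
SID_RE = re.compile(r"\bSID(\d+)\b")

# Hypothetical settings mirroring the psad.conf keys quoted in the thread.
# DANGER_LEVEL1..5 use the test thresholds the poster tried (5, 6, 7, 8, 10).
CONF = {
    "DANGER_LEVEL1": 5, "DANGER_LEVEL2": 6, "DANGER_LEVEL3": 7,
    "DANGER_LEVEL4": 8, "DANGER_LEVEL5": 10,
    "AUTO_IDS_DANGER_LEVEL": 4,
    "ENABLE_AUTO_IDS_REGEX": True,
    "AUTO_BLOCK_REGEX": r"ESTAB",
}


def parse_dl_file(text):
    """Parse "<key> <level>;" entries (auto_dl: key = IP; snort_rule_dl: key = SID).
    Assumed format: one entry per line, '#' comments, optional trailing ';'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"malformed danger-level entry: {raw!r}")
        entries[parts[0]] = int(parts[1])
    return entries


def parse_log_line(line):
    """Fields of one LOG line, or None for non-LOG lines (e.g. psad's own messages)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["prefix"] = ev["prefix"].strip()
    sid = SID_RE.search(ev["prefix"])
    ev["sid"] = sid.group(1) if sid else None
    return ev


def count_level(n_packets, conf):
    """Highest level n (0..5) whose DANGER_LEVELn packet threshold is reached."""
    level = 0
    for n in range(1, 6):
        if n_packets >= conf[f"DANGER_LEVEL{n}"]:
            level = n
    return level


def evaluate(log_text, conf, auto_dl, snort_rule_dl):
    """Return {src_ip: {"packets": n, "dl": level, "block": bool}}.
    Assumed merge rule (not psad's exact semantics): an IP's level is the highest
    of its packet-count level, the snort_rule_dl level of any SID it triggered,
    and its auto_dl entry. Blocking needs dl >= AUTO_IDS_DANGER_LEVEL and, with
    ENABLE_AUTO_IDS_REGEX on, one of the IP's lines matching AUTO_BLOCK_REGEX."""
    packets, level, regex_hit = defaultdict(int), defaultdict(int), defaultdict(bool)
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        src = ev["src"]
        packets[src] += 1
        dl = count_level(packets[src], conf)
        if ev["sid"] in snort_rule_dl:
            dl = max(dl, snort_rule_dl[ev["sid"]])
        if src in auto_dl:
            dl = max(dl, auto_dl[src])
        level[src] = max(level[src], dl)
        if re.search(conf["AUTO_BLOCK_REGEX"], line):
            regex_hit[src] = True
    out = {}
    for src in packets:
        allowed = regex_hit[src] or not conf["ENABLE_AUTO_IDS_REGEX"]
        out[src] = {"packets": packets[src], "dl": level[src],
                    "block": level[src] >= conf["AUTO_IDS_DANGER_LEVEL"] and allowed}
    return out


# Constructed auto_dl / snort_rule_dl contents (the thread's "2281 4;" idea).
AUTO_DL = parse_dl_file("10.51.100.17 5;\n")
SNORT_RULE_DL = parse_dl_file("# sid  level\n2281 4;\n")

_MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"  # made-up MACs + ethertype
# Constructed log lines: two SID2281 hits from .16, one SID1087 hit from .17
# (plus a psad message the parser skips), and ten plain DROPs from .18.
_SAMPLE_LINES = [
    f"Nov  4 21:07:40 firewall kernel: SID2281 ESTAB IN=eth0 OUT= MAC={_MAC} SRC=10.51.100.16 DST=10.51.100.22 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=21693 DF PROTO=TCP SPT=51727 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0",
    f"Nov  4 21:07:41 firewall kernel: SID2281 ESTAB IN=eth0 OUT= MAC={_MAC} SRC=10.51.100.16 DST=10.51.100.22 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=21694 DF PROTO=TCP SPT=51728 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0",
    f"Nov  4 21:07:42 firewall kernel: SID1087 ESTAB IN=eth0 OUT= MAC={_MAC} SRC=10.51.100.17 DST=10.51.100.22 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27882 DF PROTO=TCP SPT=58315 DPT=80 WINDOW=123 RES=0x00 ACK URGP=0",
    "Nov  4 21:07:42 firewall psad: auto-assigned danger level: 5 for IP: 10.51.100.17",
] + [
    f"Nov  4 21:08:{i:02d} firewall kernel: DROP IN=eth0 OUT= MAC={_MAC} SRC=10.51.100.18 DST=10.51.100.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={100 + i} DF PROTO=TCP SPT={40000 + i} DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
    for i in range(10)
]
SAMPLE_LOG = "\n".join(_SAMPLE_LINES)

if __name__ == "__main__":
    for ip, st in sorted(evaluate(SAMPLE_LOG, CONF, AUTO_DL, SNORT_RULE_DL).items()):
        print(f"{ip:15} packets={st['packets']:2d} dl={st['dl']} block={st['block']}")
```

Running it prints one line per source: .16 is blocked at level 4 through the SID entry after only two packets, .17 is blocked at level 5 through the auto_dl entry after one packet, and .18 reaches level 5 on packet count but stays unblocked because no line matched the ESTAB regex. Flipping ENABLE_AUTO_IDS_REGEX to False in CONF makes .18 blockable, which is the kind of check worth doing when a configured level appears to be ignored.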
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
