i put the ip address in auto_dl and set the danger level to zero like this.

192.168.x.1    0;
10.x.x.240   0;

please correct me if i am wrong with the understanding that, the setting
above, does above settings mean that any detected  packet shell not be
considered as attack. thus an email notification and log message will not
be generated?

i have two question.

1. how should i stop detection of false alarm of legitimate hosts.
2. is there any option to restrict  false alarm per host per signature
    e.g i do not want only 1 specific signature to be triggered against
only 1 specific host.  i do not want to change the danger level of
signature nor host individually.

here is my psad notification email that i am receiving (lots of emails)

         Danger level: [4] (out of 5)

         icmp packets: [4]
       iptables chain: FWSNORT_INPUT (prefix "[6069] SID401"), 4 packets
         fwsnort rule: 6069
               Source: 192.168.x.1
                  DNS: [No reverse dns info available]

          Destination: 192.168.x.21
                  DNS: [No reverse dns info available]

   Overall scan start: Tue Nov  5 12:44:48 2013
   Total email alerts: 691
      Syslog hostname: firewall

         Global stats:
                       chain:   interface:  protocol:  packets:
                       INPUT    eth1        icmp       3574

my alertemail settings are like this in psad.conf file
MIN_DANGER_LEVEL            1;

however i am still getting DL2 type alerts. is there anything more i could
do to only log alerts from level 1 to 2 and for above levels i need alert
in log  and email.


November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
psad-discuss mailing list

Reply via email to