Hello All,

I am trying to test the packet count ability of psad with danger level and
set up the danger level in "psad.conf" like this.

(I changed the DL values for my testing only)

DANGER_LEVEL1               2;
DANGER_LEVEL2               4;
DANGER_LEVEL3               6;
DANGER_LEVEL4               8;
DANGER_LEVEL5               10;

AUTO_IDS_DANGER_LEVEL       3;

As per the above setting, if the packet count of any signature reaches "6" it
should be blocked (please correct me if I am wrong).



I am using the "WEB-PHP Setup.php access Attack" as described in a book.
Everything is working in order: "packet-counter", signature detection by
snort and psad, etc.

But one thing I cannot understand is the purpose of the packet count and how
psad makes a decision on the packet count from the attack.

By default "WEB-PHP Setup.php access Attack" has DL2.

From the host I am trying to generate the attack packet by packet with the
below command:
"lynx http://10.x.x.22/Setup.php";


The attack is detected on the firewall with the below log, which is a good sign:
psad: src: 10.51.100.17 signature match: "WEB-PHP Setup.php access" (sid:
2281) tcp port: 80 fwsnort chain: FWSNORT_INPUT_ESTAB rule: 7363

As per my settings shared above from my psad.conf, this means when the packet
count reaches "6" the host should be blocked. However, it is not happening.

Here is my "psad -S" output:


[+] IP Status Detail:

SRC:  10.51.100.17, DL: 2, Dsts: 1, Pkts: 13, Total protocols: 1, Unique
sigs: 1, Email alerts: 8, Local IP


As you can see in the output, the packet count has reached "13" but no block
has been triggered by psad.

From what I perceive from my testing, "DL2" rules will always be DL2 no matter
how high the packet count is. In order to make things work according to my
need, I have to change the danger level of the specified attack/SID in the
"snort_rule_dl" file manually, and this is the only option. The packet count
will not work if the default DL of the signature is below the value of
"AUTO_IDS_DANGER_LEVEL".

Is my understanding from the above testing correct?

If the above is correct, then my question is: how does the packet count really work?



Thanks,
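As an added example (not psad's own code and not part of the post), here is a small Python checker that parses the DANGER_LEVEL settings and a "psad -S" status line in the formats quoted above and reports the gap between the level the packet count would imply (under the poster's reading of the thresholds, which is an assumption here) and the DL psad actually reports against AUTO_IDS_DANGER_LEVEL. The inputs are constructed from the post; the function names are mine.

```python
import re

# Constructed excerpt of the psad.conf settings quoted in the post.
PSAD_CONF = """
DANGER_LEVEL1               2;
DANGER_LEVEL2               4;
DANGER_LEVEL3               6;
DANGER_LEVEL4               8;
DANGER_LEVEL5               10;

AUTO_IDS_DANGER_LEVEL       3;
"""

# Constructed copy of the "psad -S" IP status detail line from the post.
STATUS_LINE = ("SRC:  10.51.100.17, DL: 2, Dsts: 1, Pkts: 13, Total protocols: 1, "
               "Unique sigs: 1, Email alerts: 8, Local IP")

def parse_conf(text):
    """Return {'DANGER_LEVEL1': 2, ...} from psad.conf-style 'KEY value;' lines."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*([A-Z_0-9]+)\s+(\d+)\s*;", text, re.M)}

def parse_status(line):
    """Pull the source IP, reported DL and packet count out of one status line."""
    m = re.search(r"SRC:\s+([^,]+),\s+DL:\s+(\d+),.*?Pkts:\s+(\d+)", line)
    if not m:
        raise ValueError("unrecognised psad -S line: " + line)
    return {"src": m.group(1), "dl": int(m.group(2)), "pkts": int(m.group(3))}

def count_based_level(pkts, conf):
    """Highest DANGER_LEVELn whose packet threshold has been reached (0 if none).
    Assumption: this is the poster's reading of the thresholds, not psad's logic."""
    level = 0
    for n in range(1, 6):
        if pkts >= conf.get("DANGER_LEVEL%d" % n, float("inf")):
            level = n
    return level

def check_host(status_line, conf_text):
    """Compare count-implied DL and reported DL with AUTO_IDS_DANGER_LEVEL."""
    conf = parse_conf(conf_text)
    st = parse_status(status_line)
    implied = count_based_level(st["pkts"], conf)
    auto = conf["AUTO_IDS_DANGER_LEVEL"]
    return {"src": st["src"], "reported_dl": st["dl"], "count_implied_dl": implied,
            "would_block_by_count": implied >= auto,
            "would_block_by_reported": st["dl"] >= auto}

if __name__ == "__main__":
    print(check_host(STATUS_LINE, PSAD_CONF))
```

For the quoted status line the count-implied level is 5 while the reported DL is 2, which reproduces the discrepancy described in the post: only the reported DL clears AUTO_IDS_DANGER_LEVEL, and it does not.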
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss