I hope you guys don't mind my very newbie questions. Actually, I am very new
to IPS and still learning, so please bear with me.

I want to share my finding, and I think I have narrowed down the issue, but I
still could not understand why there are two different behaviors of the packet
count, because the packet count just worked after port scanning attack
detection; however, it was not working with my previously illustrated attack
(SID 2881), as mentioned in my email.

Just FYI, I have tweaked my packet-level count like this.

DANGER_LEVEL1               2;
DANGER_LEVEL2               4;
DANGER_LEVEL3               15;
DANGER_LEVEL4               20;
DANGER_LEVEL5               25;


When I run the "lynx http://10.x.x.22/Setup.php" command from the host 20 times,
it generates 1 packet per command, and when it reaches a packet count of 20,
as in the example given below, the DL constantly shows 2.

[+] IP Status Detail:

SRC:  10.x.x.17, DL: 2, Dsts: 1, Pkts: 22, Total protocols: 1, Unique sigs: 1, Email alerts: 8, Local IP

However, when I scan the firewall/IPS (10.x.x.22) from an OpenBSD utility
from the WebGUI, it generates 6 packets and triggers multiple Snort rules, as
illustrated below.

SRC:  10.x.x.25, DL: 3, Dsts: 1, Pkts: 18, Total protocols: 1, Unique sigs: 5, Email alerts: 3, Local IP

    DST: 10.x.x.22, Local IP
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0
        Signature match: "GPL ICMP_INFO PING BSDtype"
            ICMP, Chain: INPUT, Count: 1, Sid: 2100368
        Signature match: "ICMP PING"
            ICMP, Chain: INPUT, Count: 2, Sid: 384
        Signature match: "GPL ICMP_INFO PING *NIX"
            ICMP, Chain: INPUT, Count: 1, Sid: 2100366
        Signature match: "ICMP PING *NIX"
            ICMP, Chain: INPUT, Count: 1, Sid: 366
        Signature match: "ICMP PING BSDtype"
            ICMP, Chain: INPUT, Count: 1, Sid: 368

This time, amazingly, not only is the packet count working as per the
psad.conf danger level, but it also increases the danger level as the packet
count crosses the packet counter defined in psad.conf.

As we can see in the email.

Here is my first email when it crosses danger level 2. This is some of the
first email:

>Danger level: [2] (out of 5)
>         icmp packets: [6]
> Global stats:
>                       chain:   interface:  protocol:  packets:
>                      INPUT    eth0        icmp       12

Second email:
>Danger level: [3] (out of 5)
>         icmp packets: [6]
>         Global stats:
>                     chain:   interface:  protocol:  packets:
>                   INPUT    eth0        icmp       18

Just after my second email, psad blocked the host, as per my expectations.

Now my question is: why is the packet count handled differently for two different signatures?

Thanks. I hope you guys did not mind my poor English; I am not a native
speaker, and I hope that you could also understand what I tried to explain.

I really appreciate your time and efforts.
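The following is an added example, not code from the poster or from psad itself. It parses the DANGER_LEVELn thresholds and the "IP Status Detail" lines quoted in the post above (copied here as constructed sample strings) and compares the DL psad reported with the DL a simple threshold model would predict. The model, which is an assumption and not psad's actual logic, is "the danger level is the highest level whose packet threshold has been reached"; psad also takes signature danger levels into account, so a mismatch is a pointer for investigation, not proof of a bug. Run on the two status lines from the post, the 10.x.x.17 host (22 packets, reported DL 2) is flagged as a mismatch, which is exactly the discrepancy the post describes, while the 10.x.x.25 host (18 packets, DL 3) is consistent.

```python
import re

# Constructed copies of the values quoted in the post above (not live psad data).
PSAD_CONF_SNIPPET = """
DANGER_LEVEL1               2;
DANGER_LEVEL2               4;
DANGER_LEVEL3               15;
DANGER_LEVEL4               20;
DANGER_LEVEL5               25;
"""

STATUS_LINES = [
    "SRC:  10.x.x.17, DL: 2, Dsts: 1, Pkts: 22, Total protocols: 1, "
    "Unique sigs: 1, Email alerts: 8, Local IP",
    "SRC:  10.x.x.25, DL: 3, Dsts: 1, Pkts: 18, Total protocols: 1, "
    "Unique sigs: 5, Email alerts: 3, Local IP",
]

_THRESHOLD_RE = re.compile(r"^\s*DANGER_LEVEL(\d)\s+(\d+)\s*;", re.MULTILINE)
_FIELD_RE = re.compile(r"(DL|Pkts|Unique sigs):\s*(\d+)")
_SRC_RE = re.compile(r"SRC:\s*(\S+),")


def parse_thresholds(conf_text):
    """Return {level: packet_threshold} from the DANGER_LEVELn lines."""
    return {int(lvl): int(pkts) for lvl, pkts in _THRESHOLD_RE.findall(conf_text)}


def danger_level_from_packets(pkts, thresholds):
    """Simplified model (an assumption, not psad's real algorithm): the danger
    level is the highest level whose packet threshold has been reached, or 0
    if the count is still below DANGER_LEVEL1."""
    level = 0
    for lvl in sorted(thresholds):
        if pkts >= thresholds[lvl]:
            level = lvl
    return level


def parse_status_line(line):
    """Extract SRC, DL, Pkts and Unique sigs from one 'IP Status Detail' line."""
    src = _SRC_RE.search(line).group(1)
    fields = {name: int(val) for name, val in _FIELD_RE.findall(line)}
    return {"src": src, "dl": fields["DL"], "pkts": fields["Pkts"],
            "sigs": fields["Unique sigs"]}


def check_status(lines, thresholds):
    """Compare the DL psad reported with what the packet-count model predicts.
    Returns one dict per source with the reported DL, the model's DL and a
    'consistent' flag; a mismatch is something to look into, not a verdict."""
    results = []
    for line in lines:
        entry = parse_status_line(line)
        expected = danger_level_from_packets(entry["pkts"], thresholds)
        entry["expected_dl"] = expected
        entry["consistent"] = entry["dl"] == expected
        results.append(entry)
    return results


if __name__ == "__main__":
    thresholds = parse_thresholds(PSAD_CONF_SNIPPET)
    for r in check_status(STATUS_LINES, thresholds):
        flag = "ok" if r["consistent"] else "MISMATCH"
        print(f"{r['src']}: pkts={r['pkts']} reported DL={r['dl']} "
              f"model DL={r['expected_dl']} unique sigs={r['sigs']} -> {flag}")
```

The script reads the thresholds and status lines from the embedded strings so it runs offline; to apply it to a real box, replace them with the DANGER_LEVEL block from psad.conf and the SRC lines from the psad status output.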

psad-discuss mailing list