I was trying to mitigate false alarms. I do not want to block normal ping
packets; however, if someone tries to increase the size of the packet then it
should be blocked as per "AUTO_BLOCK_TIMEOUT". I set the block time to 3600
seconds. I noticed that when someone tries to send large ping packets, they
are detected by

>>ICMP_INFO PING speedera" (sid: 2100480) icmp fwsnort chain:
>>FWSNORT_INPUT rule: 4566
>>"ICMP PING speedera" (sid: 480) icmp fwsnort chain: FWSNORT_INPUT rule:

Therefore I set the danger level of the above signatures to 5 in the snort_rules_dl
file like this:
>>2100480 5;
>>480 5;

As you can see, it is detecting and even blocking the host, as in the log below:
>>psad: added iptables auto-block against 182.x.x.100 (unlimited timeout)

But just a minute later I see this:
>>psad: removed iptables auto-block against 182.x.x.100

When I run "psad -S" it shows me the log below, but the point is that my
AUTO_BLOCK_TIMEOUT is set to 3600 seconds:

>>"Writing 182.x.x.100 to socket; psad will remove the IP
>>within 5 seconds"

So, the question is: what is overriding the AUTO_BLOCK_TIMEOUT and the danger
level manually defined in the snort_rules_dl file?

And how can I fix this problem?
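To check whether a configured AUTO_BLOCK_TIMEOUT is actually being honored, the following is an added example (not from the original post and not psad's own code) that parses syslog-style lines carrying the "added/removed iptables auto-block" messages quoted above and reports how long each block was held. The syslog prefix format, the hostname, the timestamps and the second and third IPs are constructed assumptions; the masked 182.x.x.100 is the value from the post.

```python
import re
from datetime import datetime

# Constructed sample syslog lines modelled on the messages quoted in the post.
# Timestamps, hostname "fw" and the 10.0.0.x addresses are made up.
SAMPLE_LOG = """\
Nov 12 10:00:03 fw psad: added iptables auto-block against 182.x.x.100 (unlimited timeout)
Nov 12 10:01:10 fw psad: removed iptables auto-block against 182.x.x.100
Nov 12 10:05:00 fw psad: added iptables auto-block against 10.0.0.7 (unlimited timeout)
Nov 12 11:05:00 fw psad: removed iptables auto-block against 10.0.0.7
Nov 12 11:30:00 fw psad: added iptables auto-block against 10.0.0.9 (unlimited timeout)
"""

AUTO_BLOCK_TIMEOUT = 3600  # seconds, the value the post says was configured

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> psad: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ psad: "
    r"(?P<action>added|removed) iptables auto-block against (?P<ip>\S+)"
)


def parse_ts(ts: str, year: int) -> datetime:
    # Classic syslog timestamps carry no year, so one is supplied by the caller.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def audit_auto_blocks(log_text: str, timeout: int = AUTO_BLOCK_TIMEOUT, year: int = 2013) -> dict:
    """Pair each 'added' with the next 'removed' for the same IP.

    Returns {ip: {"held": seconds or None, "early": bool}} where "early" marks a
    block that was lifted before the configured timeout; "held" is None for a
    block that is still in place at the end of the log.
    """
    opened, results = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated psad chatter or other daemons
        ts, ip = parse_ts(m["ts"], year), m["ip"]
        if m["action"] == "added":
            opened[ip] = ts
        elif ip in opened:
            held = (ts - opened.pop(ip)).total_seconds()
            results[ip] = {"held": held, "early": held < timeout}
    for ip in opened:  # blocks never removed within this log window
        results[ip] = {"held": None, "early": False}
    return results


if __name__ == "__main__":
    for ip, r in audit_auto_blocks(SAMPLE_LOG).items():
        print(f"{ip}: held={r['held']} early={r['early']}")
```

Run it against /var/log/messages (or wherever psad's syslog output lands) instead of SAMPLE_LOG; an "early" entry shows a block lifted well before AUTO_BLOCK_TIMEOUT, which is the behaviour the post describes.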


psad-discuss mailing list
