Hello!
I am not understanding how I implement the AUTO_IDS stuff...
things aren't working as expected...
I have these settings, cutting out perhaps most...
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 3;
ENABLE_AUTO_IDS_REGEX N;
IPTABLES_BLOCK_METHOD Y;
IPT_AUTO_CHAIN1 DROP, src, filter, drop-rules-INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, drop-rules-OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, drop-rules-FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
Somehow, I got the idea that psad would create the PSAD_BLOCK_* chains and
insert the jumps to those blocks in the appropriate drop-rules-* chains...
But all it seemed to do is verify that the drop-rules-(INPUT,OUTPUT,FORWARD)
chains are there, and that the PSAD_BLOCK_(INPUT,OUTPUT,FORWARD) chains are
there...
Using psad --debug, I see these kinds of commands issued for each of
(INPUT, OUTPUT, FORWARD):
iptables -t filter -v -n -L drop-rules-INPUT
and then, later,
iptables -t filter -v -n -L PSAD_BLOCK_INPUT
iptables -t filter -F PSAD_BLOCK_INPUT
So, my question is: if users are responsible for making sure all the
PSAD_BLOCK_* chains exist before starting psad, then why do we have to
mention the parent chain at all? Who cares?
murf
--
Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉ murf at parsetree dot com
☎ 307-899-5535
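Added example (not psad's own code, and not from the poster): a small POSIX sh check that reads the IPT_AUTO_CHAIN lines in the form shown above, confirms the parent chain and the PSAD_BLOCK_* chain both exist, and confirms the parent actually jumps into the auto chain, which is the wiring the post is unsure about. The `iptables -n -L` output format is assumed to be the standard one; the sample listings are constructed so the parsing runs without root.

```shell
#!/bin/sh
# Added example, not psad's code. Assumes the psad.conf value layout from the
# post: <action>, <src|dst|both>, <table>, <parent chain>, <pos>, <auto chain>, <pos>;

# Print "table parent auto_chain" for one IPT_AUTO_CHAINn config line.
parse_auto_chain() {
    printf '%s\n' "$1" | sed 's/;[ \t]*$//' | awk -F',' '{
        for (i = 3; i <= 6; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        print $3, $4, $6
    }'
}

# $1 = output of `iptables -t TABLE -n -L PARENT`, $2 = chain name.
# Succeeds if some rule in PARENT has $2 as its target (header lines skipped).
listing_has_jump() {
    printf '%s\n' "$1" | awk -v t="$2" 'NR > 2 && $1 == t { found = 1 }
                                     END { exit found ? 0 : 1 }'
}

# Live check against the running firewall (needs root and iptables in PATH).
check_auto_chain() {
    set -- $(parse_auto_chain "$1")
    table=$1 parent=$2 auto=$3
    listing=$(iptables -t "$table" -n -L "$parent" 2>/dev/null) ||
        { echo "MISSING parent chain $parent (table $table)"; return 1; }
    iptables -t "$table" -n -L "$auto" >/dev/null 2>&1 ||
        { echo "MISSING auto chain $auto (table $table)"; return 1; }
    listing_has_jump "$listing" "$auto" && { echo "OK $parent -> $auto"; return 0; }
    echo "NO JUMP: $parent never reaches $auto; hook it with:"
    echo "  iptables -t $table -I $parent 1 -j $auto"
    return 1
}

# Constructed sample listings (shape of `iptables -n -L drop-rules-INPUT`).
SAMPLE_WITH_JUMP='Chain drop-rules-INPUT (1 references)
target     prot opt source               destination
PSAD_BLOCK_INPUT  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0'
SAMPLE_NO_JUMP='Chain drop-rules-INPUT (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

parse_auto_chain 'IPT_AUTO_CHAIN1 DROP, src, filter, drop-rules-INPUT, 1, PSAD_BLOCK_INPUT, 1;'
listing_has_jump "$SAMPLE_WITH_JUMP" PSAD_BLOCK_INPUT && echo "sample 1: jump present"
listing_has_jump "$SAMPLE_NO_JUMP" PSAD_BLOCK_INPUT || echo "sample 2: jump absent"
```

Run `check_auto_chain` on each IPT_AUTO_CHAIN line as root to test the live ruleset; the bottom of the script only exercises the parsers on the constructed samples.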
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss