On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan <sir...@gmail.com>
wrote:

> HI,
>
> Can anyone please explain how I can make a custom rule?
> I can see rules in /etc/psad/signatures; however, I cannot understand the
> format.
> Can anyone throw some light on this?
>
> For example, if I want to trigger an alarm and block an IP if traffic is found on
> 5060 TCP or UDP (both).
>
> and
>
> For example, if I want to block traffic on a TCP flag basis.
>

Sure, given the scenario you've described above, here is a candidate
signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic";
flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)

Note that some of the keywords like 'psad_derived_sids' etc. are optional -
the above rule should assign danger level 5 (the highest) to any external
IP that sends a SYN packet to TCP port 5060 (and when this packet is logged
by iptables of course). This will result in a dedicated alert from psad. If
you also want psad to block the source IP, then you would need to set the
ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf file.

Another way to look at this is that if you already know that you want to
block an IP that tries to communicate with port 5060, then you could
instantiate a default blocking rule in your iptables policy for such
traffic. Or, if you want to block IPs that try TCP flags that don't match
the normal sequence of flags as defined by TCP itself and tracked by the
iptables connection tracking code, then your policy could accept traffic
via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
are outside these criteria. In this case, psad can apply persistent
blocking rules to IPs that fall into this category. For example, you could
change the "flags:S;" in the rule above to "flags:F;" if you want to
block IPs that issue a FIN scan.

Thanks,

--Mike



>
>
> any help will be highly appreciated.
>
>
> Thanks,
> MYK
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>
>
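As an added illustration (this is not code from the thread above and not psad's own code), the following Python script shows how the fields of a signature in the format Mike gives line up with the fields iptables writes into syslog, and how the resulting per-source danger level turns into an auto-block decision once ENABLE_AUTO_IDS is Y. Everything beyond the psad_id 200001 rule quoted in the reply is an assumption made here: the FIN-scan and UDP signatures and their psad_id values are invented, the HOME_NET/EXTERNAL_NET values and the AUTO_IDS_DANGER_LEVEL threshold are stand-ins for whatever a real psad.conf contains, the Snort-style '+' and '*' flag modifiers are implemented from Snort's documented semantics rather than psad's source, and the iptables LOG lines are constructed.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

# Assumed psad.conf values for this example. ENABLE_AUTO_IDS is the variable
# named in the reply; HOME_NET, EXTERNAL_NET and the AUTO_IDS_DANGER_LEVEL
# threshold are assumptions, not copied from a real psad.conf.
CONF = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "any",
        "ENABLE_AUTO_IDS": "Y", "AUTO_IDS_DANGER_LEVEL": 5}

# Constructed signatures: the first is the rule from the reply (psad_id 200001);
# the FIN-scan and UDP variants, and their psad_id values, are invented here.
SIGNATURES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic"; flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 FIN scan"; flags:F; classtype:misc-activity; psad_id:200002; psad_dl:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 UDP traffic"; classtype:misc-activity; psad_id:200003; psad_dl:3;)
"""

# Constructed iptables LOG lines (RFC 5737 documentation addresses): SYN to
# 5060, FIN to 5060, UDP to 5060, SYN to 22 (no rule), ACK to 5060 (no rule).
LOG_LINES = """
Nov  7 09:30:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=5060 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 09:30:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=5060 WINDOW=1024 RES=0x00 FIN URGP=0
Nov  7 09:30:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=448 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=UDP SPT=5060 DPT=5060 LEN=428
Nov  7 09:30:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 09:30:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=5060 WINDOW=29200 RES=0x00 ACK URGP=0
"""

SIG_RE = re.compile(r"^alert\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# iptables LOG writes TCP flags as bare tokens after RES=; signatures use
# Snort's single-letter flag names.
FLAG_LETTERS = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P",
                "ACK": "A", "URG": "U", "ECE": "E", "CWR": "C"}

def parse_signature(line: str) -> Dict[str, Any]:
    """Header fields from the regex plus every 'key:value;' option as a dict entry."""
    m = SIG_RE.match(line.strip())
    if not m:
        raise ValueError("not a psad signature: %r" % line)
    sig: Dict[str, Any] = m.groupdict()
    for opt in m.group("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            sig[key] = val.strip().strip('"')
    sig["psad_id"] = int(sig["psad_id"])
    sig["psad_dl"] = int(sig.get("psad_dl", 1))
    return sig

def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """KEY=VALUE fields of an iptables LOG line, plus '_flags' as Snort letters."""
    if "PROTO=" not in line:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""  # flag tokens follow RES=
    fields["_flags"] = "".join(FLAG_LETTERS[t] for t in tail.split() if t in FLAG_LETTERS)
    return fields

def net_matches(spec: str, ip: str) -> bool:
    # $HOME_NET / $EXTERNAL_NET are resolved from the assumed CONF values above.
    spec = {"$HOME_NET": CONF["HOME_NET"], "$EXTERNAL_NET": CONF["EXTERNAL_NET"]}.get(spec, spec)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def flags_match(spec: Optional[str], seen: str) -> bool:
    """Snort semantics: 'S' = exactly SYN set; 'S+' = SYN plus anything; 'S*' = any of."""
    if spec is None:
        return True
    mod = spec[-1] if spec[-1] in "+*" else ""
    want, have = set(spec.rstrip("+*")), set(seen)
    if mod == "+":
        return want <= have
    return bool(want & have) if mod == "*" else want == have

def matches(sig: Dict[str, Any], f: Dict[str, str]) -> bool:
    if f.get("PROTO", "").lower() != sig["proto"]:
        return False
    return (net_matches(sig["src"], f["SRC"]) and net_matches(sig["dst"], f["DST"])
            and sig["sport"] in ("any", f.get("SPT")) and sig["dport"] in ("any", f.get("DPT"))
            and flags_match(sig.get("flags"), f["_flags"]))

def run(sig_text: str, log_text: str) -> Tuple[List[Tuple[str, int, int]], Dict[str, int], List[str]]:
    """Return (alerts as (src, psad_id, psad_dl), highest danger level per src, auto-blocked srcs)."""
    sigs = [parse_signature(l) for l in sig_text.strip().splitlines()]
    alerts, danger = [], {}
    for line in log_text.strip().splitlines():
        f = parse_log_line(line)
        for sig in sigs if f else []:
            if matches(sig, f):
                alerts.append((f["SRC"], sig["psad_id"], sig["psad_dl"]))
                danger[f["SRC"]] = max(danger.get(f["SRC"], 0), sig["psad_dl"])  # keep the highest
    # Blocking only happens with ENABLE_AUTO_IDS Y and a danger level at or
    # above the (assumed) AUTO_IDS_DANGER_LEVEL threshold.
    blocked = sorted(ip for ip, dl in danger.items()
                     if CONF["ENABLE_AUTO_IDS"] == "Y" and dl >= CONF["AUTO_IDS_DANGER_LEVEL"])
    return alerts, danger, blocked

if __name__ == "__main__":
    found, levels, to_block = run(SIGNATURES, LOG_LINES)
    print("alerts:", found, "\ndanger levels:", levels, "\nauto-block:", to_block)
```

Run as is, the SYN and FIN packets to 5060 each fire their rule and push 203.0.113.5 to danger level 5, which crosses the assumed threshold and puts it on the block list; the UDP packet fires the psad_dl:3 rule but 198.51.100.7 stays below the threshold; the SYN to port 22 and the bare ACK to 5060 match nothing, since "flags:S;" means SYN and only SYN. The same flags_match function is what turns "flags:F;" into the FIN-scan rule mentioned at the end of the reply.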