Thanks for sharing Micheal it is very informative i will start working on
this on monday.
but i also have another question for my learning that iptables logs are
very limited. and what PSAD does is just read the iptable logs and make the
decisions set in conf file and signature file.
i had experience working in fwsnort and fwsnort is run in conjunction with
psad. and give psad the ability to read packets in more details. like it
can find and trigger rules with mimetype and other deep level inspection.
so my question is where psad read all the information of the packet because
Firewall log is very limited it does not contain mime types or other deep
packet information. as far as i know. because the firewall log i see in
/var/log/messages does not contain any deep level information.



Thanks,


On Sat, Nov 8, 2014 at 7:46 AM, Michael Rash <michael.r...@gmail.com> wrote:

>
> On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan <sir...@gmail.com>
> wrote:
>
>> HI,
>>
>> Can anyone please explain that how can i make custom rule.
>> i can see rules in /etc/psad/signatures however i can not understand the
>> format.
>> can anyone throw some light on this.
>>
>> for example if i want to trigger an alarm and block IP if traffic found
>> on 5060 TCP or UDP both.
>>
>> and
>>
>> for example if i want to block traffic on TCP flag bases.
>>
>
> Sure, given the scenario you've described above, here is a candidate
> signature:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic";
> flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)
>
> Note that some of the keywords like 'psad_derived_sids' etc. are optional
> - the above rule should assign danger level 5 (the highest) to any external
> IP that sends a SYN packet to TCP port 5060 (and when this packet is logged
> by iptables of course). This will result in a dedicated alert from psad. If
> you also want psad to block the source IP, then you would need to set the
> ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf file.
>
> Another way to look at this is that if you already know that you want to
> block and IP that tries to communicate with port 5060, then you could
> instantiate a default blocking rule in your iptables policy for such
> traffic. Or, if you want to block IP's that try TCP flags that don't match
> the normal sequence of flags as defined by TCP itself and tracked by the
> iptables connection tracking code, then your policy could accept traffic
> via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
> are outside these criteria. In this case, psad can apply persistent
> blocking rules to IP's that fall into this category. For example, you could
> change the "flags: S;" in the rule above to "flags: F;" if you want to
> block IP's that issue a FIN scan.
>
> Thanks,
>
> --Mike
>
>
>
>>
>>
>> any help will be highly appreciated.
>>
>>
>> Thanks,
>> MYK
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> psad-discuss mailing list
>> psad-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>>
>>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>
>
------------------------------------------------------------------------------
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss

Reply via email to