Thanks for sharing, but just confirming as i am not native english speaker.
correct me if i am wrong. what i am getting from your email is that,
fwsnort daemon work individually and inspect all the traffic coming through
the interface. ones its finds any packet matching in snore rule, it trigger
and logs a code in iptables log so that PSAD can understand it. then
further PSAD daemon find that log and perform its actions according to
psad.conf.

am i correct with the understanding?

Thanks,


On Sun, Nov 9, 2014 at 3:20 AM, Michael Rash <michael.r...@gmail.com> wrote:

>
> On Sat, Nov 8, 2014 at 3:42 PM, Muhammad Yousuf Khan <sir...@gmail.com>
> wrote:
>
>> Thanks for sharing Micheal it is very informative i will start working on
>> this on monday.
>> but i also have another question for my learning that iptables logs are
>> very limited. and what PSAD does is just read the iptable logs and make the
>> decisions set in conf file and signature file.
>> i had experience working in fwsnort and fwsnort is run in conjunction
>> with psad. and give psad the ability to read packets in more details. like
>> it can find and trigger rules with mimetype and other deep level
>> inspection. so my question is where psad read all the information of the
>> packet because Firewall log is very limited it does not contain mime types
>> or other deep packet information. as far as i know. because the firewall
>> log i see in /var/log/messages does not contain any deep level information.
>>
>
> If you are also running fwsnort, then the linkage between an fwsnort rule
> match and psad is the Snort ID value. When fwsnort triggers on application
> layer data (which of course is not natively included in any iptables log
> message), then the iptables log prefix will include the SID in a string
> like "SID12345" in the log message. psad is always looking for these
> strings, and once it sees one, then it knows that fwsnort made a match
> against application layer data.
>
> Thanks,
>
> --Mike
>
>
>>
>>
>>
>> Thanks,
>>
>>
>> On Sat, Nov 8, 2014 at 7:46 AM, Michael Rash <michael.r...@gmail.com>
>> wrote:
>>
>>>
>>> On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan <sir...@gmail.com>
>>> wrote:
>>>
>>>> HI,
>>>>
>>>> Can anyone please explain that how can i make custom rule.
>>>> i can see rules in /etc/psad/signatures however i can not understand
>>>> the format.
>>>> can anyone throw some light on this.
>>>>
>>>> for example if i want to trigger an alarm and block IP if traffic found
>>>> on 5060 TCP or UDP both.
>>>>
>>>> and
>>>>
>>>> for example if i want to block traffic on TCP flag bases.
>>>>
>>>
>>> Sure, given the scenario you've described above, here is a candidate
>>> signature:
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic";
>>> flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)
>>>
>>> Note that some of the keywords like 'psad_derived_sids' etc. are
>>> optional - the above rule should assign danger level 5 (the highest) to any
>>> external IP that sends a SYN packet to TCP port 5060 (and when this packet
>>> is logged by iptables of course). This will result in a dedicated alert
>>> from psad. If you also want psad to block the source IP, then you would
>>> need to set the ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf
>>> file.
>>>
>>> Another way to look at this is that if you already know that you want to
>>> block and IP that tries to communicate with port 5060, then you could
>>> instantiate a default blocking rule in your iptables policy for such
>>> traffic. Or, if you want to block IP's that try TCP flags that don't match
>>> the normal sequence of flags as defined by TCP itself and tracked by the
>>> iptables connection tracking code, then your policy could accept traffic
>>> via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
>>> are outside these criteria. In this case, psad can apply persistent
>>> blocking rules to IP's that fall into this category. For example, you could
>>> change the "flags: S;" in the rule above to "flags: F;" if you want to
>>> block IP's that issue a FIN scan.
>>>
>>> Thanks,
>>>
>>> --Mike
>>>
>>>
>>>
>>>>
>>>>
>>>> any help will be highly appreciated.
>>>>
>>>>
>>>> Thanks,
>>>> MYK
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> psad-discuss mailing list
>>>> psad-discuss@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>>>>
>>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> psad-discuss mailing list
>>> psad-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>>>
>>>
>>
>
>
> --
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>
>
------------------------------------------------------------------------------
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss

Reply via email to