On Mon, Nov 10, 2014 at 8:12 AM, Muhammad Yousuf Khan <sir...@gmail.com>
wrote:

> Thanks for sharing, but just confirming, as I am not a native English
> speaker.
> Correct me if I am wrong. What I am getting from your email is that the
> fwsnort daemon works individually and inspects all the traffic coming through
> the interface. Once it finds any packet matching a Snort rule, it triggers
> and logs a code in the iptables log so that PSAD can understand it. Then
> further the PSAD daemon finds that log and performs its actions according to
> psad.conf.
>
> Am I correct in this understanding?
>

Yes, that is correct.

--Mike




>
> Thanks,
>
>
> On Sun, Nov 9, 2014 at 3:20 AM, Michael Rash <michael.r...@gmail.com>
> wrote:
>
>>
>> On Sat, Nov 8, 2014 at 3:42 PM, Muhammad Yousuf Khan <sir...@gmail.com>
>> wrote:
>>
>>> Thanks for sharing, Michael, it is very informative; I will start working
>>> on this on Monday.
>>> But I also have another question for my learning: iptables logs are
>>> very limited, and what PSAD does is just read the iptables logs and make the
>>> decisions set in the conf file and signature file.
>>> I have experience working with fwsnort, and fwsnort is run in conjunction
>>> with psad and gives psad the ability to read packets in more detail, like
>>> it can find and trigger rules with MIME type and other deep-level
>>> inspection. So my question is where psad reads all the information of the
>>> packet, because the firewall log is very limited; it does not contain MIME types
>>> or other deep packet information, as far as I know, because the firewall
>>> log I see in /var/log/messages does not contain any deep-level information.
>>>
>>
>> If you are also running fwsnort, then the linkage between an fwsnort rule
>> match and psad is the Snort ID value. When fwsnort triggers on application
>> layer data (which of course is not natively included in any iptables log
>> message), then the iptables log prefix will include the SID in a string
>> like "SID12345" in the log message. psad is always looking for these
>> strings, and once it sees one, then it knows that fwsnort made a match
>> against application layer data.
>>
>> Thanks,
>>
>> --Mike
>>
>>
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>> On Sat, Nov 8, 2014 at 7:46 AM, Michael Rash <michael.r...@gmail.com>
>>> wrote:
>>>
>>>>
>>>> On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan <sir...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can anyone please explain how I can make a custom rule?
>>>>> I can see rules in /etc/psad/signatures; however, I cannot understand
>>>>> the format.
>>>>> Can anyone throw some light on this?
>>>>>
>>>>> For example, if I want to trigger an alarm and block an IP if traffic is
>>>>> found on 5060, TCP or UDP, both.
>>>>>
>>>>> and
>>>>>
>>>>> For example, if I want to block traffic on a TCP flag basis.
>>>>>
>>>>
>>>> Sure, given the scenario you've described above, here is a candidate
>>>> signature:
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic";
>>>> flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)
>>>>
>>>> Note that some of the keywords like 'psad_derived_sids' etc. are
>>>> optional - the above rule should assign danger level 5 (the highest) to any
>>>> external IP that sends a SYN packet to TCP port 5060 (and when this packet
>>>> is logged by iptables of course). This will result in a dedicated alert
>>>> from psad. If you also want psad to block the source IP, then you would
>>>> need to set the ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf
>>>> file.
>>>>
>>>> Another way to look at this is that if you already know that you want
>>>> to block an IP that tries to communicate with port 5060, then you could
>>>> instantiate a default blocking rule in your iptables policy for such
>>>> traffic. Or, if you want to block IPs that try TCP flags that don't match
>>>> the normal sequence of flags as defined by TCP itself and tracked by the
>>>> iptables connection tracking code, then your policy could accept traffic
>>>> via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
>>>> are outside these criteria. In this case, psad can apply persistent
>>>> blocking rules to IPs that fall into this category. For example, you could
>>>> change the "flags: S;" in the rule above to "flags: F;" if you want to
>>>> block IPs that issue a FIN scan.
>>>>
>>>> Thanks,
>>>>
>>>> --Mike
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>> Any help will be highly appreciated.
>>>>>
>>>>>
>>>>> Thanks,
>>>>> MYK
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
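As an added illustration of the two mechanisms discussed in this thread (example code written for this page, not psad's or fwsnort's own code): a small Python script that parses iptables LOG lines, matches them against psad-style signatures of the kind shown above (protocol, destination port, TCP flags, psad_id, psad_dl), records any fwsnort "SID<n>" string found in the log prefix, keeps the highest danger level per source IP, and lists the sources that would be blocked at a given danger-level threshold. The log lines are constructed; the "SID12345 ESTAB" prefix layout is an assumption beyond the bare "SID12345" string the thread mentions; and the threshold parameter stands in for psad's auto-blocking configuration rather than reproducing psad.conf. The UDP and FIN signatures are additions to cover the "TCP or UDP both" and "TCP flag basis" parts of the original question.

```python
"""Added example (not psad's own code): match iptables LOG lines against
psad-style signatures and pick out fwsnort "SID<n>" log prefixes.
The sample log lines are constructed; the field order follows the
standard iptables LOG target output."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

_KV = re.compile(r'\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)')
_SID = re.compile(r'\bSID(\d+)\b')  # fwsnort puts "SIDnnnn" in the --log-prefix text
FLAG_LETTERS = {'S': 'SYN', 'A': 'ACK', 'F': 'FIN', 'R': 'RST', 'P': 'PSH', 'U': 'URG'}


@dataclass
class Signature:
    """Subset of a psad signature: proto, dest port, TCP flags, psad_id, psad_dl."""
    msg: str
    proto: str                  # 'tcp' or 'udp'
    dport: int
    flags: Optional[str]        # Snort flag letters, e.g. 'S' or 'F'; None = any
    psad_id: int
    psad_dl: int                # danger level 1..5


# The candidate signature from the thread, plus a UDP twin and a FIN variant
# (the last two are assumptions added for this example).
SIGNATURES = [
    Signature("port 5060 traffic", "tcp", 5060, "S", 200001, 5),
    Signature("port 5060 UDP traffic", "udp", 5060, None, 200002, 5),
    Signature("FIN scan against 5060", "tcp", 5060, "F", 200003, 4),
]


def parse_log(line: str) -> Optional[dict]:
    """Pull the fields this example needs out of one iptables LOG line."""
    fields = dict(_KV.findall(line))
    if 'SRC' not in fields or 'PROTO' not in fields:
        return None                      # not an iptables LOG message
    prefix = line.split('IN=', 1)[0]     # --log-prefix text sits before IN=
    sid = _SID.search(prefix)
    fields['sid'] = int(sid.group(1)) if sid else None
    # TCP flag names are printed after RES=; collect the ones that are set.
    tail = line.split('PROTO=', 1)[1]
    fields['flags'] = {n for n in FLAG_LETTERS.values() if re.search(r'\b%s\b' % n, tail)}
    return fields


def matches(sig: Signature, ev: dict) -> bool:
    """Snort-style flags:S means SYN set and no other flag set, so compare sets."""
    if ev['PROTO'].lower() != sig.proto or ev.get('DPT') != str(sig.dport):
        return False
    if sig.flags is not None and ev['flags'] != {FLAG_LETTERS[c] for c in sig.flags}:
        return False
    return True


@dataclass
class SourceState:
    danger_level: int = 0
    psad_ids: Set[int] = field(default_factory=set)
    fwsnort_sids: Set[int] = field(default_factory=set)


def analyze(lines, sigs=SIGNATURES) -> Dict[str, SourceState]:
    """Fold log lines into per-source state: highest danger level, which psad
    signatures fired, and which fwsnort SIDs were seen in log prefixes."""
    state: Dict[str, SourceState] = {}
    for line in lines:
        ev = parse_log(line)
        if ev is None:
            continue
        st = state.setdefault(ev['SRC'], SourceState())
        if ev['sid'] is not None:
            st.fwsnort_sids.add(ev['sid'])   # application-layer match made by fwsnort
        for sig in sigs:
            if matches(sig, ev):
                st.psad_ids.add(sig.psad_id)
                st.danger_level = max(st.danger_level, sig.psad_dl)
    return state


def to_block(state: Dict[str, SourceState], threshold: int = 5):
    """Sources whose danger level reached the block threshold; the threshold
    stands in for psad's auto-blocking settings (ENABLE_AUTO_IDS) here."""
    return sorted(ip for ip, st in state.items() if st.danger_level >= threshold)


# Constructed sample log lines (kernel timestamps and MAC fields omitted).
SAMPLE_LOG = [
    "Nov 10 08:12:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43512 DPT=5060 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov 10 08:12:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=61000 DPT=5060 WINDOW=1024 RES=0x00 FIN URGP=0",
    "Nov 10 08:12:03 fw kernel: SID12345 ESTAB IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=512 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=50214 DPT=80 WINDOW=501 RES=0x00 ACK PSH URGP=0",
    "Nov 10 08:12:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=36 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=UDP SPT=5060 DPT=5060 LEN=16",
    "Nov 10 08:12:05 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, st in sorted(result.items()):
        print(ip, st)
    print("would block:", to_block(result))
```

Running it shows the SYN to TCP 5060 and the UDP packet to 5060 reaching danger level 5 and landing in the block list, the FIN-only packet matching the FIN signature at danger level 4 (alert but no block at threshold 5), and the fwsnort line being attributed to its source by SID even though no port/flag signature fired on it. Note that the flag comparison is an exact set match, which is what Snort's `flags:S;` means; a scan that sets SYN together with other flags would need a different signature.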
