Thanks Michael Rash, you cleared my confusion. I was always confused about
the way they work together.
Thanks for designing such a wonderful product.


On Tue, Nov 11, 2014 at 6:29 PM, Michael Rash <michael.r...@gmail.com>
wrote:

>
> On Mon, Nov 10, 2014 at 8:12 AM, Muhammad Yousuf Khan <sir...@gmail.com>
> wrote:
>
>> Thanks for sharing, but just confirming as I am not a native English
>> speaker.
>> Correct me if I am wrong. What I am getting from your email is that the
>> fwsnort daemon works individually and inspects all the traffic coming through
>> the interface. Once it finds any packet matching a Snort rule, it triggers
>> and logs a code in the iptables log so that PSAD can understand it. Then
>> further the PSAD daemon finds that log and performs its actions according to
>> psad.conf.
>>
>> Am I correct with the understanding?
>>
>
> Yes, that is correct.
>
> --Mike
>
>
>
>
>>
>> Thanks,
>>
>>
>> On Sun, Nov 9, 2014 at 3:20 AM, Michael Rash <michael.r...@gmail.com>
>> wrote:
>>
>>>
>>> On Sat, Nov 8, 2014 at 3:42 PM, Muhammad Yousuf Khan <sir...@gmail.com>
>>> wrote:
>>>
>>>> Thanks for sharing Michael, it is very informative. I will start working
>>>> on this on Monday.
>>>> But I also have another question for my learning: iptables logs are
>>>> very limited, and what PSAD does is just read the iptables logs and make the
>>>> decisions set in the conf file and signature file.
>>>> I had experience working with fwsnort, and fwsnort is run in conjunction
>>>> with psad and gives psad the ability to read packets in more detail. Like
>>>> it can find and trigger rules with mimetype and other deep level
>>>> inspection. So my question is where psad reads all the information of the
>>>> packet, because the firewall log is very limited; it does not contain mime types
>>>> or other deep packet information, as far as I know, because the firewall
>>>> log I see in /var/log/messages does not contain any deep level information.
>>>>
>>>
>>> If you are also running fwsnort, then the linkage between an fwsnort
>>> rule match and psad is the Snort ID value. When fwsnort triggers on
>>> application layer data (which of course is not natively included in any
>>> iptables log message), then the iptables log prefix will include the SID in
>>> a string like "SID12345" in the log message. psad is always looking for
>>> these strings, and once it sees one, then it knows that fwsnort made a
>>> match against application layer data.
>>>
>>> Thanks,
>>>
>>> --Mike
>>>
>>>
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>>
>>>> On Sat, Nov 8, 2014 at 7:46 AM, Michael Rash <michael.r...@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan <sir...@gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Can anyone please explain how I can make a custom rule?
>>>>>> I can see rules in /etc/psad/signatures, however I cannot understand
>>>>>> the format.
>>>>>> Can anyone throw some light on this?
>>>>>>
>>>>>> For example, if I want to trigger an alarm and block the IP if traffic is
>>>>>> found on 5060, TCP or UDP both.
>>>>>>
>>>>>> And
>>>>>>
>>>>>> for example, if I want to block traffic on a TCP flag basis.
>>>>>>
>>>>>
>>>>> Sure, given the scenario you've described above, here is a candidate
>>>>> signature:
>>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic"; flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)
>>>>>
>>>>> Note that some of the keywords like 'psad_derived_sids' etc. are
>>>>> optional - the above rule should assign danger level 5 (the highest) to any
>>>>> external IP that sends a SYN packet to TCP port 5060 (and when this packet
>>>>> is logged by iptables of course). This will result in a dedicated alert
>>>>> from psad. If you also want psad to block the source IP, then you would
>>>>> need to set the ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf
>>>>> file.
>>>>>
>>>>> Another way to look at this is that if you already know that you want
>>>>> to block an IP that tries to communicate with port 5060, then you could
>>>>> instantiate a default blocking rule in your iptables policy for such
>>>>> traffic. Or, if you want to block IPs that try TCP flags that don't match
>>>>> the normal sequence of flags as defined by TCP itself and tracked by the
>>>>> iptables connection tracking code, then your policy could accept traffic
>>>>> via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
>>>>> are outside these criteria. In this case, psad can apply persistent
>>>>> blocking rules to IPs that fall into this category. For example, you could
>>>>> change the "flags: S;" in the rule above to "flags: F;" if you want to
>>>>> block IPs that issue a FIN scan.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> --Mike
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> any help will be highly appreciated.
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> MYK
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>>
>>>>>> _______________________________________________
>>>>>> psad-discuss mailing list
>>>>>> psad-discuss@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Michael Rash | Founder
>>> http://www.cipherdyne.org/
>>> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
>>>
>>>
>>>
>>>
>>
>
>
> --
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
>
>
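To make the two paths Mike describes in this thread concrete (psad matching its own signature against iptables log fields, and psad recognising an fwsnort "SID" string in the log prefix), here is an added Python example; it is not psad's code (psad itself is Perl), the log lines, addresses and SID value are constructed, and the signature parser is deliberately simplified.

```python
import re

# Constructed sample: the candidate signature from the thread, in psad's Snort-like format.
SIGNATURE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic"; '
             'flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)')

# Constructed iptables LOG lines (addresses from documentation ranges). The LOG target
# emits TCP flags as bare tokens (SYN, FIN, ...); the "SID200123" prefix stands in for
# the string an fwsnort-generated rule would put in its log prefix.
LOG_LINES = [
    "Nov 11 18:29:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "PROTO=TCP SPT=40001 DPT=5060 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Nov 11 18:29:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "PROTO=TCP SPT=40002 DPT=5060 WINDOW=1024 RES=0x00 FIN URGP=0",
    "Nov 11 18:29:03 fw kernel: SID200123 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=51000 DPT=80 WINDOW=1024 RES=0x00 ACK PSH URGP=0",
]

FLAG_NAMES = {"S": "SYN", "F": "FIN", "A": "ACK", "R": "RST", "P": "PSH", "U": "URG"}

def parse_signature(sig):
    """Split a signature into header fields and options (simplified: no ':' inside msg)."""
    head, opts = sig.split("(", 1)
    _action, proto, _src, _sport, _arrow, _dst, dport = head.split()
    options = dict(o.strip().split(":", 1) for o in opts.rstrip(")").split(";") if o.strip())
    return {"proto": proto.upper(), "dport": dport, "flags": options.get("flags"),
            "psad_id": options.get("psad_id"), "dl": int(options.get("psad_dl", "1"))}

def parse_log(line):
    """Pull KEY=VALUE pairs, the bare TCP flag tokens and any fwsnort SID string."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    fields["FLAGS"] = {f for f in FLAG_NAMES.values() if re.search(r"\b%s\b" % f, line)}
    sid = re.search(r"\bSID(\d+)\b", line)
    fields["SID"] = sid.group(1) if sid else None
    return fields

def match(line, sig):
    """fwsnort path: a SID string means an application-layer match already happened.
    psad path: compare protocol, destination port and the exact TCP flag set."""
    log = parse_log(line)
    if log["SID"]:
        return ("fwsnort", log["SID"])
    if log.get("PROTO") != sig["proto"] or sig["dport"] not in ("any", log.get("DPT")):
        return None
    if sig["flags"] and log["FLAGS"] != {FLAG_NAMES[c] for c in sig["flags"]}:
        return None
    return (sig["psad_id"], sig["dl"])

def run(lines=LOG_LINES, sig=SIGNATURE):
    parsed = parse_signature(sig)
    return [match(line, parsed) for line in lines]
```

Swapping `flags:S` for `flags:F`, as Mike suggests for a FIN scan, moves the hit from the first log line to the second while the SID line is still reported as an fwsnort match.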