On Sat, Apr 4, 2015 at 11:23 PM, Paul F. Versloot <paulversl...@gmail.com>

>  Hello out there,

I meant to respond to this and didn't make it until now, apologies. If you
are still running psad, here are a few responses to your questions below:

> For several weeks, I've got Shorewall happily configured on my Linux
> box. All the possible multicast- and broadcast addresses are logged, but
> there is no annoying email-warning-alert of the local router broadcast
> anymore!. (so finally the Shorewall-firewall is properly configured and
> Psad for about +/-80%

Ok, that sounds good.

> My configuration is as follows:
> Shorewall in combination with Psad v2.2.1 on Ubuntu 14.04.1 LTS
> (x32).
> My question is:
> How do I set the options to quickly autoblock ipv4-addresses with Psad,
> when somebody is tracing open ports of the firewall (net zone of course)
> with nMap in stealth mode (scanning all the TCP ports, with a Windows
> nMap it takes about 1.5 hour).
> Last week, I've got several waring emails (from Psad of course) AFTER
> 1.5 HOUR, with a test with nMap and the above options. (scanning option
> all UDP ports, had the same result).
> My goal is very simple:
> If anyone is scanning a port of my firewall, or a (little) range, I
> would like to autoblock the IP-address automatically and immediately.
> (of course Psad must send direct an alert to the system account)
> This test was last week successful, but far to slow and with to much
> Psad emails.
> After filtering all the Psad (false positive warnings about all the
> *-casts) AND altering a few configuration parameters in the Psad config-
> file, a same rescan didn't autoblock and alert at all...
> With shorewall, I USE 3 levels of logging (filtered bij RSyslogd ->
> shorewall.log):
> 1. INFO
> 2. WARN(ing)
> 3. none(!)
> All the logs of the Shorewall specific iptables and netfilter rules
> are filtered only to the shorewall.log file, with the standard default
> prefix.
> The changes I've made in Psad were the following (I've lowered the
> original values):
>         ### Danger levels.  These represent the total number of
>         ### packets required for a scan to reach each danger level.
>         ### A scan may also reach a danger level if the scan trips
>         ### a signature or if the scanning ip is listed in
>         ### auto_ips so a danger level is automatically
>         ### assigned.
>         DANGER_LEVEL1               5;    ### Number of packets.
>         DANGER_LEVEL2               10;
>         DANGER_LEVEL3               50;
>         DANGER_LEVEL4               100;
>         DANGER_LEVEL5               1000;
> Does anybody know how to trigger fast (very fast) an email out of the
> Shorewall logfile into the Psad warning email AND block automatically the
> IP?
> (unblocking is easy witch Psad --flush :-)
> Schould I change the Psad config file or higher the logging levels (1-7)
> ie. WARN(ing) -> CRIT(ical)?

The syslog logging levels should not need to be adjusted since psad is
seeing all of the iptables log messages, correct?

Either way, you had mentioned that the scanning method is a stealth scan,
so are you referring to a FIN scan, NULL scan, or XMAS scan? If so, and you
are mostly concerned about these types of scans vs. other types (like a SYN
scan), then you could set the danger level of the corresponding signature
to be very high in the /etc/psad/signatures file. This would have psad
raise the danger level upon seeing any of these scans, and therefore allow
the blocking mechanism to be triggered for these scans more rapidly than
others. Here is the FIN scan signature for example:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F;
reference:arachnids,27; classtype:attempted-recon; sid:621; psad_id:100066;

Just set "psad_dl:5" or whatever danger level you want.

On the other hand, if you are more concerned about blocking all types of
scans more quickly, then in addition to adjusting the DANGER_LEVEL values
like you have above, you can also lower the AUTO_IDS_DANGER_LEVEL setting.
It is likely that you are only seeing the blocks come through after 1.5
hours because the default setting for this variable is the highest danger
level (5), and that can be hard to trigger depending on what the attacker
is doing.



> I've you don't know how, thanks for reading anyway,
> Greetings,
> Paul F. Versloot
> ps: included, psad.conf; shorewall.conf, rules, zones, policy.
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss

Michael Rash | Founder
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
psad-discuss mailing list

Reply via email to