On Thu, Jul 17, 2014 at 12:13 AM, Steve Murphy <m...@parsetree.com> wrote:

>
> Hello!
>
>
Hello Steve,



> I am not understanding how I implement the AUTO_IDS stuff...
> things aren't working as expected...
>
> I have these settings, cutting out perhaps most...
>
> ENABLE_AUTO_IDS Y;
> AUTO_IDS_DANGER_LEVEL 3;
> ENABLE_AUTO_IDS_REGEX N;
> IPTABLES_BLOCK_METHOD Y;
>
> IPT_AUTO_CHAIN1  DROP, src, filter, drop-rules-INPUT, 1, PSAD_BLOCK_INPUT, 1;
> IPT_AUTO_CHAIN2  DROP, dst, filter, drop-rules-OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
> IPT_AUTO_CHAIN3  DROP, both, filter, drop-rules-FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
>
>
> Somehow, I got the idea that psad would create the PSAD_BLOCK_* chains
> and insert the jumps to those blocks in the appropriate drop-rules-* chains...
>
>
Those variables look good.

psad does indeed create the jump rules you mention above, but it doesn't do
this until there is an IP that needs to be blocked.  The reason for this is
that psad checks for the jump rules every time an IP is to be blocked
anyway (in order to make sure that the block would take effect).  So,
instead of also doing this at init time, it just lets the "default" check
take over when there is an IP to be blocked.

Thanks,

--Mike


> But all it seemed to do is verify that the drop-rules-(INPUT,OUTPUT,FORWARD)
> chains are there, and that the PSAD_BLOCK_(INPUT,OUTPUT,FORWARD) chains are
> there...
>
> using psad --debug, I see these kinds of commands issued for each of
> (INPUT, OUTPUT, FORWARD):
>
> iptables -t filter -v -n -L drop-rules-INPUT
>
> and then, later,
>
> iptables -t filter -v -n -L PSAD_BLOCK_INPUT
> iptables -t filter -F PSAD_BLOCK_INPUT
>
> So, my question is: if users are responsible for making sure all the
> PSAD_BLOCK_* chains exist before starting psad, then why do we have to
> mention the parent chain at all? Who cares?
>
>
> murf
>
>
>
> --
>
> Steve Murphy
> ParseTree Corporation
> 57 Lane 17
> Cody, WY 82414
> ✉  murf at parsetree dot com
> ☎ 307-899-5535
>
>
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
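To make the behaviour Mike describes concrete, here is an added example (my own code, not psad's) that models the block-time check in Python: it parses the IPT_AUTO_CHAIN lines from the thread, reads a constructed sample of `iptables -t filter -v -n -L` output, and emits the iptables commands that a psad-style check would need to run before it can block an address, creating the PSAD_BLOCK_* chain and the jump from the parent chain only when they are missing. The seven-field order (target, direction, table, from_chain, jump_position, to_chain, rule_position) follows the comment in psad.conf; the function and variable names, the assumption that the parent drop-rules-* chain must already exist, and the sample ruleset are mine.

```python
"""Model of psad's lazy chain/jump check (added example, not psad's code)."""
import ipaddress
import re

# Constructed sample listing: drop-rules-INPUT exists but has no jump yet and
# PSAD_BLOCK_INPUT is absent; the OUTPUT side is already fully wired up.
SAMPLE_LISTING = """\
Chain drop-rules-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain drop-rules-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PSAD_BLOCK_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain PSAD_BLOCK_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

AUTO_CHAIN_RE = re.compile(r"^IPT_AUTO_CHAIN\d+\s+(.*?);\s*$")
FIELD_NAMES = ("target", "direction", "table", "from_chain",
               "jump_position", "to_chain", "rule_position")


def parse_auto_chain(line):
    """Parse one IPT_AUTO_CHAIN line into a dict keyed by FIELD_NAMES."""
    m = AUTO_CHAIN_RE.match(line.strip())
    if not m:
        raise ValueError("not an IPT_AUTO_CHAIN line: %r" % line)
    fields = [f.strip() for f in m.group(1).split(",")]
    if len(fields) != len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_NAMES), len(fields)))
    ac = dict(zip(FIELD_NAMES, fields))
    if ac["direction"] not in ("src", "dst", "both"):
        raise ValueError("bad direction %r" % ac["direction"])
    ac["jump_position"] = int(ac["jump_position"])
    ac["rule_position"] = int(ac["rule_position"])
    return ac


def parse_listing(text):
    """Map chain name -> list of rule targets from `iptables -v -n -L` output."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            chains[current].append(line.split()[2])  # third column is the target
    return chains


def commands_to_block(ip, ac, chains):
    """Return the iptables commands needed to block `ip` via one auto chain.

    The existence checks run here, at block time, which is the behaviour
    explained in the reply above: nothing is created until an IP must be
    blocked. The parent chain is assumed to be the admin's responsibility.
    """
    ip = str(ipaddress.ip_address(ip))  # reject anything that is not an address
    if ac["from_chain"] not in chains:
        raise RuntimeError("parent chain %s does not exist" % ac["from_chain"])
    cmds = []
    if ac["to_chain"] not in chains:
        cmds.append("iptables -t %s -N %s" % (ac["table"], ac["to_chain"]))
    if ac["to_chain"] not in chains[ac["from_chain"]]:
        cmds.append("iptables -t %s -I %s %d -j %s" % (
            ac["table"], ac["from_chain"], ac["jump_position"], ac["to_chain"]))
    rule = "iptables -t %s -I %s %d %%s %s -j %s" % (
        ac["table"], ac["to_chain"], ac["rule_position"], ip, ac["target"])
    if ac["direction"] in ("src", "both"):
        cmds.append(rule % "-s")
    if ac["direction"] in ("dst", "both"):
        cmds.append(rule % "-d")
    return cmds


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    for conf in ("IPT_AUTO_CHAIN1  DROP, src, filter, drop-rules-INPUT, 1, PSAD_BLOCK_INPUT, 1;",
                 "IPT_AUTO_CHAIN2  DROP, dst, filter, drop-rules-OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;"):
        for cmd in commands_to_block("192.0.2.10", parse_auto_chain(conf), chains):
            print(cmd)
```

Run against the sample, the INPUT side yields three commands (create chain, insert jump, insert block rule) while the OUTPUT side, already wired, yields only the block rule; that difference is exactly why a fresh psad start with no blocked IPs shows no PSAD_BLOCK_* jump rules yet.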