Re: [psad-discuss] Confusing alert from Psad

2013-10-29 Thread Michael Rash
On Oct 29, 2013, Muhammad Yousuf Khan wrote:

 [cut]
 psad offers scan detection that is beyond what can be expressed within
 
  the signature set.  The NULL scan detection message was generated from
  the non-signature portion of psad.
 
 
 Actually, I like the way it worked; it cleared up lots of my IDS/IPS concepts, so
 I would like to read about it in more depth.
 
 E.g., there is a signature file in the psad directory. I saw the patterns of the
 signatures, how it detects the packet from the log. Is there any file where
 I can see those extra patterns for non-signature detection?

Non-signature detection is implemented in code.  Actually signature
detection is implemented in code too - you can think of each signature
as a highly expressive configuration for how the code treats incoming
data.  When the signature language does not support something that is
useful for attack detection, it becomes a choice as to whether it is
worth trying to extend the signature language itself or write code to
support better detection without modifying the language.

Depending on how deep you want to go, it is probably worth starting with
going through all of the psad.conf variables and associated comments,
and from there taking a look at the psad code itself.

--Mike

   Why didn't the NULL scan show the signature against which this alert
   triggered?
 
  Having said the above, there is also a NULL scan signature that appears
  not to have fired, and I believe this is a minor bug that will be
  corrected in the next version.
 
 
 Yes, I observed that too; there was a NULL signature which hasn't been
 triggered. No problem, I am fine as long as it is detecting, one way or another.
 
 
  Thanks,
 
  --Mike
 



___
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
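The two detection paths Mike describes above, as an added example that is not psad's own code: a per-packet signature path where each rule is just configuration (the Snort-style `flags:` syntax psad's signature file uses), and a non-signature path implemented purely in code, which aggregates packets per source/destination pair and reports the flag combination and port range without consulting any rule. The log lines are constructed here in netfilter LOG format (the input psad reads from syslog); the XMAS rule uses the `SCAN nmap XMAS` / sid 1228 identifiers shown in the post, while the NULL rule, the `port_threshold` value and the `10.0.0.x` addresses are assumptions for the example.

```python
"""Toy model of psad's signature and non-signature scan detection.
Example code only, not psad's implementation; sample log lines are constructed."""
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FLAG_ORDER = ["URG", "ACK", "PSH", "RST", "SYN", "FIN"]   # display order only
SNORT_FLAG_LETTERS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}

# Constructed signature set. sid 1228 / "SCAN nmap XMAS" is the match shown in the
# post; "flags:FPU" is Snort syntax for exactly FIN+PSH+URG. The NULL rule uses
# Snort's "flags:0" (no flag bits set); its sid is left unset because it is not on the page.
SIGNATURES = [
    {"msg": "SCAN nmap XMAS", "sid": 1228, "flags": "FPU"},
    {"msg": "SCAN NULL", "sid": None, "flags": "0"},
]


def make_log_line(src, dst, dpt, flags):
    """Build one constructed netfilter LOG line; flags is the space-separated flag text
    netfilter writes (empty for a NULL packet, as the kernel logs no flag tokens)."""
    return (f"Oct 28 21:03:38 firewall kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=40 "
            f"TTL=48 ID=1 PROTO=TCP SPT=50000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample: an XMAS sweep, a NULL sweep, and one ordinary SYN.
SAMPLE_LOG = (
    [make_log_line("10.0.0.17", "10.0.0.22", p, "URG PSH FIN") for p in (22, 25, 80, 443, 765)]
    + [make_log_line("10.0.0.17", "10.0.0.23", p, "") for p in (21, 22, 53, 80, 8080)]
    + [make_log_line("10.0.0.5", "10.0.0.22", 80, "SYN")]
)


def parse_iptables_line(line):
    """Parse one LOG line into src/dst/dpt/flags; None for non-TCP or unparsable lines."""
    if "kernel:" not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[1].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:          # bare tokens between RES= and URGP= are the flags
            flags.add(tok)
    if fields.get("PROTO") != "TCP" or not all(k in fields for k in ("SRC", "DST", "DPT")):
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "dpt": int(fields["DPT"]), "flags": frozenset(flags)}


def flags_from_spec(spec):
    """Translate a Snort 'flags:' value into the set of flag names it requires."""
    return frozenset() if spec == "0" else frozenset(SNORT_FLAG_LETTERS[c] for c in spec)


def signature_hits(lines):
    """Signature path: one hit per packet whose flag set equals a rule's flags."""
    hits = []
    for pkt in filter(None, map(parse_iptables_line, lines)):
        for sig in SIGNATURES:
            if pkt["flags"] == flags_from_spec(sig["flags"]):
                hits.append({"src": pkt["src"], "dpt": pkt["dpt"],
                             "msg": sig["msg"], "sid": sig["sid"]})
    return hits


def scan_alerts(lines, port_threshold=5):
    """Non-signature path: aggregate by (src, dst) and flag combination, alert when
    one combination touches >= port_threshold distinct ports. No rule is consulted,
    so a NULL sweep is reported with 'flags: NULL' and no sid, as in the post."""
    ports = defaultdict(set)    # (src, dst, flags) -> distinct destination ports
    pkts = defaultdict(int)     # (src, dst, flags) -> packet count
    for pkt in filter(None, map(parse_iptables_line, lines)):
        key = (pkt["src"], pkt["dst"], pkt["flags"])
        ports[key].add(pkt["dpt"])
        pkts[key] += 1
    alerts = []
    for (src, dst, flags), seen in ports.items():
        if len(seen) < port_threshold:
            continue
        label = "NULL" if not flags else " ".join(f for f in FLAG_ORDER if f in flags)
        alerts.append({"src": src, "dst": dst, "flags": label,
                       "ports": f"[{min(seen)}-{max(seen)}]", "pkts": pkts[(src, dst, flags)]})
    return sorted(alerts, key=lambda a: (a["src"], a["dst"]))


if __name__ == "__main__":
    for h in signature_hits(SAMPLE_LOG):
        print(f"src: {h['src']} signature match: {h['msg']} (sid: {h['sid']}) tcp port: {h['dpt']}")
    for a in scan_alerts(SAMPLE_LOG):
        print(f"scan detected: {a['src']} - {a['dst']} tcp: {a['ports']} "
              f"flags: {a['flags']} tcp pkts: {a['pkts']}")
```

Running it prints one signature line per XMAS and per NULL packet, followed by two aggregate scan alerts. Deleting the `SCAN NULL` entry from `SIGNATURES` reproduces the situation in the thread: the NULL packets no longer produce any signature line, yet `scan_alerts` still reports `flags: NULL` for the sweep, because that path depends only on the per-pair aggregation in code, not on the signature set.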


[psad-discuss] Confusing alert from Psad

2013-10-28 Thread Muhammad Yousuf Khan
I am using nmap for NULL and XMAS scanning.

here is the log


XMAS log:

 src: 10.x.x.17 signature match: SCAN nmap XMAS (sid: 1228) tcp port: 765
Oct 28 21:03:38 firewall
psad: scan detected: 10.x.x.17 - 10.x.x.22 tcp: [1-65389] flags: URG PSH
FIN tcp pkts: 2000 DL: 5


Null Scan log:
psad: scan detected: 10.x.x.17 - 10.x.x.22 tcp: [1-65389] flags: NULL tcp
pkts: 1990 DL: 5



Why didn't the NULL scan show the signature against which this alert
triggered?


Thanks,

MYK