Re: [psad-discuss] Possible bug with auto_dl

2009-11-13 Thread Michael Rash
On Nov 09, 2009, Simón wrote:

> Hi,

Hello,

>  I am using PSAD Version: 2.1.5 (file revision: 2253).
>  I have written, in my auto_dl file, the next rule:
> 
>  91.121.0.0/16 1 udp/137-138;
> 
>  Nevertheless I am still receiving emails with the following 
> information:
> 
>   Danger level: [3] (out of 5)
> 
>  Scanned UDP ports: [138: 7 packets, Nmap: -sU]
> iptables chain: INPUT (prefix "Inbound"), 7 packets
> 
> Source: 91.121.220.64
>    DNS: ns305492.ovh.net
> 
>    Destination: xx.xxx.xxx.xxx
>    DNS: 
> 
> Overall scan start: Mon Nov  9 11:49:54 2009
> Total email alerts: 3
> Complete UDP range: [137-138]
> 
> 
>  In this post you can see that the danger level is still 3.
>  This exception works if I write it in this manner:
> 
>    91.121.0.0/16 0 udp/137-138;
> 
>  IMHO, this is a bug, no?

psad uses the automatic danger level assignments as follows:

- For any non-zero auto danger level, if the current matching scan
exceeds this level then the scan is promoted to the higher level.

- For all zero auto danger levels, any matching scan is ignored.

So, the above makes sense since the auto danger level is 1 but the
scan persisted and exceeded this value.  This is mostly useful if
you want to make sure that certain scan activity is promoted quickly
(for auto-blocking rules for example).

Thanks,

-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271

___
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
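
The two cases described in the reply above, modeled in Python as an added example (this is not psad's own code, which is written in Perl). It assumes the whitespace-separated rule layout `<network> <level> <proto>/<low>-<high>;` used by the rules in this thread, handles only that form, and assumes the first matching rule wins; all function names are hypothetical.

```python
import ipaddress
import re

# Rule layout assumed from the rule lines quoted in the thread:
#   <network> <danger level> [<proto>/<low>-<high>];
RULE_RE = re.compile(r"^(\S+)\s+([0-5])(?:\s+(tcp|udp)/(\d+)-(\d+))?\s*;")

def parse_rule(line):
    """Parse one auto_dl-style line into (network, level, proto, ports)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    net = ipaddress.ip_network(m.group(1), strict=False)
    ports = (int(m.group(4)), int(m.group(5))) if m.group(3) else None
    return net, int(m.group(2)), m.group(3), ports

def rule_matches(rule, src, proto, port):
    """True if the scan's source, protocol and port fall under the rule."""
    net, _level, r_proto, r_ports = rule
    if ipaddress.ip_address(src) not in net:
        return False
    if r_proto is None:          # rule has no protocol/port restriction
        return True
    return proto == r_proto and r_ports[0] <= port <= r_ports[1]

def effective_level(rules, src, proto, port, scan_level):
    """Return the danger level to report, or None if the scan is ignored.

    Zero auto level: the matching scan is ignored.
    Non-zero auto level: a scan that exceeds it keeps the higher level.
    """
    for rule in rules:           # first match wins (assumption)
        if rule_matches(rule, src, proto, port):
            auto = rule[1]
            return None if auto == 0 else max(auto, scan_level)
    return scan_level            # no auto_dl entry applies

# Constructed rule sets using the network and ports from the thread.
LEVEL_1 = [parse_rule("91.121.0.0/16 1 udp/137-138;")]
LEVEL_0 = [parse_rule("91.121.0.0/16 0 udp/137-138;")]

if __name__ == "__main__":
    print(effective_level(LEVEL_1, "91.121.220.64", "udp", 138, 3))  # 3
    print(effective_level(LEVEL_0, "91.121.220.64", "udp", 138, 3))  # None
```
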


[psad-discuss] Possible bug with auto_dl

2009-11-09 Thread Simón
Hi,
 I am using PSAD Version: 2.1.5 (file revision: 2253).
 I have written, in my auto_dl file, the next rule:

 91.121.0.0/16 1 udp/137-138;

 Nevertheless I am still receiving emails with the following 
information:

  Danger level: [3] (out of 5)

 Scanned UDP ports: [138: 7 packets, Nmap: -sU]
iptables chain: INPUT (prefix "Inbound"), 7 packets

Source: 91.121.220.64
   DNS: ns305492.ovh.net

   Destination: xx.xxx.xxx.xxx
   DNS: 

Overall scan start: Mon Nov  9 11:49:54 2009
Total email alerts: 3
Complete UDP range: [137-138]


 In this post you can see that the danger level is still 3.
 This exception works if I write it in this manner:

   91.121.0.0/16 0 udp/137-138;

 IMHO, this is a bug, no?
