Hi Mike,

Thank you for the reply. :)

I am wondering if the Emerging Threats Pro rules would be much better in 
terms of catching DDoS and such.

I am wondering if anyone knows of an updated IP reputation list which 
we can parse into fwsnort so it would be dropped by default.

From what I know, Webroot maintains such a list, but it is not open source.

Regards,
Edy

On 10/17/2012 11:17 AM, Michael Rash wrote:
> On Oct 15, 2012, Pui Edylie wrote:
>
>> Dear Members,
> Hello,
>
>> I have started using psad with fwsnort and it is awesome!
>>
>> I have received alerts but they are not clear to me as it did not
>> include the msg: field for the description
>>
>> Right now I have to manually open up fwsnort.save to search for
>> SID2013222 to figure out what it is.
>>
>> Is there anyway we could include the info?
> By default, psad parses Snort rules for the msg: field out of the
> /etc/psad/snort_rules/ directory.  I suspect that the signature
> SID2013222 is not contained within this directory - e.g. there is a
> difference between the signatures running under fwsnort vs. those that
> psad knows about.  I should probably update psad to also parse
> signatures out of /etc/fwsnort/snort_rules/, but in the meantime you
> could add the signature to a file in the /etc/psad/snort_rules/
> directory.
>
> Thanks,
>
> --Mike
>
>
>> Thank you!
>>
>> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
>>
>>
>>           Danger level: [1] (out of 5)
>>
>>      Scanned TCP ports: [55016: 3 packets]
>>              TCP flags: [ACK: 3 packets]
>>         iptables chain: FWSNORT_FORWARD_ESTAB (*prefix "[929] SID2013222 
>> ESTAB"*), 3 packets
>>           fwsnort rule: 929
>>
>>                 Source: xxxxx
>>                    DNS: xxxxxx
>>
>>            Destination: xxxxx
>>                    DNS: [No reverse dns info available]
>>
>>     Overall scan start: Mon Oct 15 20:16:16 2012
>>     Total email alerts: 7
>>     Complete TCP range: [24722-55016]
>>        Syslog hostname: bgp2
>>
>>           Global stats: chain:   interface:   TCP:   UDP:   ICMP:
>>                         FORWARD  bond2        4      0      0
>>
>> [+] Whois Information (source IP):
>> Unknown AS number or IP network. Please upgrade this program.
>>
>> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
>>
>>
>> _______________________________________________
>> psad-discuss mailing list
>> psad-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/psad-discuss



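An added example (not psad's or fwsnort's own code) of the lookup Mike describes above: parse Snort rule files for their msg: and sid: options, then check whether an alerted SID such as 2013222 is known to psad's rule directory or only to fwsnort's. The directory paths are the ones named in the thread; the rule text below is constructed, and the msg: for SID 2013222 is a placeholder rather than the real signature's description.

```python
import re
from pathlib import Path

# Snort rule options we care about: msg:"..."; and sid:NNNN;
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

def parse_rules(text):
    """Map sid -> msg for every active (non-comment) rule in a Snort rules file."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid, msg = SID_RE.search(line), MSG_RE.search(line)
        if sid and msg:
            table[int(sid.group(1))] = msg.group(1)
    return table

def load_rule_dir(directory):
    """Merge sid -> msg from every *.rules file in a directory such as /etc/psad/snort_rules/."""
    table = {}
    for path in sorted(Path(directory).glob('*.rules')):
        table.update(parse_rules(path.read_text(errors='replace')))
    return table

def lookup_sid(sid, psad_table, fwsnort_table):
    """Return (msg, where) for an alerted SID: where is 'psad' when psad's own
    rule directory knows the signature (the alert would carry the msg),
    'fwsnort-only' for the mismatch described in the thread, or None."""
    if sid in psad_table:
        return psad_table[sid], 'psad'
    if sid in fwsnort_table:
        return fwsnort_table[sid], 'fwsnort-only'
    return None, None

# Constructed sample rule sets standing in for the two directories.
PSAD_RULES = '''
# comment lines and blanks are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC constructed example"; content:"/cgi-bin/"; sid:1000001; rev:1;)
'''
FWSNORT_RULES = PSAD_RULES + '''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PLACEHOLDER description for sid 2013222"; flow:established; content:"xyz"; sid:2013222; rev:3;)
'''

if __name__ == '__main__':
    psad, fwsnort = parse_rules(PSAD_RULES), parse_rules(FWSNORT_RULES)
    # On a live box: load_rule_dir('/etc/psad/snort_rules/') and load_rule_dir('/etc/fwsnort/snort_rules/')
    for sid in (1000001, 2013222, 9999999):
        print(sid, lookup_sid(sid, psad, fwsnort))
```

A SID that resolves as 'fwsnort-only' is exactly the case in the alert quoted above: fwsnort fired on it, but psad had no msg: text to print, so copying that rule into a file under /etc/psad/snort_rules/ is what gives the alert its description.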