Re: [psad-discuss] Debian Etch no scan detected
First of all, thanks for the help, Michael and Franck. I've been using the backported versions for now, and first of all I noticed it seemed to be much quicker than the old version, which is always a plus. I'll be doing some further testing. I noticed a couple of packet counts not matching, but the cause of that was several ssh packets. :) I'll report back if I do find anything, but I'm hopeful.

Hotmail: free, powerful e-mail with security from Microsoft. https://signup.live.com/signup.aspx?id=60969

--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
Re: [psad-discuss] Debian Etch no scan detected
On Mar 24, 2010, marco arts wrote:
>
> Hello people,
>
> I've been tinkering with psad for a little while now and I've been
> working it into a small firewall script that's going to be running on
> virtual servers. These are going to be running debian etch/lenny and
> will have different kernel versions and other things I had to take into
> consideration. I'm running these machines on my workstation using
> Virtualbox and they're using the closest kernel to those used on the
> live environment.
>
> Now I've run into trouble with my debian etch test environment, namely
> it won't show the scans with the Status command.
> I get the following output (some info stripped):
>
> [+] psad (pid: 5341) %CPU: 0.0 %MEM: 7.9
>     Running since: Mon Mar 15 12:25:40 2010
>     Command line arguments: -c /etc/psad/psad.conf
>     Alert email address(es): r...@localhost
>
>     [No scans detected]
>
>     Netfilter prefix counters:
>         [NONE]
>
>     Total scan sources: 0
>     Total scan destinations: 0
>
>     Total packet counters:
>         tcp: 3915
>         udp: 192
>         icmp: 0
>
> If I go to /var/log/psad/ and tail the packet counter I'll get the
> following output:
>
> debianetch:~# tail /var/log/psad/192.168.1.125/192.168.1.130_packet_ctr
> INPUT_eth0_tcp: 1960 [1-65389]
>
> Now this disparity between the packet counts is boggling my mind. I
> thought it could be due to my virtual test environment, but this doesn't
> happen with debian lenny. I further tested this and it'd lead to the
> autoblock activating at the default 15.000 packets while it was reporting
> only ~12.000 packets.
>
> Some extra information:
> Debian Etch machine:
> Linux debianetch 2.6.18-6-686 #1 SMP Tue Mar 23 11:40:03 UTC 2010 i686
> GNU/Linux
> [+] psad v1.4.8, by Michael Rash

I agree with Franck that the 1.4.8 release is very old, and it is interesting that it doesn't happen on the debian lenny system with the 2.1.3 release.

One thing to note is that the "Total packet counters" output shows all of the packets that psad has analyzed from the iptables log. It is entirely possible that the results of this analysis do not indicate any malicious activity, and therefore psad does not report any scans (or other things). Also, do you have psad configured to import scan data from one execution to the next? If so, then the data in the /var/log/psad/192.168.1.125/ directory might be from a previous execution and imported by the currently running instance. Either way, a lot of work has been done on the tracking code after 1.4.8, so I would recommend trying a newer release (provided by Franck for Debian systems).

Thanks,

--Mike

> Debian Lenny machine:
> Linux debianlenny 2.6.26-2-686 #1 SMP Sat Dec 26 09:01:51 UTC 2009 i686
> GNU/Linux
> [+] psad v2.1.3 (file revision: 2181)
>
> I've installed psad using apt-get using the latest stable builds.
>
> I'm hoping someone can give me some pointers on where I could look for
> this.
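The two numbers the original poster compares are measured at different scopes: the status "Total packet counters" block counts every packet psad parsed from the iptables log, while each /var/log/psad/<src>/<dst>_packet_ctr file counts one source/destination pair and may additionally carry data imported from an earlier run. The script below is an added example (not psad's own code, and not from anyone in this thread) that parses both forms and reports, per protocol, how much of the running total the per-pair files account for. The status text and counter files are constructed to mirror the thread; the only format facts taken from the thread are the "Total packet counters:" block and counter lines of the form "INPUT_eth0_tcp: 1960 [1-65389]". Treating the bracketed range as a port range and keying directories by source IP is an assumption.

```python
import re
from collections import defaultdict

# Constructed status output, modelled on the psad status output quoted in the thread.
STATUS_OUTPUT = """\
[+] psad (pid: 5341) %CPU: 0.0 %MEM: 7.9
    Running since: Mon Mar 15 12:25:40 2010
    Command line arguments: -c /etc/psad/psad.conf

    [No scans detected]

    Total scan sources: 0
    Total scan destinations: 0

    Total packet counters:
        tcp: 3915
        udp: 192
        icmp: 0
"""

# Constructed counter files keyed by path.  The directory layout and the first
# tcp line come from the thread; the second pair and the udp lines are invented
# so that the udp sum deliberately exceeds the running total (stale-data case).
COUNTER_FILES = {
    "/var/log/psad/192.168.1.125/192.168.1.130_packet_ctr":
        "INPUT_eth0_tcp: 1960 [1-65389]\nINPUT_eth0_udp: 120 [53-53]\n",
    "/var/log/psad/192.168.1.126/192.168.1.130_packet_ctr":
        "INPUT_eth0_tcp: 1955 [22-22]\nINPUT_eth0_udp: 100 [123-123]\n",
}

TOTAL_RE = re.compile(r"^\s*(tcp|udp|icmp):\s*(\d+)\s*$")
PATH_RE = re.compile(r"/psad/(?P<src>[\d.]+)/(?P<dst>[\d.]+)_packet_ctr$")
# CHAIN_IFACE_PROTO: COUNT [LO-HI]; the chain/interface prefix may itself contain '_'.
CTR_RE = re.compile(
    r"^(?P<chain_if>\S+)_(?P<proto>tcp|udp|icmp):\s*(?P<count>\d+)\s*\[(?P<lo>\d+)-(?P<hi>\d+)\]\s*$"
)


def parse_status_totals(status_text):
    """Return {proto: count} from the 'Total packet counters:' block of status output."""
    totals = {}
    in_block = False
    for line in status_text.splitlines():
        if line.strip() == "Total packet counters:":
            in_block = True
            continue
        if not in_block:
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[m.group(1)] = int(m.group(2))
        elif not line.strip():
            break  # the block ends at the first blank line
    return totals


def parse_counter_file(text):
    """Parse per-pair counter lines into dicts; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = CTR_RE.match(line.strip())
        if m:
            entries.append({
                "chain_if": m.group("chain_if"),
                "proto": m.group("proto"),
                "count": int(m.group("count")),
                "ports": (int(m.group("lo")), int(m.group("hi"))),  # assumed port range
            })
    return entries


def per_pair_counts(files):
    """Aggregate counter files into {(src, dst): {proto: count}}."""
    pairs = defaultdict(lambda: defaultdict(int))
    for path, text in files.items():
        m = PATH_RE.search(path)
        if not m:
            continue  # not a psad packet counter file
        key = (m.group("src"), m.group("dst"))
        for e in parse_counter_file(text):
            pairs[key][e["proto"]] += e["count"]
    return {k: dict(v) for k, v in pairs.items()}


def compare_counters(totals, pairs):
    """Per protocol: running total, sum over all pairs, and a diagnosis of the gap."""
    report = {}
    for proto in ("tcp", "udp", "icmp"):
        total = totals.get(proto, 0)
        pair_sum = sum(c.get(proto, 0) for c in pairs.values())
        diff = total - pair_sum
        if diff > 0:
            note = "total includes packets not attributed to any listed pair"
        elif diff < 0:
            note = "per-pair counters exceed the running total: stale data imported from a previous run is likely"
        else:
            note = "consistent"
        report[proto] = {"total": total, "per_pair_sum": pair_sum, "unaccounted": diff, "note": note}
    return report


if __name__ == "__main__":
    report = compare_counters(parse_status_totals(STATUS_OUTPUT), per_pair_counts(COUNTER_FILES))
    for proto, r in report.items():
        print(f"{proto}: total={r['total']} per-pair={r['per_pair_sum']} "
              f"diff={r['unaccounted']} ({r['note']})")
```

On a real host, replace COUNTER_FILES with the contents of every `*_packet_ctr` file under /var/log/psad and STATUS_OUTPUT with the live status text; a negative gap is the signature of counters carried over from a previous execution, which is exactly the import behaviour Mike asks about.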
Re: [psad-discuss] Debian Etch no scan detected
On Mar 27, 2010, Franck Joncourt wrote:
> [...]
> > That is quite an old release :) I will try to backport 2.1.5 to both Etch
> > and Lenny by the end of the weekend so that you will be able to work
> > with the same release.
>
> Please find the backports at the following url:
>
> http://people.debian.org/~franck/backports/
>
> bpo40 packages are for Etch
> bpo50 packages are for Lenny

Thanks Franck.

--Mike

> I have not checked the installation, so if you have any problem let me know.
>
> Regards,
>
> --
> Franck Joncourt
Re: [psad-discuss] Debian Etch no scan detected
On Sat, Mar 27, 2010 at 08:15:08PM +0100, Franck Joncourt wrote:
> [...]
> > That is quite an old release :) I will try to backport 2.1.5 to both Etch
> > and Lenny by the end of the weekend so that you will be able to work
> > with the same release.
>
> Please find the backports at the following url:
>
> http://people.debian.org/~franck/backports/
>
> bpo40 packages are for Etch
> bpo50 packages are for Lenny

Forgot to mention, you may also want to add:

deb http://www.dthconnex.com/debian etch-backports main

to your sources.list

Regards,

--
Franck Joncourt

signature.asc
Description: Digital signature
Re: [psad-discuss] Debian Etch no scan detected
[...]
> That is quite an old release :) I will try to backport 2.1.5 to both Etch and
> Lenny by the end of the weekend so that you will be able to work with the
> same release.

Please find the backports at the following url:

http://people.debian.org/~franck/backports/

bpo40 packages are for Etch
bpo50 packages are for Lenny

I have not checked the installation, so if you have any problem let me know.

Regards,

--
Franck Joncourt
Re: [psad-discuss] Debian Etch no scan detected
On Wed, Mar 24, 2010 at 09:32:41AM +, marco arts wrote:
> Hello people,

Hi,

> I've been tinkering with psad for a little while now and I've been
> working it into a small firewall script that's going to be running on
> virtual servers. These are going to be running debian etch/lenny and
> will have different kernel versions and other things I had to take into
> consideration. I'm running these machines on my workstation using
> Virtualbox and they're using the closest kernel to those used on the
> live environment.
>
> Now I've run into trouble with my debian etch test environment, namely
> it won't show the scans with the Status command.
> I get the following output (some info stripped):
> [...]
> Some extra information:
> Debian Etch machine:
> Linux debianetch 2.6.18-6-686 #1 SMP Tue Mar 23 11:40:03 UTC 2010 i686
> GNU/Linux
> [+] psad v1.4.8, by Michael Rash

That is quite an old release :) I will try to backport 2.1.5 to both Etch and Lenny by the end of the weekend so that you will be able to work with the same release.

> Debian Lenny machine:
> Linux debianlenny 2.6.26-2-686 #1 SMP Sat Dec 26 09:01:51 UTC 2009 i686
> GNU/Linux
> [+] psad v2.1.3 (file revision: 2181)
> I've installed psad using apt-get using the latest stable builds.
>
> I'm hoping someone can give me some pointers on where I could look for
> this.

Regards,

--
Franck Joncourt