On Nov 09, 2009, Simón wrote:

> Hi,

Hello,

> I am using PSAD Version: 2.1.5 (file revision: 2253).
> I have written, in my auto_dl file, the next rule:
>
> 91.121.0.0/16 1 udp/137-138;
>
> Nevertheless I am still receiving emails with the following
> information:
> ------------------------------------------------------------------------------------------------
> Danger level: [3] (out of 5)
>
> Scanned UDP ports: [138: 7 packets, Nmap: -sU]
> iptables chain: INPUT (prefix "Inbound"), 7 packets
>
> Source: 91.121.220.64
> DNS: ns305492.ovh.net
>
> Destination: xx.xxx.xxx.xxx
> DNS: xxxxxxxxxxxxxxxx
>
> Overall scan start: Mon Nov 9 11:49:54 2009
> Total email alerts: 3
> Complete UDP range: [137-138]
> ------------------------------------------------------------------------------------------------
>
> In this post you can see that the danger level is still 3.
> This exception works if I write it in this manner:
>
> 91.121.0.0/16 0 udp/137-138;
>
> IMHO, this is a bug, no?

psad uses the automatic danger level assignments as follows:

- For any non-zero auto danger level, if the current matching scan
  exceeds this level then the scan is promoted to the higher level.
- For all zero auto danger levels, any matching scan is ignored.

So, the above makes sense since the auto danger level is 1 but the scan
persisted and exceeded this value. This is mostly useful if you want to
make sure that certain scan activity is promoted quickly (for
auto-blocking rules for example).

Thanks,

--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763 B50F 37AC E946 7F51 8271

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
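The behaviour described in the reply above, modelled in Python as an added example. It is not psad's own code (psad is written in Perl); the function names are hypothetical, only the rule form shown in this thread is parsed, and a non-zero auto level is read as a floor on the reported level.

```python
import ipaddress
import re

# Rule form taken from the thread: "<ip or CIDR> <level> [proto/ports];"
RULE_RE = re.compile(r"^(\S+)\s+(\d)(?:\s+(tcp|udp)/([\d,\-]+))?\s*;$")

def parse_rule(line):
    """Parse one auto_dl-style line into (network, level, proto, port ranges)."""
    m = RULE_RE.match(line.strip())
    if not m or int(m.group(2)) > 5:
        raise ValueError(f"unparseable auto_dl line: {line!r}")
    net, level, proto, ports = m.groups()
    ranges = []
    for part in (ports or "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ipaddress.ip_network(net, strict=False), int(level), proto, ranges

def rule_matches(rule, src, proto, port):
    net, _, r_proto, ranges = rule
    if ipaddress.ip_address(src) not in net:
        return False
    if r_proto is None:          # no proto/port qualifier: any traffic matches
        return True
    return proto == r_proto and any(lo <= port <= hi for lo, hi in ranges)

def effective_level(rules, src, proto, port, computed):
    """Reported danger level, or None when the scan is ignored (auto level 0)."""
    for line in rules:
        rule = parse_rule(line)
        if rule_matches(rule, src, proto, port):
            auto = rule[1]
            # Zero suppresses the scan; non-zero never lowers the computed level.
            return None if auto == 0 else max(auto, computed)
    return computed

if __name__ == "__main__":
    # Values from the alert quoted in the thread; the scan itself scored 3.
    for rule in ("91.121.0.0/16 1 udp/137-138;", "91.121.0.0/16 0 udp/137-138;"):
        print(rule, "->", effective_level([rule], "91.121.220.64", "udp", 138, 3))
```

With level 1 the alert is still reported at 3, which is what the original poster observed; only level 0 suppresses it.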