Re: [psad-discuss] alert email lack of msg: field
On Oct 15, 2012, Pui Edylie wrote:

> Dear Members,
>
> I have started using psad with fwsnort and it is awesome!
>
> I have received alerts but they are not clear to me as they did not
> include the msg: field for the description.
>
> Right now I have to manually open up fwsnort.save to search for
> SID2013222 to figure out what it is.
>
> Is there any way we could include the info?

psad-2.2.1 is close to being released, and it includes a fix for this problem by reading Snort rules from any installed fwsnort instance. If you want to try a snapshot of the latest code that includes this fix, here is a link:

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=psad.git;a=snapshot;h=bd89cfbad0cdc4540f1b983811e40803b8fa29b9;sf=tgz

Thanks,

--Mike

> Thank you!
>
> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
>
> Danger level: [1] (out of 5)
>
> Scanned TCP ports: [55016: 3 packets]
> TCP flags: [ACK: 3 packets]
> iptables chain: FWSNORT_FORWARD_ESTAB (*prefix "[929] SID2013222 ESTAB"*), 3 packets
> fwsnort rule: 929
>
> Source: x
> DNS: xx
>
> Destination: x
> DNS: [No reverse dns info available]
>
> Overall scan start: Mon Oct 15 20:16:16 2012
> Total email alerts: 7
> Complete TCP range: [24722-55016]
> Syslog hostname: bgp2
>
> Global stats: chain: interface: TCP: UDP: ICMP:
> FORWARD bond24 0 0
>
> [+] Whois Information (source IP):
> Unknown AS number or IP network. Please upgrade this program.
>
> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=

___
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
Re: [psad-discuss] alert email lack of msg: field
Hi Mike,

Thank you for the reply. :)

I am wondering if the Emerging Threats Pro rules would be much better in terms of catching DDoS and such.

I am wondering if anyone knows of a list of updated IP reputation lists which we can parse into fwsnort so they would be dropped by default. From what I know Webroot maintains such a list but it is not open source.

Regards,
Edy

On 10/17/2012 11:17 AM, Michael Rash wrote:
> On Oct 15, 2012, Pui Edylie wrote:
>
>> Dear Members,
>
> Hello,
>
>> I have started using psad with fwsnort and it is awesome!
>>
>> I have received alerts but they are not clear to me as they did not
>> include the msg: field for the description.
>>
>> Right now I have to manually open up fwsnort.save to search for
>> SID2013222 to figure out what it is.
>>
>> Is there any way we could include the info?
>
> By default, psad parses Snort rules for the msg: field out of the
> /etc/psad/snort_rules/ directory. I suspect that the signature
> SID2013222 is not contained within this directory - e.g. there is a
> difference between the signatures running under fwsnort vs. those that
> psad knows about. I should probably update psad to also parse
> signatures out of /etc/fwsnort/snort_rules/, but in the meantime you
> could add the signature to a file in the /etc/psad/snort_rules/
> directory.
>
> Thanks,
>
> --Mike
>
>> Thank you!
>>
>> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
>>
>> Danger level: [1] (out of 5)
>>
>> Scanned TCP ports: [55016: 3 packets]
>> TCP flags: [ACK: 3 packets]
>> iptables chain: FWSNORT_FORWARD_ESTAB (*prefix "[929] SID2013222 ESTAB"*), 3 packets
>> fwsnort rule: 929
>>
>> Source: x
>> DNS: xx
>>
>> Destination: x
>> DNS: [No reverse dns info available]
>>
>> Overall scan start: Mon Oct 15 20:16:16 2012
>> Total email alerts: 7
>> Complete TCP range: [24722-55016]
>> Syslog hostname: bgp2
>>
>> Global stats: chain: interface: TCP: UDP: ICMP:
>> FORWARD bond24 0 0
>>
>> [+] Whois Information (source IP):
>> Unknown AS number or IP network. Please upgrade this program.
>>
>> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
Re: [psad-discuss] alert email lack of msg: field
On Oct 15, 2012, Pui Edylie wrote:

> Dear Members,

Hello,

> I have started using psad with fwsnort and it is awesome!
>
> I have received alerts but they are not clear to me as they did not
> include the msg: field for the description.
>
> Right now I have to manually open up fwsnort.save to search for
> SID2013222 to figure out what it is.
>
> Is there any way we could include the info?

By default, psad parses Snort rules for the msg: field out of the /etc/psad/snort_rules/ directory. I suspect that the signature SID2013222 is not contained within this directory - e.g. there is a difference between the signatures running under fwsnort vs. those that psad knows about. I should probably update psad to also parse signatures out of /etc/fwsnort/snort_rules/, but in the meantime you could add the signature to a file in the /etc/psad/snort_rules/ directory.

Thanks,

--Mike

> Thank you!
>
> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
>
> Danger level: [1] (out of 5)
>
> Scanned TCP ports: [55016: 3 packets]
> TCP flags: [ACK: 3 packets]
> iptables chain: FWSNORT_FORWARD_ESTAB (*prefix "[929] SID2013222 ESTAB"*), 3 packets
> fwsnort rule: 929
>
> Source: x
> DNS: xx
>
> Destination: x
> DNS: [No reverse dns info available]
>
> Overall scan start: Mon Oct 15 20:16:16 2012
> Total email alerts: 7
> Complete TCP range: [24722-55016]
> Syslog hostname: bgp2
>
> Global stats: chain: interface: TCP: UDP: ICMP:
> FORWARD bond24 0 0
>
> [+] Whois Information (source IP):
> Unknown AS number or IP network. Please upgrade this program.
>
> =-=-=-=-=-=-=-=-=-=-=-= Mon Oct 15 20:16:52 2012 =-=-=-=-=-=-=-=-=-=-=-=
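The lookup Mike describes in both of his replies (psad reading the msg: field out of /etc/psad/snort_rules/, and psad-2.2.1 also reading the rules of an installed fwsnort) amounts to two steps: index every Snort rule by its sid, then map the SID<n> token in fwsnort's iptables --log-prefix ("[929] SID2013222 ESTAB" in the alert above) back to that rule's msg:. The script below is an added example written for this page, not psad's or fwsnort's own code. The rule lines, the syslog line and the SIDs in the 1000000+ local range are constructed; the exact directory psad-2.2.1 reads fwsnort rules from, and the layout of the iptables log line, are assumptions. A SID that is in no loaded directory is reported explicitly, which is the situation the original alert shows.

```python
"""Map fwsnort log prefixes like "[929] SID2013222 ESTAB" back to the Snort
msg: field. Added example for this thread, not psad's or fwsnort's code."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, Optional

# Directories the thread mentions: psad's own rules first, then fwsnort's.
# That psad-2.2.1 reads exactly this second path is an assumption here.
DEFAULT_RULE_DIRS = ("/etc/psad/snort_rules", "/etc/fwsnort/snort_rules")

# Snort rule options. msg: is a double-quoted string in which ';' and '"'
# may be backslash-escaped, so splitting the option list on ';' would
# truncate such messages; the regex below honours the escapes instead.
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
ACTION_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+')

# What reaches syslog: fwsnort's --log-prefix "[<fwsnort rule#>] SID<sid> <chain>".
LOG_SID_RE = re.compile(r'\bSID(\d+)\b')
FWSNORT_NUM_RE = re.compile(r'\[(\d+)\]\s+SID\d+')


@dataclass(frozen=True)
class RuleInfo:
    sid: int
    msg: str
    rev: int
    action: str


def _unescape(s: str) -> str:
    """Drop the backslashes Snort uses to escape ; " and \\ inside msg:."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_rules(text: str) -> Dict[int, RuleInfo]:
    """Index the rules in one file by sid. The first definition of a sid wins."""
    rules: Dict[int, RuleInfo] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m_sid = SID_RE.search(line)
        if not m_sid:  # not a rule line (comment, variable definition, ...)
            continue
        sid = int(m_sid.group(1))
        m_msg, m_rev, m_act = MSG_RE.search(line), REV_RE.search(line), ACTION_RE.match(line)
        rules.setdefault(sid, RuleInfo(
            sid=sid,
            msg=_unescape(m_msg.group(1)) if m_msg else '',
            rev=int(m_rev.group(1)) if m_rev else 0,
            action=m_act.group(1) if m_act else '',
        ))
    return rules


def load_rule_dirs(dirs: Iterable[str] = DEFAULT_RULE_DIRS) -> Dict[int, RuleInfo]:
    """Merge every *.rules file under the given directories, in order; an
    earlier directory's definition of a sid takes precedence over a later one."""
    merged: Dict[int, RuleInfo] = {}
    for d in dirs:
        path = Path(d)
        if not path.is_dir():
            continue
        for f in sorted(path.glob('*.rules')):
            for sid, info in parse_rules(f.read_text(errors='replace')).items():
                merged.setdefault(sid, info)
    return merged


def sid_from_log(line: str) -> Optional[int]:
    """Extract the Snort sid from an iptables log line with an fwsnort prefix."""
    m = LOG_SID_RE.search(line)
    return int(m.group(1)) if m else None


def fwsnort_rule_num(line: str) -> Optional[int]:
    """Extract fwsnort's own rule number ("[929]") from the same prefix."""
    m = FWSNORT_NUM_RE.search(line)
    return int(m.group(1)) if m else None


def describe_sid(sid: int, rules: Dict[int, RuleInfo]) -> str:
    """The line an alert could carry: the SID plus the rule's msg: text."""
    info = rules.get(sid)
    if info is None:
        return f'SID{sid}: no msg: field found (rule not in any loaded rules directory)'
    return f'SID{sid} rev {info.rev}: {info.msg}'


# Constructed sample data: not real ET/VRT rules (1000000+ is the local sid
# range), and a log line mimicking iptables LOG output with fwsnort's prefix,
# using RFC 5737 documentation addresses.
SAMPLE_RULES = r'''
# local.rules (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL WEB example.php access"; flow:to_server,established; content:"GET /example.php"; nocase; classtype:web-application-activity; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TROJAN constructed beacon \; escaped semicolon"; flow:established; content:"|de ad be ef|"; sid:1000002; rev:1;)
drop udp any any -> any 53 (msg:"LOCAL DNS constructed tunnel"; content:"|00 10 00 01|"; sid:1000003; rev:1;)
'''
SAMPLE_LOG = ('Oct 15 20:16:16 bgp2 kernel: [929] SID1000001 ESTAB IN=bond24 OUT=eth1 '
              'SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=55016 DPT=80 ACK PSH')

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)  # on a real box: load_rule_dirs()
    print(f'fwsnort rule: {fwsnort_rule_num(SAMPLE_LOG)}')
    sid = sid_from_log(SAMPLE_LOG)
    if sid is not None:
        print(describe_sid(sid, rules))
    print(describe_sid(2013222, rules))  # the thread's symptom: sid not loaded
```

On a live system the two interesting checks are whether `load_rule_dirs()` returns the SID from your alert at all, and, if the same sid appears in both directories, which definition wins; the order of DEFAULT_RULE_DIRS decides that, so put the directory whose rules fwsnort actually loaded first if the two sets have drifted apart.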