Re: [psad-discuss] custom signature.

2014-11-12 Thread Muhammad Yousuf Khan
Thanks Michael Rash, you cleared my confusion. I was always confused about
the way they work together.
Thanks for designing such a wonderful product.


On Tue, Nov 11, 2014 at 6:29 PM, Michael Rash wrote:

>
> On Mon, Nov 10, 2014 at 8:12 AM, Muhammad Yousuf Khan wrote:
>
>> Thanks for sharing, but just confirming, as I am not a native English
>> speaker.
>> Correct me if I am wrong. What I am getting from your email is that the
>> fwsnort daemon works individually and inspects all the traffic coming through
>> the interface. Once it finds any packet matching a Snort rule, it triggers
>> and logs a code in the iptables log so that PSAD can understand it. Then the
>> PSAD daemon finds that log and performs its actions according to psad.conf.
>>
>> Am I correct in my understanding?
>>
>
> Yes, that is correct.
>
> --Mike

Re: [psad-discuss] custom signature.

2014-11-11 Thread Michael Rash
On Mon, Nov 10, 2014 at 8:12 AM, Muhammad Yousuf Khan wrote:

> Thanks for sharing, but just confirming, as I am not a native English
> speaker.
> Correct me if I am wrong. What I am getting from your email is that the
> fwsnort daemon works individually and inspects all the traffic coming through
> the interface. Once it finds any packet matching a Snort rule, it triggers
> and logs a code in the iptables log so that PSAD can understand it. Then the
> PSAD daemon finds that log and performs its actions according to psad.conf.
>
> Am I correct in my understanding?
>

Yes, that is correct.

--Mike

Re: [psad-discuss] custom signature.

2014-11-10 Thread Muhammad Yousuf Khan
Thanks for sharing, but just confirming, as I am not a native English speaker.
Correct me if I am wrong. What I am getting from your email is that the
fwsnort daemon works individually and inspects all the traffic coming through
the interface. Once it finds any packet matching a Snort rule, it triggers
and logs a code in the iptables log so that PSAD can understand it. Then the
PSAD daemon finds that log and performs its actions according to psad.conf.

Am I correct in my understanding?

Thanks,


On Sun, Nov 9, 2014 at 3:20 AM, Michael Rash wrote:

>
> On Sat, Nov 8, 2014 at 3:42 PM, Muhammad Yousuf Khan wrote:
>
>> Thanks for sharing, Michael, it is very informative. I will start working on
>> this on Monday.
>> But I also have another question for my learning: iptables logs are
>> very limited, and what PSAD does is just read the iptables logs and make the
>> decisions set in the conf file and signature file.
>> I had experience working with fwsnort, and fwsnort is run in conjunction
>> with psad and gives psad the ability to read packets in more detail, like
>> finding and triggering rules on MIME type and other deep-level
>> inspection. So my question is where psad reads all the information of the
>> packet, because the firewall log is very limited and does not contain MIME
>> types or other deep packet information, as far as I know, since the firewall
>> log I see in /var/log/messages does not contain any deep-level information.
>>
>
> If you are also running fwsnort, then the linkage between an fwsnort rule
> match and psad is the Snort ID value. When fwsnort triggers on application
> layer data (which of course is not natively included in any iptables log
> message), then the iptables log prefix will include the SID in a string
> like "SID12345" in the log message. psad is always looking for these
> strings, and once it sees one, then it knows that fwsnort made a match
> against application layer data.
>
> Thanks,
>
> --Mike

Re: [psad-discuss] custom signature.

2014-11-08 Thread Michael Rash
On Sat, Nov 8, 2014 at 3:42 PM, Muhammad Yousuf Khan wrote:

> Thanks for sharing, Michael, it is very informative. I will start working on
> this on Monday.
> But I also have another question for my learning: iptables logs are
> very limited, and what PSAD does is just read the iptables logs and make the
> decisions set in the conf file and signature file.
> I had experience working with fwsnort, and fwsnort is run in conjunction with
> psad and gives psad the ability to read packets in more detail, like finding
> and triggering rules on MIME type and other deep-level inspection.
> So my question is where psad reads all the information of the packet, because
> the firewall log is very limited and does not contain MIME types or other deep
> packet information, as far as I know, since the firewall log I see in
> /var/log/messages does not contain any deep-level information.
>

If you are also running fwsnort, then the linkage between an fwsnort rule
match and psad is the Snort ID value. When fwsnort triggers on application
layer data (which of course is not natively included in any iptables log
message), then the iptables log prefix will include the SID in a string
like "SID12345" in the log message. psad is always looking for these
strings, and once it sees one, then it knows that fwsnort made a match
against application layer data.

Thanks,

--Mike

-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
--
___
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss


Re: [psad-discuss] custom signature.

2014-11-08 Thread Muhammad Yousuf Khan
Thanks for sharing, Michael, it is very informative. I will start working on
this on Monday.
But I also have another question for my learning: iptables logs are
very limited, and what PSAD does is just read the iptables logs and make the
decisions set in the conf file and signature file.
I had experience working with fwsnort, and fwsnort is run in conjunction with
psad and gives psad the ability to read packets in more detail, like finding
and triggering rules on MIME type and other deep-level inspection.
So my question is where psad reads all the information of the packet, because
the firewall log is very limited and does not contain MIME types or other deep
packet information, as far as I know, since the firewall log I see in
/var/log/messages does not contain any deep-level information.



Thanks,


On Sat, Nov 8, 2014 at 7:46 AM, Michael Rash wrote:

>
> On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan wrote:
>
>> Hi,
>>
>> Can anyone please explain how I can make a custom rule?
>> I can see rules in /etc/psad/signatures; however, I cannot understand the
>> format.
>> Can anyone throw some light on this?
>>
>> For example, if I want to trigger an alarm and block an IP if traffic is
>> found on 5060, TCP or UDP both.
>>
>> and
>>
>> For example, if I want to block traffic on a TCP flag basis.
>>
>
> Sure, given the scenario you've described above, here is a candidate
> signature:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic";
> flags:S; classtype:misc-activity; psad_id:21; psad_dl:5;)
>
> Note that some of the keywords like 'psad_derived_sids' etc. are optional
> - the above rule should assign danger level 5 (the highest) to any external
> IP that sends a SYN packet to TCP port 5060 (and when this packet is logged
> by iptables of course). This will result in a dedicated alert from psad. If
> you also want psad to block the source IP, then you would need to set the
> ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf file.
>
> Another way to look at this is that if you already know that you want to
> block an IP that tries to communicate with port 5060, then you could
> instantiate a default blocking rule in your iptables policy for such
> traffic. Or, if you want to block IPs that try TCP flags that don't match
> the normal sequence of flags as defined by TCP itself and tracked by the
> iptables connection tracking code, then your policy could accept traffic
> via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
> are outside these criteria. In this case, psad can apply persistent
> blocking rules to IPs that fall into this category. For example, you could
> change the "flags: S;" in the rule above to "flags: F;" if you want to
> block IPs that issue a FIN scan.
>
> Thanks,
>
> --Mike


Re: [psad-discuss] custom signature.

2014-11-07 Thread Michael Rash
On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan wrote:

> Hi,
>
> Can anyone please explain how I can make a custom rule?
> I can see rules in /etc/psad/signatures; however, I cannot understand the
> format.
> Can anyone throw some light on this?
>
> For example, if I want to trigger an alarm and block an IP if traffic is
> found on 5060, TCP or UDP both.
>
> and
>
> For example, if I want to block traffic on a TCP flag basis.
>

Sure, given the scenario you've described above, here is a candidate
signature:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic";
flags:S; classtype:misc-activity; psad_id:21; psad_dl:5;)

Note that some of the keywords like 'psad_derived_sids' etc. are optional -
the above rule should assign danger level 5 (the highest) to any external
IP that sends a SYN packet to TCP port 5060 (and when this packet is logged
by iptables of course). This will result in a dedicated alert from psad. If
you also want psad to block the source IP, then you would need to set the
ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf file.

Another way to look at this is that if you already know that you want to
block an IP that tries to communicate with port 5060, then you could
instantiate a default blocking rule in your iptables policy for such
traffic. Or, if you want to block IPs that try TCP flags that don't match
the normal sequence of flags as defined by TCP itself and tracked by the
iptables connection tracking code, then your policy could accept traffic
via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
are outside these criteria. In this case, psad can apply persistent
blocking rules to IPs that fall into this category. For example, you could
change the "flags: S;" in the rule above to "flags: F;" if you want to
block IPs that issue a FIN scan.

Thanks,

--Mike



>
>
> Any help will be highly appreciated.
>
>
> Thanks,
> MYK
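Added example, not psad's or fwsnort's code and not from anyone on the thread: a small Python model of the two mechanisms Mike describes above, namely reading iptables LOG lines and checking them against the port-5060 signature (with the SYN/FIN flag variants), and recognising the fwsnort "SID12345"-style log prefix that tells psad an application-layer match already happened. The HOME_NET range and the LOG lines are constructed for the demo and abbreviated; real psad parsing handles far more fields and rule keywords.

```python
# Added example (not psad's own code): model how psad turns an iptables LOG line
# into fields, checks the thread's port-5060 rule, and spots an fwsnort SID prefix.
import re
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")  # assumed value for this demo
FLAG_LETTERS = {"S": "SYN", "F": "FIN", "A": "ACK", "R": "RST", "P": "PSH", "U": "URG"}
TCP_FLAGS = set(FLAG_LETTERS.values())

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic"; '
        'flags:S; classtype:misc-activity; psad_id:21; psad_dl:5;)')

# Constructed iptables LOG lines (abbreviated; real lines carry more fields).
LOG_LINES = [
    "Nov  8 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=40000 DPT=5060 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  8 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=40001 DPT=5060 WINDOW=1024 RES=0x00 FIN URGP=0",
    "Nov  8 10:01:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 "
    "PROTO=UDP SPT=5060 DPT=5060 LEN=380",
    "Nov  8 10:01:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 "
    "PROTO=TCP SPT=51000 DPT=5060 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov  8 10:01:06 fw kernel: SID12345 IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 ACK PSH URGP=0",
]

def parse_log_line(line):
    """Split a LOG line into its --log-prefix, KEY=VALUE fields and bare TCP flags."""
    prefix, _, rest = line.split("kernel: ", 1)[1].partition(" IN=")
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    sid = re.search(r"SID(\d+)", prefix)  # the fwsnort -> psad linkage
    return {"prefix": prefix.strip(), "fields": fields, "flags": flags,
            "sid": int(sid.group(1)) if sid else None}

def parse_signature(rule):
    """Parse the Snort-style header and the 'key:value;' options of a psad rule."""
    head, _, opts = rule.partition("(")
    _action, proto, src, _sport, _arrow, dst, dport = head.split()
    options = dict(o.strip().split(":", 1)
                   for o in opts.rstrip(")").split(";") if ":" in o)
    return {"proto": proto.upper(), "src": src, "dst": dst, "dport": dport,
            "flags": {FLAG_LETTERS[c] for c in options.get("flags", "")},
            "danger_level": int(options.get("psad_dl", "1"))}

def signature_matches(sig, pkt, home_net=HOME_NET):
    """True when proto, nets, dport and the exact TCP flag set all agree."""
    f = pkt["fields"]
    src_ok = sig["src"] != "$EXTERNAL_NET" or ip_address(f["SRC"]) not in home_net
    dst_ok = sig["dst"] != "$HOME_NET" or ip_address(f["DST"]) in home_net
    return (f.get("PROTO") == sig["proto"] and src_ok and dst_ok
            and (sig["dport"] == "any" or f.get("DPT") == sig["dport"])
            and (not sig["flags"] or pkt["flags"] == sig["flags"]))

def scan(lines, rule=RULE):
    """Return (src, reason) for each line that fires the rule or carries a SID."""
    sig = parse_signature(rule)
    hits = []
    for pkt in map(parse_log_line, lines):
        if pkt["sid"] is not None:  # fwsnort already matched application-layer data
            hits.append((pkt["fields"]["SRC"], "fwsnort SID%d" % pkt["sid"]))
        elif signature_matches(sig, pkt):
            hits.append((pkt["fields"]["SRC"], "psad_dl %d" % sig["danger_level"]))
    return hits
```

Note that the UDP line never fires because the rule header says `tcp`; covering "TCP or UDP both", as asked in the thread, needs a second rule with `udp` in the header.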