
List:       psad-discuss
Subject:    Re: [psad-discuss] Psad with Shorewall (working but not blocking)
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2013-10-27 0:35:47
Message-ID: 20131027003547.GA22097 () cipherdyne ! org

On Oct 25, 2013, Muhammad Yousuf Khan wrote:

> I am using Shorewall and Psad on Debian squeeze. Everything is working
> perfectly and as per expectations, but I cannot make Psad block the
> IP.
> 
> I am scanning the firewall from another Linux host with NMP
> 
> /var/log/messages (I will share it at the end) shows that psad is detecting
> the packets, but it is not blocking the IP
> 
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC HP Web
> JetAdmin communication attempt" (sid: 100084) tcp port: 8000
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "DOS arkiea
> backup communication attempt" (sid: 282) tcp port: 617
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC
> Microsoft PPTP communication attempt" (sid: 100082) tcp port: 1723
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC MS
> Terminal Server communication attempt" (sid: 100077) tcp port: 3389
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "MISC VNC
> communication attempt" (sid: 100202) tcp port: 5900
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "POLICY
> vncviewer Java applet communication attempt" (sid: 1846) tcp port: 5801
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "BACKDOOR
> Infector.1.x Connection attempt" (sid: 100040) tcp port: 146
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "P2P napster
> communication attempt" (sid: 100090) tcp port: 8888
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "BACKDOOR
> GateCrasher Connection attempt" (sid: 147) tcp port: 6969
> Oct 25 13:02:29 firewall psad: src: 10.x.x.17 signature match: "P2P Napster
> Client Data communication attempt" (sid: 564) tcp port: 5555
> Oct 25 13:02:29 firewall psad: scan detected: 10.x.x.17 -> 10.x.x.22 tcp:
> [3-65389] flags: SYN tcp pkts: 570 DL: 3
> 
> I tried several times and I see the log every time; however, Psad is not
> proactively blocking the IP.

Ok, in order to have psad block the IP 10.x.x.17 above, you would need to
have the following variables set like this in the /etc/psad/psad.conf
file:

ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       2;  ### this could be 3 instead if you like
ENABLE_AUTO_IDS_REGEX       N;
IPTABLES_BLOCK_METHOD       Y;

Can you confirm this?

Thanks,

--Mike


> Any idea? Please help.
> 
> Thanks,
> 
> Myk
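As an added example that is not part of this thread or of psad itself: a small Python check that parses a psad.conf for the four settings Mike lists and tells, for a "scan detected" syslog line like the one quoted above, whether the source would cross the configured danger level. The `KEY   value;` conf syntax and the 1-5 danger level range are psad's own; the two sample configs are constructed for the example.

```python
import re

# Settings named in the reply, with the values psad needs for auto-blocking;
# AUTO_IDS_DANGER_LEVEL is checked separately (psad levels run 1-5).
REQUIRED = {"ENABLE_AUTO_IDS": "Y", "ENABLE_AUTO_IDS_REGEX": "N",
            "IPTABLES_BLOCK_METHOD": "Y"}

def parse_psad_conf(text):
    """Parse psad.conf 'KEY   value;' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s+(.*?);\s*$", line.split("#", 1)[0].strip())
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def auto_block_problems(conf):
    """List the reasons auto-blocking cannot fire; empty means it can."""
    problems = [f"{k} is {conf.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if conf.get(k) != v]
    dl = conf.get("AUTO_IDS_DANGER_LEVEL")
    if dl is None or not dl.isdigit() or not 1 <= int(dl) <= 5:
        problems.append(f"AUTO_IDS_DANGER_LEVEL is {dl!r}, expected 1-5")
    return problems

SCAN_RE = re.compile(r"psad: scan detected: (\S+) -> \S+ .*?DL: (\d)")

def would_block(conf, log_line):
    """Return (source_ip, blocked?) for a psad 'scan detected' syslog line."""
    m = SCAN_RE.search(log_line)
    if auto_block_problems(conf) or not m:
        return None, False
    return m.group(1), int(m.group(2)) >= int(conf["AUTO_IDS_DANGER_LEVEL"])

# Constructed sample configs: auto-blocking off, and the fix from the reply.
CONF_OFF = """
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       5;
ENABLE_AUTO_IDS_REGEX       N;
IPTABLES_BLOCK_METHOD       Y;
"""
CONF_ON = (CONF_OFF.replace("ENABLE_AUTO_IDS             N;", "ENABLE_AUTO_IDS             Y;")
           .replace("AUTO_IDS_DANGER_LEVEL       5;", "AUTO_IDS_DANGER_LEVEL       2;"))
# The 'scan detected' line quoted in the thread (DL: 3).
SCAN_LINE = ("Oct 25 13:02:29 firewall psad: scan detected: 10.x.x.17 -> "
             "10.x.x.22 tcp: [3-65389] flags: SYN tcp pkts: 570 DL: 3")

if __name__ == "__main__":
    for name, text in (("before", CONF_OFF), ("after", CONF_ON)):
        conf = parse_psad_conf(text)
        print(name, auto_block_problems(conf), would_block(conf, SCAN_LINE))
```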



_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss