
List:       psad-discuss
Subject:    Re: [psad-discuss] email false alarm.
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2013-11-08 1:57:56
Message-ID: 20131108015756.GA18194 () cipherdyne ! org

On Nov 07, 2013, Muhammad Yousuf Khan wrote:

> I put the IP addresses in auto_dl and set the danger level to zero like this:
> 
> 192.168.x.1    0;
> 10.x.x.240   0;
> 
> Please correct me if I am wrong in my understanding: do the settings above
> mean that any detected packet shall not be considered an attack, and thus
> an email notification and log message will not be generated?

Yes, that is correct.  Assigning a danger level of zero to an IP or
network will result in no alarms for that IP or network.

> I have two questions.
> 
> 1. How should I stop detection of false alarms for legitimate hosts?

Depends on what you really want to do.  If a legitimate host is scanning
you, do you want an alarm?  If a legitimate host triggers an fwsnort
signature do you want an alarm?  If the answer to both of these
questions is no, then you can either configure iptables itself to not
log traffic like this from the host, or you can use the auto_dl file as
you have above.

> 2. Is there any option to restrict false alarms on a per-host, per-signature
> basis?
> 
>     E.g. I do not want only one specific signature to be triggered against
> only one specific host. I do not want to change the danger level of the
> signature nor the host individually.
> 

The auto_dl feature could be extended to apply exclusion logic to
individual signatures for specified IPs/networks, but this isn't
currently supported.  I'll take a look at adding this for the next
release.

> Here is the psad notification email that I am receiving (lots of emails):
> 
>          Danger level: [4] (out of 5)
> 
>          icmp packets: [4]
>        iptables chain: FWSNORT_INPUT (prefix "[6069] SID401"), 4 packets
>          fwsnort rule: 6069
>                Source: 192.168.x.1
>                   DNS: [No reverse dns info available]
> 
>           Destination: 192.168.x.21
>                   DNS: [No reverse dns info available]
> 
>    Overall scan start: Tue Nov  5 12:44:48 2013
>    Total email alerts: 691
>       Syslog hostname: firewall
> 
>          Global stats:
>                        chain:   interface:  protocol:  packets:
>                        INPUT    eth1        icmp       3574
> 
> My alert email settings are like this in the psad.conf file:
> MIN_DANGER_LEVEL            1;
> EMAIL_ALERT_DANGER_LEVEL    3;
> 
> However, I am still getting DL2-type alerts. Is there anything more I could
> do to only log alerts from level 1 to 2, while for the levels above I need
> an alert in the log and by email?

If I understand correctly, then this isn't currently supported either
but something I may add in the next release.

Thanks,

--Mike



> Thanks,
> 
> Myk
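As an added illustration (not psad's own code, and not from either poster), the script below models the auto_dl behaviour confirmed in this thread: an entry of the form `<ip-or-network>  <danger level>;` overrides the danger level psad computed for that source, and a level of 0 means no alarm. It assumes longest-prefix matching for overlapping entries and that a `#` starts a comment; the auto_dl contents and the alert fragment are constructed samples, and the MIN_DANGER_LEVEL / EMAIL_ALERT_DANGER_LEVEL thresholds are deliberately not modelled.

```python
import ipaddress
import re

# Constructed auto_dl contents in the "<ip-or-network>  <danger level>;" layout.
AUTO_DL_SAMPLE = """\
# constructed example, not a real auto_dl file
192.168.1.1      0;
10.0.0.240       0;
203.0.113.0/24   5;
"""
# Constructed fragment of a psad alert, in the layout quoted in the thread.
ALERT_SAMPLE = """\
         Danger level: [4] (out of 5)
       iptables chain: FWSNORT_INPUT (prefix "[6069] SID401"), 4 packets
               Source: 192.168.1.1
"""

def parse_auto_dl(text):
    """Return [(network, danger_level)] from auto_dl-style text."""
    entries = []
    for raw in text.splitlines():
        # strip '#' comments and the trailing ';' terminator
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed auto_dl line: {raw!r}")
        entries.append((ipaddress.ip_network(fields[0], strict=False),
                        int(fields[1])))
    return entries

def effective_danger_level(src_ip, computed_dl, entries):
    """Assumed model: a matching auto_dl entry overrides the computed
    danger level; the most specific (longest-prefix) entry wins."""
    ip = ipaddress.ip_address(src_ip)
    hits = [(net, dl) for net, dl in entries if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else computed_dl

def parse_alert(text):
    """Pull danger level, source IP and fwsnort SID out of an alert body."""
    dl = int(re.search(r"Danger level: \[(\d+)\]", text).group(1))
    src = re.search(r"Source:\s+(\S+)", text).group(1)
    sid = int(re.search(r'prefix "\[\d+\] SID(\d+)"', text).group(1))
    return {"danger_level": dl, "source": src, "sid": sid}

def would_alarm(alert_text, auto_dl_text):
    """True unless the alert's source resolves to danger level 0."""
    alert = parse_alert(alert_text)
    entries = parse_auto_dl(auto_dl_text)
    return effective_danger_level(alert["source"], alert["danger_level"],
                                  entries) > 0
```

Run `would_alarm(ALERT_SAMPLE, AUTO_DL_SAMPLE)` against your own auto_dl contents to check which sources the zero entries actually silence before relying on them.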

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss