
List:       psad-discuss
Subject:    Re: [psad-discuss] Danger level confusion
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2013-11-09 18:51:20
Message-ID: 20131109185120.GA5813 () cipherdyne ! org

On Nov 08, 2013, Muhammad Yousuf Khan wrote:

> Hello All,
> 
> I am trying to test the packet count ability of psad with danger levels and
> set up the danger levels in "psad.conf" like this.
> 
> (I changed the DL values for my testing only)
> 
> DANGER_LEVEL1               2;
> DANGER_LEVEL2               4;
> DANGER_LEVEL3               6;
> DANGER_LEVEL4               8;
> DANGER_LEVEL5               10;
> 
> AUTO_IDS_DANGER_LEVEL       3;
> 
> As per the above settings, if the packet count of any signature reaches "6" it
> should be blocked (please correct me if I am wrong).

By default, all psad signatures assign a danger level of 2 according to
the "psad_dl" field within each signature. Here is an example (note the
psad_dl field at the end):

alert tcp $EXTERNAL_NET any -> $HOME_NET 17300 (msg:"PSAD-CUSTOM Kuang2 virus \
communication attempt"; flags:S; \
reference:url,isc.sans.org/port_details.php?port=17300; classtype:trojan-activity; \
psad_id:100206; psad_dl:2;)

So, if you want psad to take a blocking action based on a signature
match, then you either need to change the danger level in the
signatures themselves to match your AUTO_IDS_DANGER_LEVEL setting, or
just reduce this setting to 2.

> I am using "WEB-PHP Setup.php access Attack" as described in a book.
> Everything is working in order: "packet-counter", signature detection by
> snort and psad, etc.
> 
> But one thing I cannot understand is the purpose of the packet count and how
> psad makes a decision on the packet count from the attack.

psad danger levels are influenced by several things - not just raw
packet counts.  That is, auto_dl settings can play a role, the range of
ports scanned influences this (see the PORT_RANGE_SCAN_THRESHOLD
variable), signatures set the danger level independently of packet
counts, etc.

> By default "WEB-PHP Setup.php access Attack" has a DL of 2.
> 
> From the host I am trying to generate the attack packet by packet, with the
> below command:
> "lynx http://10.x.x.22/Setup.php"
> 
> 
> The attack is detected on the firewall with the below log, which is a good sign:
> psad: src: 10.51.100.17 signature match: "WEB-PHP Setup.php access" (sid:
> 2281) tcp port: 80 fwsnort chain: FWSNORT_INPUT_ESTAB rule: 7363
> 
> As per my settings shared above from my psad.conf, this means that when the
> packet count reaches "6" the host is blocked. However, it is not happening.

Per the above, I think you need to reduce your AUTO_IDS_DANGER_LEVEL
setting to match that of the signature itself (psad_dl:2).

--Mike

> Here is my "psad -S" output:
> 
> 
> [+] IP Status Detail:
> 
> SRC:  10.51.100.17, DL: 2, Dsts: 1, Pkts: 13, Total protocols: 1, Unique
> sigs: 1, Email alerts: 8, Local IP
> 
> 
> As you can see in the output, the packet count has reached "13" but no block
> has been triggered by psad.
> 
> As I am perceiving from my testing, "DL2" rules will always be DL2 no matter
> how high the packet count is. In order to make things work according to my
> need, I have to change the danger level of the specified attack/SID in the
> "snort_rule_dl" file manually, and this is the only option. The packet count
> will not work if the default DL level of the signature is below the value of
> "AUTO_IDS_DANGER_LEVEL".
> 
> Is my understanding from the above testing correct?
> 
> If the above is correct, then my question is: how does the packet count really work?
> 
> 
> 
> Thanks,


> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss


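The gating Mike describes above (a signature match only raises a source to the signature's own psad_dl, so a psad_dl:2 signature can never reach AUTO_IDS_DANGER_LEVEL 3 and trigger auto-blocking) can be checked mechanically before touching a firewall. The following script is an added example, not psad's own code: it parses a psad.conf excerpt, the psad_dl/psad_id or sid fields of rule lines (joining the backslash continuations shown in the post), and snort_rule_dl overrides, then reports which signatures can auto-block. All inputs are constructed; the "<sid> <dl>" format assumed for snort_rule_dl, the default danger level of 2 for a rule without psad_dl, and the simplified body of the sid 2281 rule are assumptions. The packet-count and port-range contributions Mike mentions are deliberately not modelled.

```python
"""Audit psad signature danger levels against AUTO_IDS_DANGER_LEVEL.

Added example, not psad's own code.  Models one rule from the thread: a
signature match assigns the signature's own danger level, so a signature
whose effective DL is below AUTO_IDS_DANGER_LEVEL never auto-blocks.
Assumptions: snort_rule_dl lines are "<sid> <dl>"; a rule without psad_dl
gets DEFAULT_SIG_DL; the sid 2281 rule body below is a constructed stand-in.
"""
import re

DEFAULT_SIG_DL = 2  # psad's stock per-signature danger level (per the thread)

# --- constructed sample inputs, modelled on the thread (not real files) ---
PSAD_CONF = """\
DANGER_LEVEL1               2;
DANGER_LEVEL2               4;
DANGER_LEVEL3               6;
DANGER_LEVEL4               8;
DANGER_LEVEL5               10;
AUTO_IDS_DANGER_LEVEL       3;
"""

SIGNATURES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 17300 (msg:"PSAD-CUSTOM Kuang2 virus \
communication attempt"; flags:S; \
reference:url,isc.sans.org/port_details.php?port=17300; classtype:trojan-activity; \
psad_id:100206; psad_dl:2;)
# constructed stand-in for the Snort rule the poster triggered (no psad_dl)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-PHP Setup.php access"; \
flow:to_server,established; sid:2281;)
'''

# assumed snort_rule_dl format: one "<sid> <dl>" pair per line
SNORT_RULE_DL = """\
2281    3
"""


def parse_psad_conf(text):
    """Return {KEY: int} for 'KEY   value;' lines; other lines are ignored."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s+(\d+)\s*;", line)
        if m:
            conf[m.group(1)] = int(m.group(2))
    return conf


def parse_signatures(text):
    """Return [{'id', 'msg', 'dl'}] from rule lines, joining '\\' continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    sigs = []
    for line in joined.splitlines():
        if not line.lstrip().startswith("alert"):
            continue  # comments, blanks
        opts = re.search(r"\((.*)\)\s*$", line)
        if not opts:
            continue
        body = opts.group(1)
        msg = re.search(r'msg:"([^"]*)"', body)
        ident = re.search(r"\b(?:psad_id|sid):(\d+)", body)
        dl = re.search(r"\bpsad_dl:(\d+)", body)
        sigs.append({
            "id": int(ident.group(1)) if ident else None,
            "msg": msg.group(1) if msg else "",
            "dl": int(dl.group(1)) if dl else DEFAULT_SIG_DL,
        })
    return sigs


def parse_rule_dl(text):
    """Return {sid: dl} from snort_rule_dl-style lines (format assumed)."""
    overrides = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s*$", line)
        if m:
            overrides[int(m.group(1))] = int(m.group(2))
    return overrides


def effective_dl(sig, overrides):
    """DL a match assigns: a snort_rule_dl override beats the rule's own psad_dl."""
    return overrides.get(sig["id"], sig["dl"])


def audit(conf, sigs, overrides=None):
    """Per signature: effective DL and whether a match alone reaches
    AUTO_IDS_DANGER_LEVEL, i.e. whether it can ever trigger auto-blocking."""
    overrides = overrides or {}
    threshold = conf["AUTO_IDS_DANGER_LEVEL"]
    rows = []
    for s in sigs:
        dl = effective_dl(s, overrides)
        rows.append({"id": s["id"], "msg": s["msg"], "dl": dl,
                     "blocks": dl >= threshold})
    return rows


if __name__ == "__main__":
    conf = parse_psad_conf(PSAD_CONF)
    sigs = parse_signatures(SIGNATURES)
    print(f"AUTO_IDS_DANGER_LEVEL = {conf['AUTO_IDS_DANGER_LEVEL']}")
    for row in audit(conf, sigs):  # stock danger levels: nothing blocks
        print(f"  stock    {row['id']}: dl={row['dl']} blocks={row['blocks']}")
    for row in audit(conf, sigs, parse_rule_dl(SNORT_RULE_DL)):  # sid 2281 raised
        print(f"  override {row['id']}: dl={row['dl']} blocks={row['blocks']}")
```

Run it as-is and the stock pass shows both signatures at dl=2 with blocks=False, matching what the poster saw; the override pass shows sid 2281 at dl=3 and blocking. Lowering AUTO_IDS_DANGER_LEVEL to 2 in the conf excerpt (Mike's other suggestion) makes every stock signature block, which is the trade-off to weigh before doing it on a production firewall.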

