List: psad-discuss
Subject: [psad-discuss] Debian Bug#1011293: psad: getting logs flooded with scan reports for IP6 neighbor dis
From: tmcconnell168 () gmail ! com
Date: 2022-05-19 18:19:43
Message-ID: 05b1c2015dc724b78ab0396dd9062eb742e25eeb.camel () gmail ! com
Hi List,
I'm getting flooded by these false positives:
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [3] (out of 5) Multi-Protocol
Scanned destinations: 1
Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
DNS: [No reverse dns info available]
Destination: ff02:0000:0000:0000:0000:0000:0000:0001
DNS: [No reverse dns info available]
Overall scan start: Thu May 19 11:37:16 2022
Total email alerts: 26491
Syslog hostname: DebianTim
Global stats:
    chain:   interface:   protocol:   packets:
    INPUT    enp1s0       icmp6       613
[+] Whois Information (source IP):
    Unknown AS number or IP network. Please upgrade this program.
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=
I have NFTables set to this:
    # ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
    meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
    ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
    # count and drop any other traffic
    counter drop
***********************************************************************
So how do I get these to stop? I'm getting ~37,000 emails a day about
this and would love to be able to stop them.
Thanks!
--
<tmcconnell168@gmail.com>
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
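
An added example, not part of the original message and not psad's own code: a Python triage check that parses a psad alert body and reports whether it is purely link-scope ICMPv6 (fe80::/10 source, ff02::/16 multicast destination, icmp6 only), the pattern in the alert quoted above. The function names are hypothetical, and the field layout is assumed from that single alert.

```python
import ipaddress

# Sample input: lines copied from the alert quoted in the message above.
SAMPLE_ALERT = """\
Danger level: [3] (out of 5) Multi-Protocol
Scanned destinations: 1
Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
DNS: [No reverse dns info available]
Destination: ff02:0000:0000:0000:0000:0000:0000:0001
Total email alerts: 26491
Global stats:
chain: interface: protocol: packets:
INPUT enp1s0 icmp6 613
"""

# ff02::/16 is link-local scope multicast (ff02::1 is the all-nodes group).
LINK_SCOPE_MULTICAST = ipaddress.ip_network("ff02::/16")


def parse_alert(text):
    """Extract source, destination and per-protocol stats rows from an alert body."""
    alert = {"stats": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("Source:", "Destination:"):
            alert[parts[0][:-1].lower()] = ipaddress.ip_address(parts[1])
        elif (len(parts) == 4 and parts[3].isdigit()
              and not any(p.endswith(":") for p in parts)):
            # Stats row: chain, interface, protocol, packet count.
            # Label lines such as "Total email alerts: N" contain a colon and are skipped.
            alert["stats"].append((parts[0], parts[1], parts[2], int(parts[3])))
    return alert


def is_link_scope_icmpv6(alert):
    """True when the alert is only ICMPv6 from a link-local source to link-scope multicast."""
    src, dst = alert.get("source"), alert.get("destination")
    if src is None or dst is None or src.version != 6 or dst.version != 6:
        return False
    only_icmp6 = bool(alert["stats"]) and all(s[2] == "icmp6" for s in alert["stats"])
    return src.is_link_local and dst in LINK_SCOPE_MULTICAST and only_icmp6


if __name__ == "__main__":
    print(is_link_scope_icmpv6(parse_alert(SAMPLE_ALERT)))
```

Alerts for which the check returns true describe on-link traffic only; anything else (routable addresses, other protocols in the stats rows) should still be reviewed as a normal scan report.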