Package: psad
Version: 2.4.6-2
Severity: important
Tags: ipv6
X-Debbugs-Cc: tmcconnell...@gmail.com
Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

     Not sure, I installed psad and Snort rules etc.

   * What exactly did you do (or not do) that was effective (or ineffective)?

     No idea.

   * What was the outcome of this action?

     Getting flooded with this notification:

=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=

Danger level: [3] (out of 5) Multi-Protocol

Scanned destinations: 1

Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
    DNS: [No reverse dns info available]

Destination: ff02:0000:0000:0000:0000:0000:0000:0001
    DNS: [No reverse dns info available]

Overall scan start: Thu May 19 11:37:16 2022
Total email alerts: 26491
Syslog hostname: DebianTim

Global stats:
    chain:   interface:   protocol:   packets:
    INPUT    enp1s0       icmp6       613

[+] Whois Information (source IP):

Unknown AS number or IP network. Please upgrade this program.

=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=

I have NFTables set to this:

    # ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
    meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
    ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
    # count and drop any other traffic
    counter drop

   * What outcome did you expect instead?

     Not to have 36,878 messages telling me that I have been scanned for IPv6 neighbor protocols. How do I configure PSAD to ignore these and quit getting false positives?
*** End of the template - remove these template lines ***

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages psad depends on:
ii  bsd-mailx [mailx]                          8.1.2-0.20220412cvs-1
ii  exim4-daemon-light [mail-transport-agent]  4.95-5
ii  init-system-helpers                        1.62
ii  iproute2                                   5.17.0-2
ii  iptables                                   1.8.7-1
ii  libc6                                      2.33-7
ii  libcarp-clan-perl                          6.08-1
ii  libdate-calc-perl                          6.4-1.1
ii  libiptables-chainmgr-perl                  1.6-2
ii  libiptables-parse-perl                     1.6-2
ii  libnet-ip-perl                             1.26-2
ii  libunix-syslog-perl                        1.1-3+b4
ii  lsb-base                                   11.1.0
ii  mailutils [mailx]                          1:3.15-2
ii  net-tools                                  1.60+git20181103.0eebece-1
ii  perl                                       5.34.0-4
ii  psmisc                                     23.5-1
ii  rsyslog [system-log-daemon]                8.2204.1-1
ii  whois                                      5.5.13

psad recommends no packages.

Versions of packages psad suggests:
ii  fwsnort  1.6.8-1

-- Configuration Files:
/etc/psad/psad.conf changed:
EMAIL_ADDRESSES root@localhost;
HOSTNAME _DebianTim_;
HOME_NET DebianTim;
EXTERNAL_NET any;
FW_SEARCH_ALL Y;
FW_MSG_SEARCH DROP;
IFCFGTYPE ifconfig;
DANGER_LEVEL1 5;  ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
DL1_UNIQUE_HOSTS 10;
DL2_UNIQUE_HOSTS 20;
DL3_UNIQUE_HOSTS 50;
DL4_UNIQUE_HOSTS 100;
DL5_UNIQUE_HOSTS 500;
CHECK_INTERVAL 5;
SNORT_SID_STR SID;
PORT_RANGE_SCAN_THRESHOLD 1;
PORT_RANGE_SWEEP_THRESHOLD 0;  ### a single port by default, see the DL1_UNIQUE_HOSTS var
PROTOCOL_SCAN_THRESHOLD 5;
ENABLE_PERSISTENCE Y;
SCAN_TIMEOUT 3600;  ### seconds
PERSISTENCE_CTR_THRESHOLD 5;
MAX_SCAN_IP_PAIRS 0;
SHOW_ALL_SIGNATURES Y;
ALERTING_METHODS ALL;
AUTO_DETECT_JOURNALCTL Y;
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages;
SYSLOG_DAEMON syslogd;
ENABLE_FW_MSG_READ_CMD N;
FW_MSG_READ_CMD /bin/journalctl;
FW_MSG_READ_CMD_ARGS -f -k;
USE_FW_MSG_READ_CMD_ARGS Y;
FW_MSG_READ_MIN_PKTS 30;
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;
ENABLE_PSADWATCHD N;
EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
IGNORE_PROTOCOLS NONE;
IGNORE_INTERFACES NONE;
IGNORE_LOG_PREFIXES NONE;
MIN_DANGER_LEVEL 1;
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_IPV6_DETECTION Y;
ENABLE_INTF_LOCAL_NETS Y;
ENABLE_MAC_ADDR_REPORTING N;
ENABLE_FW_LOGGING_CHECK Y;
EMAIL_LIMIT 0;
ENABLE_EMAIL_LIMIT_PER_DST N;
EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_THROTTLE 0;
EMAIL_APPEND_HEADER NONE;
ALERT_ALL Y;
IMPORT_OLD_SCANS N;
SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;
TOP_SCANS_CTR_THRESHOLD 1;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
FW_CMD_ARGS NONE;
ENABLE_DSHIELD_ALERTS N;
DSHIELD_ALERT_EMAIL repo...@dshield.org;
DSHIELD_ALERT_INTERVAL 6;  ### hours
DSHIELD_USER_ID 0;
DSHIELD_USER_EMAIL NONE;
DSHIELD_DL_THRESHOLD 0;
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
ENABLE_SNORT_SIG_STRICT Y;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 5;
AUTO_BLOCK_TIMEOUT 3600;
AUTO_BLOCK_DL1_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT 0;  ### permanent
ENABLE_AUTO_IDS_REGEX N;
AUTO_BLOCK_REGEX ESTAB;  ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS N;
ENABLE_AUTO_IDS_EMAILS Y;
IPTABLES_BLOCK_METHOD Y;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT Y;
IPTABLES_PREREQ_CHECK 1;
TCPWRAPPERS_BLOCK_METHOD N;
ENABLE_WHOIS_LOOKUPS Y;
WHOIS_TIMEOUT 60;  ### seconds
WHOIS_LOOKUP_THRESHOLD 20;
ENABLE_WHOIS_FORCE_ASCII N;
ENABLE_WHOIS_FORCE_SRC_IP N;
ENABLE_DNS_LOOKUPS Y;
DNS_LOOKUP_THRESHOLD 20;
ENABLE_EXT_SCRIPT_EXEC N;
EXTERNAL_SCRIPT /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC N;
EXTERNAL_BLOCK_SCRIPT /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE N;
CUSTOM_SYSLOG_TS_RE ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL 300;  ### seconds
DISK_MAX_PERCENTAGE 95;
DISK_MAX_RM_RETRIES 10;
ENABLE_SCAN_ARCHIVE N;
TRUNCATE_FWDATA Y;
MIN_ARCHIVE_DANGER_LEVEL 1;
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL 5;  ### seconds
PSADWATCHD_MAX_RETRIES 10;
INSTALL_ROOT /;
PSAD_DIR $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR /etc/fwsnort/snort_rules;  ### may not exist
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
SIGS_FILE $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_RSYSLOG_CONF /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE $PSAD_DIR/install.log;
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
TOP_SIGS_FILE $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN psad_iptout.XXXXXX;
IPT_ERROR_PATTERN psad_ipterr.XXXXXX;
iptablesCmd /sbin/iptables;
ip6tablesCmd /sbin/ip6tables;
shCmd /bin/sh;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd $INSTALL_ROOT/usr/sbin/psad;

-- no debconf information
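A triage check for the alert quoted in the report, added here as an example (it is not psad's code and not part of the bug report): it parses a psad-style alert body and decides whether the flow is ICMPv6 from a link-local source (fe80::/10) to a link-scope multicast group (ff02::/16), which is the neighbor/router discovery and MLD traffic that the reporter's nftables rules deliberately accept per RFC 4890, rather than an off-link scan. The sample alert is constructed from the addresses in the report; the function names and the "suppress"/"review" labels are assumptions.

```python
import ipaddress
import re

# Constructed sample, shaped like the psad notification in the report
# (same source/destination/chain/protocol values as quoted there).
SAMPLE_ALERT = """\
Danger level: [3] (out of 5) Multi-Protocol
Scanned destinations: 1
Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
Destination: ff02:0000:0000:0000:0000:0000:0000:0001
Global stats:
    chain:   interface:   protocol:   packets:
    INPUT    enp1s0       icmp6       613
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")     # link-local unicast
LINK_SCOPE_MCAST = ipaddress.IPv6Network("ff02::/16")  # link-scope multicast
ICMPV6_NAMES = ("icmp6", "icmpv6", "ipv6-icmp")

def parse_alert(text):
    """Pull source, destination and logged protocol out of an alert body."""
    src = re.search(r"^Source:\s+(\S+)", text, re.M)
    dst = re.search(r"^Destination:\s+(\S+)", text, re.M)
    # Stats row: chain, interface, protocol, packet count.
    proto = re.search(r"^\s*(?:INPUT|OUTPUT|FORWARD)\s+\S+\s+(\S+)\s+\d+", text, re.M)
    if not (src and dst and proto):
        raise ValueError("alert body missing Source/Destination/stats row")
    return {"src": ipaddress.ip_address(src.group(1)),
            "dst": ipaddress.ip_address(dst.group(1)),
            "proto": proto.group(1)}

def is_local_icmpv6_housekeeping(alert):
    """True only for ICMPv6 from a link-local source to a link-scope multicast
    group: ND/MLD chatter on the local segment. Anything else, including
    ICMPv6 from a global source or any non-ICMPv6 protocol, is not matched."""
    if alert["proto"] not in ICMPV6_NAMES:
        return False
    src, dst = alert["src"], alert["dst"]
    if src.version != 6 or dst.version != 6:
        return False
    return src in LINK_LOCAL and dst in LINK_SCOPE_MCAST

def triage(text):
    """Classify one alert body: suppress known-benign local ICMPv6, else review."""
    if is_local_icmpv6_housekeeping(parse_alert(text)):
        return "suppress: local ICMPv6 ND/MLD"
    return "review"
```

The alert body does not carry the ICMPv6 type, so the check keys on addresses and protocol only; a flow from a global source to the same multicast group still lands in "review".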