Package: psad
Version: 2.4.6-2
Severity: important
Tags: ipv6
X-Debbugs-Cc: tmcconnell...@gmail.com

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

What led up to the situation? Not sure; I installed psad together with the Snort rules, etc.

What exactly did you do (or not do) that was effective (or
     ineffective)? No idea.

What was the outcome of this action? I am being flooded with notifications like this one:
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [3] (out of 5) Multi-Protocol

 Scanned destinations: 1

               Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
                  DNS: [No reverse dns info available]

          Destination: ff02:0000:0000:0000:0000:0000:0000:0001
                  DNS: [No reverse dns info available]

   Overall scan start: Thu May 19 11:37:16 2022
   Total email alerts: 26491
      Syslog hostname: DebianTim

         Global stats:
                       chain:   interface:  protocol:  packets:
                       INPUT    enp1s0      icmp6      613

[+] Whois Information (source IP):
Unknown AS number or IP network. Please upgrade this program.

=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=
My nftables ruleset contains the following:
# ICMPv6 packets which must not be dropped, see
https://tools.ietf.org/html/rfc4890#section-4.4.1
                meta nfproto ipv6 icmpv6 type { destination-unreachable,
packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-
router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148,
149 } accept
                ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152,
153 } accept

                # count and drop any other traffic
                counter drop
What outcome did you expect instead?
Not to receive 36,878 messages telling me that I have been scanned by IPv6
neighbor-discovery protocols.
How do I configure psad to ignore these and stop generating false positives?
*** End of the template - remove these template lines ***


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages psad depends on:
ii  bsd-mailx [mailx]                          8.1.2-0.20220412cvs-1
ii  exim4-daemon-light [mail-transport-agent]  4.95-5
ii  init-system-helpers                        1.62
ii  iproute2                                   5.17.0-2
ii  iptables                                   1.8.7-1
ii  libc6                                      2.33-7
ii  libcarp-clan-perl                          6.08-1
ii  libdate-calc-perl                          6.4-1.1
ii  libiptables-chainmgr-perl                  1.6-2
ii  libiptables-parse-perl                     1.6-2
ii  libnet-ip-perl                             1.26-2
ii  libunix-syslog-perl                        1.1-3+b4
ii  lsb-base                                   11.1.0
ii  mailutils [mailx]                          1:3.15-2
ii  net-tools                                  1.60+git20181103.0eebece-1
ii  perl                                       5.34.0-4
ii  psmisc                                     23.5-1
ii  rsyslog [system-log-daemon]                8.2204.1-1
ii  whois                                      5.5.13

psad recommends no packages.

Versions of packages psad suggests:
ii  fwsnort  1.6.8-1

-- Configuration Files:
/etc/psad/psad.conf changed:
EMAIL_ADDRESSES             root@localhost;
HOSTNAME                    _DebianTim_;
HOME_NET                   DebianTim;
EXTERNAL_NET                any;
FW_SEARCH_ALL               Y;
FW_MSG_SEARCH               DROP;
IFCFGTYPE                   ifconfig;
DANGER_LEVEL1               5;    ### Number of packets.
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;
DL1_UNIQUE_HOSTS            10;
DL2_UNIQUE_HOSTS            20;
DL3_UNIQUE_HOSTS            50;
DL4_UNIQUE_HOSTS            100;
DL5_UNIQUE_HOSTS            500;
CHECK_INTERVAL              5;
SNORT_SID_STR               SID;
PORT_RANGE_SCAN_THRESHOLD   1;
PORT_RANGE_SWEEP_THRESHOLD  0; ### a single port by default, see the 
DL1_UNIQUE_HOSTS var
PROTOCOL_SCAN_THRESHOLD     5;
ENABLE_PERSISTENCE          Y;
SCAN_TIMEOUT                3600;  ### seconds
PERSISTENCE_CTR_THRESHOLD   5;
MAX_SCAN_IP_PAIRS           0;
SHOW_ALL_SIGNATURES         Y;
ALERTING_METHODS            ALL;
AUTO_DETECT_JOURNALCTL      Y;
ENABLE_SYSLOG_FILE          Y;
IPT_WRITE_FWDATA            Y;
IPT_SYSLOG_FILE             /var/log/messages;
SYSLOG_DAEMON               syslogd;
ENABLE_FW_MSG_READ_CMD      N;
FW_MSG_READ_CMD             /bin/journalctl;
FW_MSG_READ_CMD_ARGS        -f -k;
USE_FW_MSG_READ_CMD_ARGS    Y;
FW_MSG_READ_MIN_PKTS        30;
ENABLE_SIG_MSG_SYSLOG       Y;
SIG_MSG_SYSLOG_THRESHOLD    10;
SIG_SID_SYSLOG_THRESHOLD    10;
ENABLE_PSADWATCHD           N;
EXPECT_TCP_OPTIONS          Y;
MAX_HOPS                    20;
IGNORE_KERNEL_TIMESTAMP     Y;
IGNORE_CONNTRACK_BUG_PKTS   Y;
IGNORE_PORTS                NONE;
IGNORE_PROTOCOLS            NONE;
IGNORE_INTERFACES           NONE;
IGNORE_LOG_PREFIXES         NONE;
MIN_DANGER_LEVEL            1;
EMAIL_ALERT_DANGER_LEVEL    1;
ENABLE_IPV6_DETECTION       Y;
ENABLE_INTF_LOCAL_NETS      Y;
ENABLE_MAC_ADDR_REPORTING   N;
ENABLE_FW_LOGGING_CHECK     Y;
EMAIL_LIMIT                 0;
ENABLE_EMAIL_LIMIT_PER_DST  N;
EMAIL_LIMIT_STATUS_MSG      Y;
EMAIL_THROTTLE              0;
EMAIL_APPEND_HEADER         NONE;
ALERT_ALL                   Y;
IMPORT_OLD_SCANS            N;
SYSLOG_IDENTITY             psad;
SYSLOG_FACILITY             LOG_LOCAL7;
SYSLOG_PRIORITY             LOG_INFO;
TOP_PORTS_LOG_THRESHOLD     500;
STATUS_PORTS_THRESHOLD      20;
TOP_SIGS_LOG_THRESHOLD      500;
STATUS_SIGS_THRESHOLD       50;
TOP_IP_LOG_THRESHOLD        500;
STATUS_IP_THRESHOLD         25;
TOP_SCANS_CTR_THRESHOLD     1;
ENABLE_OVERRIDE_FW_CMD      N;
FW_CMD                      NONE;
FW_CMD_ARGS                 NONE;
ENABLE_DSHIELD_ALERTS       N;
DSHIELD_ALERT_EMAIL         repo...@dshield.org;
DSHIELD_ALERT_INTERVAL      6;  ### hours
DSHIELD_USER_ID             0;
DSHIELD_USER_EMAIL          NONE;
DSHIELD_DL_THRESHOLD        0;
HTTP_SERVERS                $HOME_NET;
SMTP_SERVERS                $HOME_NET;
DNS_SERVERS                 $HOME_NET;
SQL_SERVERS                 $HOME_NET;
TELNET_SERVERS              $HOME_NET;
AIM_SERVERS                 [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 
64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 
205.188.9.0/24];
HTTP_PORTS                  80;
SHELLCODE_PORTS             !80;
ORACLE_PORTS                1521;
ENABLE_SNORT_SIG_STRICT     Y;
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       5;
AUTO_BLOCK_TIMEOUT          3600;
AUTO_BLOCK_DL1_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT      0;   ### permanent
ENABLE_AUTO_IDS_REGEX       N;
AUTO_BLOCK_REGEX            ESTAB;  ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS   N;
ENABLE_AUTO_IDS_EMAILS      Y;
IPTABLES_BLOCK_METHOD       Y;
IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 
1;
FLUSH_IPT_AT_INIT           Y;
IPTABLES_PREREQ_CHECK       1;
TCPWRAPPERS_BLOCK_METHOD    N;
ENABLE_WHOIS_LOOKUPS        Y;
WHOIS_TIMEOUT               60;  ### seconds
WHOIS_LOOKUP_THRESHOLD      20;
ENABLE_WHOIS_FORCE_ASCII    N;
ENABLE_WHOIS_FORCE_SRC_IP   N;
ENABLE_DNS_LOOKUPS          Y;
DNS_LOOKUP_THRESHOLD        20;
ENABLE_EXT_SCRIPT_EXEC      N;
EXTERNAL_SCRIPT             /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT   N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC      N;
EXTERNAL_BLOCK_SCRIPT             /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE      N;
CUSTOM_SYSLOG_TS_RE             ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL         300;  ### seconds
DISK_MAX_PERCENTAGE         95;
DISK_MAX_RM_RETRIES         10;
ENABLE_SCAN_ARCHIVE         N;
TRUNCATE_FWDATA             Y;
MIN_ARCHIVE_DANGER_LEVEL    1;
MAIL_ALERT_PREFIX           [psad-alert];
MAIL_STATUS_PREFIX          [psad-status];
MAIL_ERROR_PREFIX           [psad-error];
MAIL_FATAL_PREFIX           [psad-fatal];
SIG_UPDATE_URL              http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL   5;  ### seconds
PSADWATCHD_MAX_RETRIES      10;
INSTALL_ROOT                /;
PSAD_DIR                    $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR                $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR               $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR               $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR               $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR                $PSAD_DIR/errs;
CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist
FW_DATA_FILE                $PSAD_DIR/fwdata;
ULOG_DATA_FILE              $PSAD_DIR/ulogd.log;
FW_CHECK_FILE               $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE          $PSAD_DIR/dshield.email;
SIGS_FILE                   $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE              $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE             $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE            $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE                $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE          $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE                   $PSAD_CONF_DIR/posf;
P0F_FILE                    $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE                $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE              $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE         /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_RSYSLOG_CONF            /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE          $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE        $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE            $PSAD_DIR/install.log;
PSAD_PID_FILE               $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE       $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE           $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE             $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE         $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE         $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK               $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG                $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH             $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE         $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE      $PSAD_DIR/top_ports;
TOP_SIGS_FILE               $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE          $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE        $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE     $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN          psad_iptout.XXXXXX;
IPT_ERROR_PATTERN           psad_ipterr.XXXXXX;
iptablesCmd      /sbin/iptables;
ip6tablesCmd     /sbin/ip6tables;
shCmd            /bin/sh;
wgetCmd          /usr/bin/wget;
gzipCmd          /bin/gzip;
mknodCmd         /bin/mknod;
psCmd            /bin/ps;
mailCmd          /bin/mail;
sendmailCmd      /usr/sbin/sendmail;
ifconfigCmd      /sbin/ifconfig;
ipCmd            /sbin/ip;
killallCmd       /usr/bin/killall;
netstatCmd       /bin/netstat;
unameCmd         /bin/uname;
whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd            /bin/df;
fwcheck_psadCmd  $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd    $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd        $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd          $INSTALL_ROOT/usr/sbin/psad;


-- no debconf information
