i hope that you guys are not minding my very newbie questions. actually i
am very new to IPS and still learning so please bear with me.
i want to share my finding and i think i narrow down the issue but i still
could not understand why there are two different behaviors of packet count.
because packet count just worked after port scanning attack detection
however it was not working with my previous illustrated attack (SID 2881)
as mentioned in my email.
Just FYI i have tweaked my packet level count like this.
DANGER_LEVEL1 2;
DANGER_LEVEL2 4;
DANGER_LEVEL3 15;
DANGER_LEVEL4 20;
DANGER_LEVEL5 25;
AUTO_IDS_DANGER_LEVEL 3;
when i run ""lynx http://10.x.x.22/Setup.php"; command from host 20 times,
it generates 1 packet per command when it reach
packet count of 20. like example given below, the DL shows constantly 2.
[+] IP Status Detail:
SRC: 10.x.x.17, DL: 2, Dsts: 1, Pkts: 22, Total protocols: 1, Unique sigs:
1, Email alerts: 8, Local IP
however, when i scan the firewall/IPS(10.x.x.22) from a openBSD utility
from WebGUI, it generate 6 packets and trigger multiple snort rules as
illustrated below.
SRC: 10.x.x.25, DL: 3, Dsts: 1, Pkts: 18, Total protocols: 1, Unique sigs:
5, Email alerts: 3, Local IP
DST: 10.x.x.22, Local IP
Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0
Signature match: "GPL ICMP_INFO PING BSDtype"
ICMP, Chain: INPUT, Count: 1, Sid: 2100368
Signature match: "ICMP PING"
ICMP, Chain: INPUT, Count: 2, Sid: 384
Signature match: "GPL ICMP_INFO PING *NIX"
ICMP, Chain: INPUT, Count: 1, Sid: 2100366
Signature match: "ICMP PING *NIX"
ICMP, Chain: INPUT, Count: 1, Sid: 366
Signature match: "ICMP PING BSDtype"
ICMP, Chain: INPUT, Count: 1, Sid: 368
this time amazingly, not just packet count working as per the psad.conf
danger level but it also increase the danger level as the packet count
crossing the packet-counter define in psad.conf.
as we can see this in email.
here is my first email when it crosses danger level 2. this is some of the
first email:
>Danger level: [2] (out of 5)
> icmp packets: [6]
> Global stats:
> chain: interface: protocol: packets:
> INPUT eth0 icmp 12
Second email:
>Danger level: [3] (out of 5)
> icmp packets: [6]
> Global stats:
> chain: interface: protocol: packets:
> INPUT eth0 icmp 18
just after my second email Psad block the host as per my expectations.
Now my question is why packet-count handling two different-signatures
unevenly?
Thanks, i hope you guys did not my my poor english and i am not a native
speaker and i hope that you could also understand what i tried to explain.
i really appreciate your time and efforts.
Thanks,
MYK
------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
