Like the /etc/psad/auto_dl file, the snort_rule_dl file instructs psad to automatically set the danger level of any IP address that triggers a Snort rule match. Each line of this file has the following syntax:

<sid> <danger level>;

If the danger level is zero, psad ignores the signature match altogether and no alerts are sent. Some signature matches are worse than others, though: if psad detects traffic that matches Snort rule ID 1812 (EXPLOIT gobbles SSH exploit attempt), this is potentially far more damaging than a match for Snort rule ID 469 (ICMP PING NMAP). Of course, the best strategy for limiting the effects of the Gobbles SSH exploit is not to run a vulnerable SSH daemon in the first place, but it is still important to detect attempts to use this exploit. You can elevate the danger level of an IP address that matched Snort rule 1812 to 5, like so:

1812 5;
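As an added example (not code from the book or from psad itself), here is a small parser for this file format that rejects malformed lines and levels outside 0-5, then applies the zero-means-ignore rule to a constructed set of signature matches. The sample file contents and the source addresses are constructed, and the rule that the highest level wins when one address hits several listed signatures is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a snort_rule_dl file (not the page's or psad's own):
SAMPLE_SNORT_RULE_DL = """\
# sid  danger_level;
1812 5;     # EXPLOIT gobbles SSH exploit attempt: worst case
469  0;     # ICMP PING NMAP: ignore the match, send no alert
1000001 3;  # hypothetical local rule id
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s*;$")


def parse_snort_rule_dl(text: str) -> Dict[int, int]:
    """Parse 'sid danger_level;' lines into {sid: level}.

    Blank lines and '#' comments are skipped; anything else that does not
    match the format, or a level outside psad's 0-5 range, raises ValueError
    so a typo in the file is caught before psad runs with it."""
    levels: Dict[int, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'sid danger_level;', got {raw!r}")
        sid, level = int(m.group(1)), int(m.group(2))
        if not 0 <= level <= 5:
            raise ValueError(f"line {lineno}: danger level {level} not in 0-5")
        levels[sid] = level
    return levels


def danger_for_matches(levels: Dict[int, int],
                       matches: List[Tuple[str, int]]) -> Dict[str, int]:
    """Apply the file to (src_ip, sid) matches.

    A sid mapped to 0 is dropped (no alert); a sid absent from the file is
    left to psad's normal scoring and skipped here. Assumption: when one IP
    hits several listed sids, the highest level wins."""
    result: Dict[str, int] = {}
    for src_ip, sid in matches:
        level = levels.get(sid)
        if not level:          # None (unlisted) or 0 (ignored)
            continue
        result[src_ip] = max(result.get(src_ip, 0), level)
    return result
```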
