Restricting psad Responses to Attacks Detected by fwsnort

Based on information included in "Tying fwsnort Detection to psad Operations" on page 194, we already know that psad can send alerts for log messages generated by fwsnort. It follows that psad can set up iptables blocking rules in response to fwsnort log messages simply by setting ENABLE_AUTO_IDS to Y in the /etc/psad/psad.conf file.

If an attack detected by fwsnort raises the danger level assigned to the attacker by psad higher than the value set by the AUTO_IDS_DANGER_LEVEL variable, then psad will instantiate carte blanche DROP rules against the attacker's IP address. However, psad danger levels are not only assigned because fwsnort logs an attack; dedicated port scans and probes for backdoors are also assigned a danger level.

As discussed in Chapter 8, enabling psad responses for scans and probes (which are easily spoofed) is risky business. Ideally, we would like psad to respond exclusively to those attacks that must involve application layer data over an established TCP connection, and not take any action against other types of attacks.

The AUTO_BLOCK_REGEX variable contains a regular expression that forces psad to perform blocking operations against IP addresses only when the corresponding iptables log messages match the expression. By default, the value assigned to the AUTO_BLOCK_REGEX variable is the string ESTAB, which matches fwsnort log messages triggered within one of the custom chains designed to match only packets that are part of established TCP connections. To enable this functionality, the ENABLE_AUTO_BLOCK_REGEX variable must also be set to Y in the psad configuration file.

NOTE If you intend to allow psad to firewall-off attackers, you should run fwsnort and enable the AUTO_BLOCK_REGEX feature. Responding to port scans or other trivially spoofable traffic is too easily abused.
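To make the gating described above concrete, here is a small emulation of psad's auto-block decision, written for this page and not taken from psad's own source. It runs constructed iptables log lines through the three checks the text names (ENABLE_AUTO_IDS, the AUTO_IDS_DANGER_LEVEL threshold, and the AUTO_BLOCK_REGEX match when ENABLE_AUTO_BLOCK_REGEX is Y); the log field layout, the "SID... ESTAB" prefix shape and the threshold value 3 are assumptions.

```python
import re

# Constructed psad.conf excerpt using the variables named in the text.
# AUTO_IDS_DANGER_LEVEL = 3 is an assumed threshold, not a value from the page.
PSAD_CONF = {
    "ENABLE_AUTO_IDS": "Y",
    "AUTO_IDS_DANGER_LEVEL": 3,
    "ENABLE_AUTO_BLOCK_REGEX": "Y",
    "AUTO_BLOCK_REGEX": "ESTAB",
}

# Constructed iptables log lines (field layout assumed). The first imitates an
# fwsnort rule firing inside an established-connection chain; the "ESTAB" token
# in its log prefix is what AUTO_BLOCK_REGEX keys on. The second imitates a
# bare SYN probe logged by a default LOG rule, which carries no such token.
SAMPLE_LOGS = [
    "kernel: [1] SID1000 ESTAB IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "PROTO=TCP SPT=4412 DPT=80 ACK PSH",
    "kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 "
    "PROTO=TCP SPT=60000 DPT=23 SYN",
]

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

def source_ip(line):
    """Return the SRC= address from an iptables log line, or None."""
    m = SRC_RE.search(line)
    return m.group(1) if m else None

def should_auto_block(line, danger_level, conf):
    """Emulate psad's gating: return the IP to block, or None.
    danger_level is the level psad has assigned to the source so far."""
    if conf["ENABLE_AUTO_IDS"] != "Y":
        return None
    if danger_level <= conf["AUTO_IDS_DANGER_LEVEL"]:
        return None  # danger level has not climbed above the threshold
    if conf["ENABLE_AUTO_BLOCK_REGEX"] == "Y":
        if not re.search(conf["AUTO_BLOCK_REGEX"], line):
            return None  # spoofable traffic (no ESTAB token): never block on it
    return source_ip(line)

def block_rule(ip):
    """Shape of the carte blanche DROP rule psad would add (illustrative)."""
    return f"iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ip = should_auto_block(line, danger_level=5, conf=PSAD_CONF)
        print(block_rule(ip) if ip else f"no block: {line[:40]}...")
```

With the regex enabled only the fwsnort line yields a DROP rule; flipping ENABLE_AUTO_BLOCK_REGEX to N makes the bare SYN probe block too, which is exactly the exposure the note above warns against.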
