- Suggested configurable auto-blocking timeout values depending on the
danger level that a scan or attack achieves. This resulted in the
implementation of the AUTO_BLOCK_DL*_TIMEOUT variables.
+
+Naji Mouawad
+ - Suggested the ability to throttle email alerts that psad sends. The
+ This resulted in the implementation of the EMAIL_THROTTLE variable.
-psad-2.2.1 (12//2012):
+psad-2.2.1 (01//2013):
- Added IP protocol scan detection (nmap -sO). A new psad.conf variable
PROTOCOL_SCAN_THRESHOLD defines the minimum number of different IP
protocols (default = 5) that must be scanned before an alert is
to look for the fwsnort rule set. This fixes a problem reported by Pui
Edylie to the psad mailing list where fwsnort logged an attack that psad
could not map back to a descriptive 'msg' field.
+ - Added the ability to set per-danger level timeouts when psad is
+ configured to run in auto-blocking mode. These timeouts are implemented
+ with new AUTO_BLOCK_DL*_TIMEOUT variables - one for each of the five
+ possible danger levels that may be assigned to a scanning IP address.
+ - Added the ability to throttle emails generated by psad via a new
+ EMAIL_THROTTLE variable which is implemented as a per-IP threshold. That
+ is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
+ many emails for each scanning IP as it would have normally.
psad-2.2 (02/20/2012):
- Added support for detection of malicious traffic that is delivered via
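Review bot: the release header is changed to "psad-2.2.1 (01//2013):" but the day field between the slashes is still empty, exactly as in the old "12//2012" line; every other entry in this file carries a full date (compare "psad-2.2 (02/20/2012):"), so the day should be filled in before tagging. Separately, the new ChangeLog text promises that EMAIL_THROTTLE "10" sends only 1/10th as many emails per scanning IP; the scan_logr() change in this same commit should be checked against that wording, since the two must agree before release.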
unless ($no_email_alerts) {
$scan_email_ctrs{$src}{'email_ctr'}++;
}
+ if ($config{'EMAIL_THROTTLE'} > 1) {
+ next SRC if (($scan_email_ctrs{$src}{'email_ctr'}
+ % $config{'EMAIL_THROTTLE'}) == 0);
+ }
}
DST: for my $dst (keys %{$curr_scan_hr->{$src}}) {
unless ($no_email_alerts) {
$scan_email_ctrs{$src}{$dst}{'email_ctr'}++;
}
+ if ($config{'EMAIL_THROTTLE'} > 1) {
+ next DST if (($scan_email_ctrs{$src}{$dst}{'email_ctr'}
+ % $config{'EMAIL_THROTTLE'}) == 0);
+ }
}
print STDERR "[+] scan_logr(): dst IP: $dst\n" if $debug;
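Review bot: the throttle condition is inverted relative to the documented behaviour. `next SRC if (($scan_email_ctrs{$src}{'email_ctr'} % $config{'EMAIL_THROTTLE'}) == 0);` skips only every Nth email and lets the other N-1 through, so EMAIL_THROTTLE=10 sends 9/10 of the emails, whereas the ChangeLog and the psad.conf comment say it sends 1/10th. The intended behaviour is `next SRC unless (($scan_email_ctrs{$src}{'email_ctr'} % $config{'EMAIL_THROTTLE'}) == 0);`, and the same fix applies to the DST block below it. Two further points on the same lines: the counter is only incremented `unless ($no_email_alerts)`, so when email alerts are disabled the counter stays at zero and `0 % N == 0` is true, which with the `if` form makes the `next SRC` fire for every source; and `next SRC` / `next DST` abandon the rest of the per-source and per-destination processing (the whole DST loop and the debug print are inside SRC), not just the email. If the throttle is meant to suppress only the email, set a per-source flag here and test it where the email is actually sent rather than short-circuiting the loop.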
ICMP6_TYPES_FILE PROTOCOL_SCAN_THRESHOLD PROTOCOLS_FILE
AUTO_BLOCK_DL1_TIMEOUT AUTO_BLOCK_DL2_TIMEOUT
AUTO_BLOCK_DL3_TIMEOUT AUTO_BLOCK_DL4_TIMEOUT
- AUTO_BLOCK_DL5_TIMEOUT
+ AUTO_BLOCK_DL5_TIMEOUT EMAIL_THROTTLE
));
&defined_vars(\@required_vars);
return;
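Review bot: adding EMAIL_THROTTLE to @required_vars means `&defined_vars(\@required_vars)` will now refuse to start psad with any psad.conf that predates this commit, since the variable is only present in configs updated here. That is acceptable if it is called out in the upgrade notes and the installer merges the new key into existing configs; otherwise consider defaulting a missing EMAIL_THROTTLE to 0 instead of making it required, which matches the "default of zero means no throttling" semantics described in the config comment.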
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
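Review bot: the new comment block should match what the code does. "and implemented as a per-IP threshold" is missing its verb ("and is implemented as"), and since the scan_logr() check is guarded by `$config{'EMAIL_THROTTLE'} > 1`, a value of 1 disables throttling just as 0 does, so the comment should say "a value of 0 or 1 means no throttling". "All other variables also apply, so this throttle value is taken into account after everything else" is vague; name the variables it interacts with (at least EMAIL_LIMIT and ALERT_ALL, which sit beside it in this file) so an operator can predict the combined effect.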
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
+### This variable is used to have psad throttle the email alerts it sends,
+### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
+### is set to "10", then psad will only send 1/10th as many emails for each
+### scanning IP as it would have normally. All other variables also apply,
+### so this throttle value is taken into account after everything else. The
+### default of zero means to not apply any throttling.
+EMAIL_THROTTLE 0;
+
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;