• Bug#265610: psad: ip and/or network in auto_dl being ignored

    From Richard A Nelson@1:229/2 to All on Sat Aug 14 01:30:11 2004
    From: [email protected]

    Package: psad
    Version: 1.3.2-3
    Severity: important

    Every once in a while, my laptop starts blocking my lan router - which
    makes it rather difficult to get any work done :)

    Sample erroneous report:
    ------------------------------------------------------------------------------
    ** psad: Suspicious traffic detected against 192.168.1.255


    Danger level: [1] (out of 5)

    Scanned udp ports: [123: 1 packets, Nmap: -sU]
    Iptables chain: INPUT (prefix "Drop"), 1 packets

    Source: 192.168.1.2
    DNS: ultima-thule.cavein.org

    Destination: 192.168.1.255
    DNS: [No reverse dns info available]

    Syslog hostname: bandit-hall

    Current interval: Fri Aug 13 14:09:11 2004 (start)
    Fri Aug 13 14:09:16 2004 (end)

    Overall scan start: Fri Aug 13 14:05:58 2004
    Total email alerts: 2
    Complete udp range: [123-513]

    chain:  interface:  tcp:  udp:  icmp:
    INPUT   eth0        0     6     0
    ------------------------------------------------------------------------------

    Portion of /etc/psad/psad.conf:
    HOME_NET 192.168.0.0/24, 192.168.1.0/24, 10.0.1.0/24;

    The laptop is sometimes on 192.168.0.<x>, sometimes on 192.168.1.<x>,
    and sometimes (at work, hotel, etc) on neither... 10.0.1.x is a VPN to
    the home router.

    Portion of /etc/psad/auto_dl:
    127.0.0.0/8 0;
    10.0.0.0/8 0;
    192.168.0.0/24 0;
    192.168.1.0/24 0;

    # ip addr show eth0
    3: eth0: <BROADCAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:09:6b:30:46:0e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
    inet 9.65.233.73/32 scope global eth0
    inet6 fe80::209:6bff:fe30:460e/64 scope link
    valid_lft forever preferred_lft forever
    # ip route [minimized]
    127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
    10.0.1.0/24 dev tap0 proto kernel scope link src 10.0.1.10
    192.168.0.0/24 via 10.0.1.2 dev tap0 metric 2
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10

    syslog from latest start of psad:
    Aug 13 14:13:13 bandit-hall psad: .. starting psad
    Aug 13 14:13:13 bandit-hall psad: .. imported psad-1.3 signatures
    Aug 13 14:13:13 bandit-hall psad: .. imported valid icmp types and codes
    Aug 13 14:13:13 bandit-hall psad: .. imported passive OS fingerprinting signatures
    Aug 13 14:13:13 bandit-hall psad: .. imported psad_auto_dl, got 10 IPs
    and 6 networks
    Aug 13 14:13:13 bandit-hall psad: .. imported snort-2.1 signatures
    Aug 13 14:13:13 bandit-hall psad: .. config warning; HOME_NET definition
    in psad.conf contains 192.168.0.0/24 which does not appear to be
    directly connected to the local system.

    -- System Information:
    Debian Release: 3.1
    APT prefers unstable
    APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
    Architecture: i386 (i686)
    Kernel: Linux 2.6.8-rc3-mm1
    Locale: LANG=en_US, LC_CTYPE=en_US

    Versions of packages psad depends on:
    ii ipchains 1.3.10-15 Network firewalling for Linux 2.2.
    ii iptables 1.2.11-2 Linux kernel 2.4+ iptables adminis
    ii libbit-vector-perl 6.3-3 Perl and C library for bit vectors
    ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
    ii libdate-calc-perl 5.3-5 Perl library for accessing dates
    ii libnetwork-ipv4addr-perl 0.10-1.1 The Net::IPv4Addr perl module API
    ii libunix-syslog-perl 0.100-2 Perl interface to the UNIX syslog(
    ii perl 5.8.4-2 Larry Wall's Practical Extraction
    ii sysklogd [syslogd] 1.4.1-15 System Logging Daemon
    ii whois 4.6.20u The GNU whois client

    -- debconf-show failed


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Daniel Gubser@1:229/2 to All on Mon Aug 16 15:10:13 2004
    From: [email protected]

    Hello Richard

    On Sat, 14.08.2004 at 00:23, Richard A Nelson wrote:
    Package: psad
    Version: 1.3.2-3
    Severity: important

    Every once in a while, my laptop starts blocking my lan router - which
    makes it rather difficult to get any work done :)

    Could you also give me your firewall-rules? Something must be in to DROP
    this packet.

    Daniel

  • From Richard A Nelson@1:229/2 to Daniel Gubser on Mon Aug 16 20:00:15 2004
    From: [email protected]

    On Mon, 16 Aug 2004, Daniel Gubser wrote:

    Hello Richard

    greetings

    Every once in a while, my laptop starts blocking my lan router - which makes it rather difficult to get any work done :)

    Could you also give me your firewall-rules? Something must be in to DROP
    this packet.

    this is weird !

    Yes, indeed, since the laptop runs on both my lan, and at work - it
    drops a lot of crap.

    In particular, it drops the ntp broadcasts that my gateway does - as
    well as the home samba network. You can see that in the report that
    was in my report... iirc ports 123-138.

    The odd thing is that I booted the laptop at home yesterday on 2.6.8.1
    and it's been running 17+ hours *without* blackholing the gateway - it
    seems to be very intermittent.

    One thing that might make a difference - and cause the problem is that
    I often run a VPN into work from the laptop... This will give eth0
    *two* ipv4 addresses - which may (or may not) confuse psad when it
    is doing its checks into auto_dl.

    --
    Rick Nelson
    We are Pentium of Borg. Division is futile. You will be approximated.
    (seen in someone's .signature)

  • From Richard A Nelson@1:229/2 to Daniel Gubser on Thu Aug 19 00:00:12 2004
    From: [email protected]

    On Mon, 16 Aug 2004, Daniel Gubser wrote:

    Every once in a while, my laptop starts blocking my lan router - which makes it rather difficult to get any work done :)

    Could you also give me your firewall-rules? Something must be in to DROP
    this packet.

    Aha !!!

    This happens when an changes *after* psad is started - like a DHCP
    lease, or recently when my WAN interface didn't come up before psad.

    So, there's at least two ways to handle this:
    1) Leave it up to the user to handle - but at least mention it
    2) Provide
    A) either an /etc/default/psad, or /etc/psad/ifs (for example)
    that will list the Interfaces belonging to the HOME_NET
    networks... with no value meaning 'No interfaces'
    B) an /etc/network/if-up/psad that sources the file in A) above
    and if the interface is in the list, do
    /etc/init.d/psad reload.

    Sorry for the troubles on this one... I should've caught this before,
    been too much on my mind to think clearly :(
    --
    Rick Nelson
    DOS: n., A small annoying boot virus that causes random spontaneous system
    crashes, usually just before saving a massive project. Easily cured by
    UNIX. See also MS-DOS, IBM-DOS, DR-DOS.
    (from David Vicker's .plan)
