mrash / psad

psad: Intrusion Detection and Log Analysis with iptables
http://www.cipherdyne.org/psad/
GNU General Public License v2.0

Calculate DL based on number of unique scanned hosts #33

Closed askoriy closed 7 years ago

askoriy commented 8 years ago

Is it possible to add a feature for counting unique scanned hosts and calculating the DL based on that as well? I routed traffic for currently unused IP addresses to the server with psad installed, and I see a lot of scanning of my hosts for open ports or attempts to exploit some vulnerability on a number of hosts. Even in syslog the enumeration is clearly visible. I'd like to find and block such activity, but psad simply skips it with DL=1, because every destination host receives only a few packets.

mrash commented 8 years ago

Thanks for the suggestion - I will take a look at this as soon as I can. I'll send you a -pre release for testing once I have an initial implementation.

mrash commented 7 years ago

psad-2.4.5-pre1 has been released that implements proper port sweep detection according to the following ChangeLog entry:

- Added proper port sweep detection based on a single port being probed
  across a configurable number of destination hosts. The number of
  destinations is controlled by the following new configuration variables
  (and associated defaults) in the psad.conf file:

      DL1_UNIQUE_HOSTS            10;
      DL2_UNIQUE_HOSTS            20;
      DL3_UNIQUE_HOSTS            50;
      DL4_UNIQUE_HOSTS            100;
      DL5_UNIQUE_HOSTS            500;
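
As an added illustration (my own code, not psad's) of the sweep detection described in this ChangeLog entry: group iptables LOG lines by source, protocol and destination port, count distinct destination hosts per group, and map that count to a danger level using the DLx_UNIQUE_HOSTS defaults quoted above. The log lines are constructed samples, and the field regex and grouping are assumptions about how such a counter could work, not psad's own parser.

```python
import re
from collections import defaultdict

# Danger-level thresholds as quoted from the psad-2.4.5-pre1 ChangeLog above,
# checked highest first so the first match is the highest DL reached.
UNIQUE_HOST_THRESHOLDS = [(5, 500), (4, 100), (3, 50), (2, 20), (1, 10)]

# Fields of the iptables LOG target output that a sweep counter needs (assumed layout).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_iptables_line(line):
    """Return (src, dst, proto, dpt) from an iptables LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))

def dl_for_unique_hosts(n):
    """Highest DL whose DLx_UNIQUE_HOSTS threshold is met by n hosts; 0 means no sweep yet."""
    return next((level for level, threshold in UNIQUE_HOST_THRESHOLDS if n >= threshold), 0)

def sweep_danger_levels(lines):
    """Group log lines by (source, protocol, destination port) and count distinct
    destination hosts per group; returns {(src, proto, dpt): (unique_hosts, dl)}."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_iptables_line(line)
        if parsed is None:
            continue  # not an iptables LOG line, or one without a DPT= field
        src, dst, proto, dpt = parsed
        targets[(src, proto, dpt)].add(dst)
    return {key: (len(dsts), dl_for_unique_hosts(len(dsts))) for key, dsts in targets.items()}

def constructed_log_line(src, dst, dpt):
    """Constructed sample in iptables LOG format (documentation IP ranges, not real traffic)."""
    return (f"Jan  1 00:00:01 gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=40 TOS=0x00 "
            f"PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")

# Constructed input: one source probes TCP/22 on 12 hosts (a sweep); another sends a single packet.
SAMPLE_LINES = [constructed_log_line("203.0.113.5", f"198.51.100.{i}", 22) for i in range(1, 13)]
SAMPLE_LINES.append(constructed_log_line("203.0.113.9", "198.51.100.7", 80))

if __name__ == "__main__":
    for (src, proto, dpt), (n, dl) in sorted(sweep_danger_levels(SAMPLE_LINES).items()):
        print(f"{src} -> {proto}/{dpt}: {n} unique destination hosts, DL{dl}")
```

Note that per-destination packet counts never enter the calculation, which is exactly why a sweep that sends one packet per host still reaches DL1 here once it touches the tenth host.
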

mrash commented 7 years ago

This was implemented in dcd29a75d1bf38a0dd24640150eb953d9a68cc21

mrash commented 7 years ago

This has been added in psad-2.4.5 (just released).