
"reached email message limit" - But no mails received before the limit was hit #61

Open
kees-closed opened this issue Jan 9, 2019 · 1 comment

Comments

@kees-closed

With the config below I receive regular emails with the subject "[psad-status] reached email message limit for {{ ip }} on {{ hostname }}" without a message body. I also don't receive intermediate warnings; it seems like it immediately hits the message limit.

Did I configure PSAD wrong? Or did my config trigger a bug? Below is my Ansible template for my psad.conf. Running on Fedora 29 (psad-2.4.6-1.fc29.x86_64).

EMAIL_ADDRESSES                         {{ log_mail }};
HOSTNAME                                {{ ansible_hostname }};
HOME_NET                                any;
EXTERNAL_NET                            any;
FW_SEARCH_ALL                           Y;
FW_MSG_SEARCH                           DROP;
IFCFGTYPE                               iproute2;
DANGER_LEVEL1                           5; ### number of packets.
DANGER_LEVEL2                           15;
DANGER_LEVEL3                           150;
DANGER_LEVEL4                           1500;
DANGER_LEVEL5                           10000;
DL1_UNIQUE_HOSTS                        10;
DL2_UNIQUE_HOSTS                        20;
DL3_UNIQUE_HOSTS                        50;
DL4_UNIQUE_HOSTS                        100;
DL5_UNIQUE_HOSTS                        500;
CHECK_INTERVAL                          5;
SNORT_SID_STR                           SID;
PORT_RANGE_SCAN_THRESHOLD               1;
PORT_RANGE_SWEEP_THRESHOLD              0; ### a single port by default, see the DL1_UNIQUE_HOSTS var
PROTOCOL_SCAN_THRESHOLD                 5;
ENABLE_PERSISTENCE                      Y;
SCAN_TIMEOUT                            3600; ### seconds
PERSISTENCE_CTR_THRESHOLD               5;
MAX_SCAN_IP_PAIRS                       0;
SHOW_ALL_SIGNATURES                     Y;
ALERTING_METHODS                        ALL;
AUTO_DETECT_JOURNALCTL                  Y;
ENABLE_SYSLOG_FILE                      Y;
IPT_WRITE_FWDATA                        Y;
IPT_SYSLOG_FILE                         /var/log/messages;
SYSLOG_DAEMON                           syslogd;
ENABLE_FW_MSG_READ_CMD                  Y;
FW_MSG_READ_CMD                         /bin/journalctl;
FW_MSG_READ_CMD_ARGS                    -f -k;
USE_FW_MSG_READ_CMD_ARGS                Y;
FW_MSG_READ_MIN_PKTS                    30;
ENABLE_SIG_MSG_SYSLOG                   Y;
SIG_MSG_SYSLOG_THRESHOLD                10;
SIG_SID_SYSLOG_THRESHOLD                10;
ENABLE_PSADWATCHD                       N;
EXPECT_TCP_OPTIONS                      Y;
MAX_HOPS                                20;
IGNORE_KERNEL_TIMESTAMP                 Y;
IGNORE_CONNTRACK_BUG_PKTS               Y;
{% if ansible_hostname == "neobits" %}
IGNORE_PORTS                            udp/1900;
{% else %}
IGNORE_PORTS                            NONE;
{% endif %}
IGNORE_PROTOCOLS                        NONE;
IGNORE_INTERFACES                       NONE;
IGNORE_LOG_PREFIXES                     NONE;
MIN_DANGER_LEVEL                        1;
EMAIL_ALERT_DANGER_LEVEL                3;
ENABLE_IPV6_DETECTION                   Y;
ENABLE_INTF_LOCAL_NETS                  Y;
ENABLE_MAC_ADDR_REPORTING               Y;
ENABLE_FW_LOGGING_CHECK                 Y;
EMAIL_LIMIT                             50;
ENABLE_EMAIL_LIMIT_PER_DST              N;
EMAIL_LIMIT_STATUS_MSG                  Y;
EMAIL_THROTTLE                          0;
EMAIL_APPEND_HEADER                     NONE;
ALERT_ALL                               Y;
IMPORT_OLD_SCANS                        N;
SYSLOG_IDENTITY                         psad;
SYSLOG_FACILITY                         LOG_LOCAL7;
SYSLOG_PRIORITY                         LOG_INFO;
TOP_PORTS_LOG_THRESHOLD                 500;
STATUS_PORTS_THRESHOLD                  20;
TOP_SIGS_LOG_THRESHOLD                  500;
STATUS_SIGS_THRESHOLD                   50;
TOP_IP_LOG_THRESHOLD                    500;
STATUS_IP_THRESHOLD                     25;
TOP_SCANS_CTR_THRESHOLD                 1;
ENABLE_OVERRIDE_FW_CMD                  Y;
FW_CMD                                  /usr/sbin/iptables;
FW_CMD_ARGS                             NONE;
ENABLE_DSHIELD_ALERTS                   Y;
DSHIELD_ALERT_EMAIL                     [email protected];
DSHIELD_ALERT_INTERVAL                  6; ### hours
DSHIELD_USER_ID                         0;
DSHIELD_USER_EMAIL                      NONE;
DSHIELD_DL_THRESHOLD                    0;
HTTP_SERVERS                            $HOME_NET;
SMTP_SERVERS                            $HOME_NET;
DNS_SERVERS                             $HOME_NET;
SQL_SERVERS                             $HOME_NET;
TELNET_SERVERS                          $HOME_NET;
AIM_SERVERS                             [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS                              80;
SHELLCODE_PORTS                         !80;
ORACLE_PORTS                            1521;
ENABLE_SNORT_SIG_STRICT                 Y;
ENABLE_AUTO_IDS                         Y;
AUTO_IDS_DANGER_LEVEL                   5;
AUTO_BLOCK_TIMEOUT                      3600;
AUTO_BLOCK_DL1_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT                  0; ### permanent
ENABLE_AUTO_IDS_REGEX                   N;
AUTO_BLOCK_REGEX                        ESTAB; ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS               N;
ENABLE_AUTO_IDS_EMAILS                  Y;
IPTABLES_BLOCK_METHOD                   Y;
IPT_AUTO_CHAIN1                         DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2                         DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3                         DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT                       Y;
IPTABLES_PREREQ_CHECK                   1;
TCPWRAPPERS_BLOCK_METHOD                N;
ENABLE_WHOIS_LOOKUPS                    Y;
WHOIS_TIMEOUT                           60; ### seconds
WHOIS_LOOKUP_THRESHOLD                  20;
ENABLE_WHOIS_FORCE_ASCII                N;
ENABLE_WHOIS_FORCE_SRC_IP               N;
ENABLE_DNS_LOOKUPS                      Y;
DNS_LOOKUP_THRESHOLD                    20;
ENABLE_EXT_SCRIPT_EXEC                  N;
EXTERNAL_SCRIPT                         /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT               N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC            N;
EXTERNAL_BLOCK_SCRIPT                   /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE              N;
CUSTOM_SYSLOG_TS_RE                     ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL                     300; ### seconds
DISK_MAX_PERCENTAGE                     95;
DISK_MAX_RM_RETRIES                     10;
ENABLE_SCAN_ARCHIVE                     N;
TRUNCATE_FWDATA                         Y;
MIN_ARCHIVE_DANGER_LEVEL                1;
MAIL_ALERT_PREFIX                       [psad-alert];
MAIL_STATUS_PREFIX                      [psad-status];
MAIL_ERROR_PREFIX                       [psad-error];
MAIL_FATAL_PREFIX                       [psad-fatal];
SIG_UPDATE_URL                          http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL               5; ### seconds
PSADWATCHD_MAX_RETRIES                  10;
INSTALL_ROOT                            /;
PSAD_DIR                                $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR                            $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR                           $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR                           $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR                           $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR                            $PSAD_DIR/errs;
{% if ansible_os_family == "RedHat" %}
CONF_ARCHIVE_DIR                        $PSAD_DIR/archive;
{% elif ansible_os_family == "Debian" %}
CONF_ARCHIVE_DIR                        $PSAD_CONF_DIR/archive;
{% endif %}
SCAN_DATA_ARCHIVE_DIR                   $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR                       $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR                         $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR                       /etc/fwsnort/snort_rules; ### may not exist
FW_DATA_FILE                            $PSAD_DIR/fwdata;
ULOG_DATA_FILE                          $PSAD_DIR/ulogd.log;
FW_CHECK_FILE                           $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE                      $PSAD_DIR/dshield.email;
SIGS_FILE                               $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE                          $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE                         $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE                        $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE                            $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE                      $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE                               $PSAD_CONF_DIR/posf;
P0F_FILE                                $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE                            $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE                          $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE                     /etc/hosts.deny;
ETC_SYSLOG_CONF                         /etc/syslog.conf;
ETC_RSYSLOG_CONF                        /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF                       /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF                        /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE                      $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE                    $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE                        $PSAD_DIR/install.log;
PSAD_PID_FILE                           $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE                   $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE                       $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE                         $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE                     $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE                     $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE                   $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK                           $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG                            $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH                         $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE                       /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE                     $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE                  $PSAD_DIR/top_ports;
TOP_SIGS_FILE                           $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE                      $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE                    $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE                 $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN                      psad_iptout.XXXXXX;
IPT_ERROR_PATTERN                       psad_ipterr.XXXXXX;
iptablesCmd                             /sbin/iptables;
ip6tablesCmd                            /sbin/ip6tables;
shCmd                                   /bin/sh;
wgetCmd                                 /usr/bin/wget;
gzipCmd                                 /bin/gzip;
mknodCmd                                /bin/mknod;
psCmd                                   /bin/ps;
mailCmd                                 /bin/mail;
sendmailCmd                             /usr/sbin/sendmail;
ifconfigCmd                             /sbin/ifconfig;
ipCmd                                   /sbin/ip;
killallCmd                              /usr/bin/killall;
netstatCmd                              /bin/netstat;
unameCmd                                /bin/uname;
whoisCmd                                /usr/bin/whois;
dfCmd                                   /bin/df;
fwcheck_psadCmd                         $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd                           $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd                               $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd                                 $INSTALL_ROOT/usr/sbin/psad;
@kees-closed (Author)

kees-closed commented Feb 11, 2019

I think the problem is this (it's just an educated guess; I didn't have time to check the source code):

MIN_DANGER_LEVEL                        1;
EMAIL_ALERT_DANGER_LEVEL                3;
EMAIL_LIMIT                             50;

MIN_DANGER_LEVEL must be less than or equal to EMAIL_ALERT_DANGER_LEVEL, but when the value is less, it still triggers mail events, which aren't actually sent since the EMAIL_ALERT_DANGER_LEVEL threshold isn't reached when the danger level is less than 3 (in this case). But the danger events below 3 do increment the EMAIL_LIMIT counter, which is set to 50. So even when no mails are actually sent, it does increment that limit. Once it is hit, I receive the "reached email message limit" mail out of nowhere, since I never got other emails because EMAIL_ALERT_DANGER_LEVEL wasn't triggered. If this is the case, then I see this as a bug.
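The accounting the two posts above describe can be replayed with a small model. This is an added illustration for this page, not psad's Perl source and not something the thread confirms: it parses the relevant keys out of a psad.conf-style fragment (the reporter's values), then feeds a constructed stream of low-level scan alerts through two counting policies, the suspected one (every alert at or above MIN_DANGER_LEVEL is charged against EMAIL_LIMIT, emailed or not) and the expected one (only alerts that actually produced a mail are charged). Two assumptions the page does not state: the limit is tracked per scanning source IP, as the status subject "... for <ip>" suggests, and the status mail is sent once, the first time a source's counter passes EMAIL_LIMIT.

```python
"""Model of the EMAIL_LIMIT accounting suspected in this psad issue.

Added illustration: NOT psad's source code. Assumes (unconfirmed by the page)
that EMAIL_LIMIT is tracked per scanning source IP and that the
"reached email message limit" status mail is sent once, when a source's
counter first exceeds EMAIL_LIMIT.
"""
import re
from dataclasses import dataclass, field

# Constructed psad.conf fragment using the values from the reporter's template.
SAMPLE_CONF = """\
MIN_DANGER_LEVEL                        1;
EMAIL_ALERT_DANGER_LEVEL                3;
EMAIL_LIMIT                             50;
ENABLE_EMAIL_LIMIT_PER_DST              N;
EMAIL_LIMIT_STATUS_MSG                  Y;
"""

# KEY <whitespace> value ; [### trailing comment]
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s+(.*?)\s*;\s*(?:###.*)?$")


def parse_psad_conf(text: str) -> dict:
    """Return {KEY: value} for 'KEY value;' lines; blanks and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


@dataclass
class EmailLimitModel:
    min_dl: int            # MIN_DANGER_LEVEL: below this nothing counts as an alert
    email_dl: int          # EMAIL_ALERT_DANGER_LEVEL: below this no alert mail is sent
    limit: int             # EMAIL_LIMIT, per source IP (assumption)
    status_msg: bool       # EMAIL_LIMIT_STATUS_MSG
    charge_unsent: bool    # True = also charge alerts that were never mailed (suspected bug)
    sent: list = field(default_factory=list)      # subjects of mails "sent"
    counters: dict = field(default_factory=dict)  # src_ip -> mails charged
    capped: set = field(default_factory=set)      # sources that hit the limit

    @classmethod
    def from_conf(cls, conf: dict, charge_unsent: bool) -> "EmailLimitModel":
        return cls(
            min_dl=int(conf["MIN_DANGER_LEVEL"]),
            email_dl=int(conf["EMAIL_ALERT_DANGER_LEVEL"]),
            limit=int(conf["EMAIL_LIMIT"]),
            status_msg=conf.get("EMAIL_LIMIT_STATUS_MSG", "N").upper() == "Y",
            charge_unsent=charge_unsent,
        )

    def alert(self, src_ip: str, danger_level: int) -> str:
        """Process one scan alert for src_ip and report what happened to it."""
        if danger_level < self.min_dl:
            return "ignored"
        if src_ip in self.capped:
            return "capped"
        would_email = danger_level >= self.email_dl
        if would_email or self.charge_unsent:
            n = self.counters.get(src_ip, 0) + 1
            self.counters[src_ip] = n
            if n > self.limit:
                self.capped.add(src_ip)
                if self.status_msg:
                    self.sent.append(f"[psad-status] reached email message limit for {src_ip}")
                return "limit"
        if would_email:
            self.sent.append(f"[psad-alert] DL{danger_level} from {src_ip}")
            return "alert"
        return "suppressed"


def replay(conf_text: str, events: list, charge_unsent: bool) -> EmailLimitModel:
    """Feed (src_ip, danger_level) events through a fresh model and return it."""
    model = EmailLimitModel.from_conf(parse_psad_conf(conf_text), charge_unsent)
    for src_ip, dl in events:
        model.alert(src_ip, dl)
    return model


# Constructed event stream: one noisy host producing 60 DL1/DL2 alerts and
# never reaching DL3, so under the reporter's config no alert mail is ever due.
NOISY_HOST = [("198.51.100.7", 1 + (i % 2)) for i in range(60)]


if __name__ == "__main__":
    for charge_unsent in (True, False):
        m = replay(SAMPLE_CONF, NOISY_HOST, charge_unsent)
        label = "charge every alert" if charge_unsent else "charge only sent mails"
        print(f"{label}: counter={m.counters.get('198.51.100.7', 0)} mails={m.sent}")
```

With the suspected policy the noisy host's counter reaches 51 and the only mail ever produced is the "[psad-status] reached email message limit" message, which is exactly the symptom reported; with the sent-only policy nothing is charged and nothing is sent. Swapping in a stream of DL3 events shows the normal path, 50 alert mails followed by the status mail.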
