Added EMAIL_THROTTLE for email throttling

Added the ability to throttle emails generated by psad via a new
EMAIL_THROTTLE variable which is implemented as a per-IP threshold.  That
is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
many emails for each scanning IP as it would have normally.  This feature
was suggested by Naji Mouawad.
commit 996ef41711b48643029c31c7d5c7e7cd9a9d035b 1 parent b39dc01
Michael Rash authored
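The throttle semantics described in the commit message (send 1/Nth as many emails per scanning IP) can be checked with a short Perl script that keeps the same kind of per-IP counter scan_logr() uses and runs one constructed alert stream through several candidate modulo conditions. This is an added example, not code from psad or from this commit; the event stream, the `run_throttle` helper, the policy names and the IP addresses are made up for illustration.

```perl
#!/usr/bin/perl
# Added example (not psad code): simulate the per-IP email counter that
# scan_logr() keeps and compare candidate throttle conditions over one
# constructed stream of alerts.
use strict;
use warnings;

# Constructed alert stream: each element is the source IP of one alert that
# would normally produce an email. 10.0.0.1 is a persistent scanner (25
# alerts); 10.0.0.2 stops after 4, i.e. before it reaches the throttle value.
my @events = ((('10.0.0.1') x 25), (('10.0.0.2') x 4));

# Each policy decides, from the per-IP counter and EMAIL_THROTTLE, whether
# the email for the current alert is sent.
my @policies = (
    # What the commit does: 'next SRC if ((ctr % N) == 0)', i.e. drop the
    # email only when the counter is a multiple of N and send all the others.
    [ committed      => sub { my ($ctr, $n) = @_; ($ctr % $n) != 0 } ],
    # What the config comment promises: one email in N, sent on multiples of N.
    [ every_nth      => sub { my ($ctr, $n) = @_; ($ctr % $n) == 0 } ],
    # Variant that also delivers the first alert from a new scanner, then
    # one in N after that.
    [ first_then_nth => sub { my ($ctr, $n) = @_; ($ctr % $n) == 1 } ],
);

# Run the stream through one policy; returns a hashref of emails sent per IP.
# The counter is incremented for every alert, as %scan_email_ctrs is in psad,
# and the throttle is only consulted when EMAIL_THROTTLE > 1.
sub run_throttle {
    my ($throttle, $send, @src_list) = @_;
    my (%ctr, %sent);
    for my $src (@src_list) {
        $ctr{$src}++;
        $sent{$src} //= 0;
        next if $throttle > 1 && !$send->($ctr{$src}, $throttle);
        $sent{$src}++;
    }
    return \%sent;
}

my $throttle = 10;
my %alerts;
$alerts{$_}++ for @events;

for my $policy (@policies) {
    my ($name, $send) = @$policy;
    my $sent = run_throttle($throttle, $send, @events);
    for my $src (sort keys %alerts) {
        printf "%-15s %-10s alerts=%2d emails=%2d\n",
            $name, $src, $alerts{$src}, $sent->{$src};
    }
}
```

Run it with `perl throttle_demo.pl`. With the throttle at 10, the `committed` policy delivers 23 of 25 emails for 10.0.0.1 and all 4 for 10.0.0.2, so it is the opposite of a 1/N reduction; `every_nth` delivers 2 and 0; `first_then_nth` delivers 3 and 1. The zero for 10.0.0.2 under `every_nth` is the caveat to keep in mind when fixing the condition: a source that never reaches EMAIL_THROTTLE alerts produces no email at all, which is why sending on counter values of 1 modulo N is the friendlier form.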
4 CREDITS
@@ -490,3 +490,7 @@ Oscar Marley
490 490 - Suggested configurable auto-blocking timeout values depending on the
491 491 danger level that a scan or attack achieves. This resulted in the
492 492 implementation of the AUTO_BLOCK_DL*_TIMEOUT variables.
  493 +
  494 +Naji Mouawad
  495 + - Suggested the ability to throttle email alerts that psad sends. The
  496 + This resulted in the implementation of the EMAIL_THROTTLE variable.
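Review bot: the added line 495 ends with a dangling "The" ("...email alerts that psad sends. The") and line 496 then starts a new sentence ("This resulted in..."), so the credit reads as a broken sentence; drop the trailing "The" or complete it ("The suggestion resulted in...").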
10 ChangeLog
... ... @@ -1,4 +1,4 @@
1   -psad-2.2.1 (12//2012):
  1 +psad-2.2.1 (01//2013):
2 2 - Added IP protocol scan detection (nmap -sO). A new psad.conf variable
3 3 PROTOCOL_SCAN_THRESHOLD defines the minimum number of different IP
4 4 protocols (default = 5) that must be scanned before an alert is
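Review bot: the release date on line 1 is changed from "12//2012" to "01//2013" but still has an empty day field between the slashes; the previous entry uses the full form ("psad-2.2 (02/20/2012)"), so either fill in the day when the release is cut or keep a clearly marked placeholder rather than a malformed date.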
@@ -42,6 +42,14 @@ psad-2.2.1 (12//2012):
42 42 to look for the fwsnort rule set. This fixes a problem reported by Pui
43 43 Edylie to the psad mailing list where fwsnort logged an attack that psad
44 44 could not map back to a descriptive 'msg' field.
  45 + - Added the ability to set per-danger level timeouts when psad is
  46 + configured to run in auto-blocking mode. These timeouts are implemented
  47 + with new AUTO_BLOCK_DL*_TIMEOUT variables - one for each of the five
  48 + possible danger levels that may be assigned to a scanning IP address.
  49 + - Added the ability to throttle emails generated by psad via a new
  50 + EMAIL_THROTTLE variable which is implemented as a per-IP threshold. That
  51 + is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
  52 + many emails for each scanning IP as it would have normally.
45 53
46 54 psad-2.2 (02/20/2012):
47 55 - Added support for detection of malicious traffic that is delivered via
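Review bot: the EMAIL_THROTTLE entry on lines 49-52 says psad will send 1/10th as many emails with a value of "10", but the scan_logr() change in this same commit skips an email only when the per-IP counter is a multiple of EMAIL_THROTTLE (`next SRC if ((... % $config{'EMAIL_THROTTLE'}) == 0)`) and sends the other nine; the ChangeLog wording matches the intent, so the code is what needs to change. The entry also omits that the same throttle is applied a second time per destination inside the per-source loop, which compounds the reduction for per-destination alerts and should be mentioned if it is intentional.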
10 psad
@@ -5197,6 +5197,10 @@ sub scan_logr() {
5197 5197 unless ($no_email_alerts) {
5198 5198 $scan_email_ctrs{$src}{'email_ctr'}++;
5199 5199 }
  5200 + if ($config{'EMAIL_THROTTLE'} > 1) {
  5201 + next SRC if (($scan_email_ctrs{$src}{'email_ctr'}
  5202 + % $config{'EMAIL_THROTTLE'}) == 0);
  5203 + }
5200 5204 }
5201 5205
5202 5206 DST: for my $dst (keys %{$curr_scan_hr->{$src}}) {
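Review bot: the condition on lines 5201-5202 is inverted relative to the documented behaviour: `next SRC if (($ctr % N) == 0)` drops only every Nth email and sends the remaining N-1, whereas psad.conf promises 1/Nth as many. Skipping when the remainder is not 0 gives one in N; skipping when it is not 1 additionally lets the first alert from a new scanner through before throttling the rest, which avoids a low-volume scanner never generating any email. Two further problems in the same block: the check sits outside the `unless ($no_email_alerts)` guard, and since the only increment visible here is inside that guard, with email alerts disabled the counter stays at 0, `0 % N == 0` is true, and `next SRC` skips every source; and `next SRC` bypasses everything after it in the loop body, including the DST loop that follows, not just the email. Moving the check inside the `unless` block and having it skip only the email call would address both.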
@@ -5251,6 +5255,10 @@ sub scan_logr() {
5251 5255 unless ($no_email_alerts) {
5252 5256 $scan_email_ctrs{$src}{$dst}{'email_ctr'}++;
5253 5257 }
  5258 + if ($config{'EMAIL_THROTTLE'} > 1) {
  5259 + next DST if (($scan_email_ctrs{$src}{$dst}{'email_ctr'}
  5260 + % $config{'EMAIL_THROTTLE'}) == 0);
  5261 + }
5254 5262 }
5255 5263 print STDERR "[+] scan_logr(): dst IP: $dst\n" if $debug;
5256 5264
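Review bot: the same inverted test as in the per-source check: `next DST if (($ctr % N) == 0)` on lines 5259-5260 drops one email in N instead of keeping one in N, so the comparison should be `!= 0` (or `!= 1` to let the first alert through). Note also that this per-destination counter only advances for iterations that already passed the per-source throttle, so once both conditions are corrected a per-destination alert is reduced twice (about 1/N² of normal) while the config comment describes a single per-IP threshold; either drop this second check or document the compound effect. As above, the check is outside the `unless ($no_email_alerts)` guard that increments the counter, so with email alerts disabled every destination is skipped.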
@@ -10970,7 +10978,7 @@ sub required_vars() {
10970 10978 ICMP6_TYPES_FILE PROTOCOL_SCAN_THRESHOLD PROTOCOLS_FILE
10971 10979 AUTO_BLOCK_DL1_TIMEOUT AUTO_BLOCK_DL2_TIMEOUT
10972 10980 AUTO_BLOCK_DL3_TIMEOUT AUTO_BLOCK_DL4_TIMEOUT
10973   - AUTO_BLOCK_DL5_TIMEOUT
  10981 + AUTO_BLOCK_DL5_TIMEOUT EMAIL_THROTTLE
10974 10982 ));
10975 10983 &defined_vars(\@required_vars);
10976 10984 return;
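Review bot: adding EMAIL_THROTTLE to the required_vars() list on line 10981 means defined_vars() will reject any existing psad.conf that predates this commit unless the new variable is present (assuming that check is fatal, as the function name suggests); either note the required new line in the ChangeLog or fall back to the documented default of 0 when it is absent. The value is later used only in numeric context (`> 1` and `%`) with no validation, so a non-numeric setting evaluates to 0 there and quietly disables throttling; a numeric check at config-load time would be cheap.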
8 psad.conf
@@ -242,6 +242,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
242 242 ### EMAIL_LIMIT threshold.
243 243 EMAIL_LIMIT_STATUS_MSG Y;
244 244
  245 +### This variable is used to have psad throttle the email alerts it sends,
  246 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  247 +### is set to "10", then psad will only send 1/10th as many emails for each
  248 +### scanning IP as it would have normally. All other variables also apply,
  249 +### so this throttle value is taken into account after everything else. The
  250 +### default of zero means to not apply any throttling.
  251 +EMAIL_THROTTLE 0;
  252 +
245 253 ### If "Y", send email for all newly logged packets from the same
246 254 ### source ip instead of just when a danger level increases.
247 255 ALERT_ALL Y;
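Review bot: the comment on lines 245-246 drops a verb: "and implemented as a per-IP threshold" should read "and is implemented as a per-IP threshold". The comment should also state the accepted range, since the code only applies the throttle when the value is greater than 1 (so "1" behaves like the default "0") and uses it in a modulo, so an integer is expected. Finally, "per-IP" understates what the code does: the same throttle is applied again per destination inside the per-source loop, which belongs in this comment if it is intentional.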
8 test/conf/auto_blocking.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;
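Review bot: this block is a verbatim copy of the new psad.conf comment, so the same wording fix applies ("and implemented" should be "and is implemented"), as it does to the identical blocks added to the other seven test/conf/*.conf files in this commit. Keeping the test configs in sync with psad.conf is right, but every config touched here sets EMAIL_THROTTLE 0, so the new code path in scan_logr() is never exercised by these configs; one test config with a non-zero value (for example 10) would have caught the inverted modulo condition.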
8 test/conf/default_psad.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;
8 test/conf/disable_ipv6_detection.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;
8 test/conf/enable_ack_detection.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;
8 test/conf/ignore_tcp.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;
8 test/conf/ignore_udp.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;
8 test/conf/require_DROP_syslog_prefix_str.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;
8 test/conf/require_missing_syslog_prefix_str.conf
@@ -240,6 +240,14 @@ ENABLE_EMAIL_LIMIT_PER_DST N;
240 240 ### EMAIL_LIMIT threshold.
241 241 EMAIL_LIMIT_STATUS_MSG Y;
242 242
  243 +### This variable is used to have psad throttle the email alerts it sends,
  244 +### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
  245 +### is set to "10", then psad will only send 1/10th as many emails for each
  246 +### scanning IP as it would have normally. All other variables also apply,
  247 +### so this throttle value is taken into account after everything else. The
  248 +### default of zero means to not apply any throttling.
  249 +EMAIL_THROTTLE 0;
  250 +
243 251 ### If "Y", send email for all newly logged packets from the same
244 252 ### source ip instead of just when a danger level increases.
245 253 ALERT_ALL Y;

0 comments on commit 996ef41