mrash/psad

"reached email message limit" - But no mails received before the limit was hit

kees-closed opened this issue · 1 comments

With the config below I receive regular emails with the subject "[psad-status] reached email message limit for {{ ip }} on {{ hostname }}" without a message body. I also don't receive intermediate warnings, it seems like it immediately hits the message limit.

Did I configure PSAD wrong? Or did my config trigger a bug? Below is my Ansible template of my psad.conf. Running on Fedora 29 (psad-2.4.6-1.fc29.x86_64).

EMAIL_ADDRESSES                         {{ log_mail }};
HOSTNAME                                {{ ansible_hostname }};
HOME_NET                                any;
EXTERNAL_NET                            any;
FW_SEARCH_ALL                           Y;
FW_MSG_SEARCH                           DROP;
IFCFGTYPE                               iproute2;
DANGER_LEVEL1                           5; ### number of packets.
DANGER_LEVEL2                           15;
DANGER_LEVEL3                           150;
DANGER_LEVEL4                           1500;
DANGER_LEVEL5                           10000;
DL1_UNIQUE_HOSTS                        10;
DL2_UNIQUE_HOSTS                        20;
DL3_UNIQUE_HOSTS                        50;
DL4_UNIQUE_HOSTS                        100;
DL5_UNIQUE_HOSTS                        500;
CHECK_INTERVAL                          5;
SNORT_SID_STR                           SID;
PORT_RANGE_SCAN_THRESHOLD               1;
PORT_RANGE_SWEEP_THRESHOLD              0; ### a single port by default, see the DL1_UNIQUE_HOSTS var
PROTOCOL_SCAN_THRESHOLD                 5;
ENABLE_PERSISTENCE                      Y;
SCAN_TIMEOUT                            3600; ### seconds
PERSISTENCE_CTR_THRESHOLD               5;
MAX_SCAN_IP_PAIRS                       0;
SHOW_ALL_SIGNATURES                     Y;
ALERTING_METHODS                        ALL;
AUTO_DETECT_JOURNALCTL                  Y;
ENABLE_SYSLOG_FILE                      Y;
IPT_WRITE_FWDATA                        Y;
IPT_SYSLOG_FILE                         /var/log/messages;
SYSLOG_DAEMON                           syslogd;
ENABLE_FW_MSG_READ_CMD                  Y;
FW_MSG_READ_CMD                         /bin/journalctl;
FW_MSG_READ_CMD_ARGS                    -f -k;
USE_FW_MSG_READ_CMD_ARGS                Y;
FW_MSG_READ_MIN_PKTS                    30;
ENABLE_SIG_MSG_SYSLOG                   Y;
SIG_MSG_SYSLOG_THRESHOLD                10;
SIG_SID_SYSLOG_THRESHOLD                10;
ENABLE_PSADWATCHD                       N;
EXPECT_TCP_OPTIONS                      Y;
MAX_HOPS                                20;
IGNORE_KERNEL_TIMESTAMP                 Y;
IGNORE_CONNTRACK_BUG_PKTS               Y;
{% if ansible_hostname == "neobits" %}
IGNORE_PORTS                            udp/1900;
{% else %}
IGNORE_PORTS                            NONE;
{% endif %}
IGNORE_PROTOCOLS                        NONE;
IGNORE_INTERFACES                       NONE;
IGNORE_LOG_PREFIXES                     NONE;
MIN_DANGER_LEVEL                        1;
EMAIL_ALERT_DANGER_LEVEL                3;
ENABLE_IPV6_DETECTION                   Y;
ENABLE_INTF_LOCAL_NETS                  Y;
ENABLE_MAC_ADDR_REPORTING               Y;
ENABLE_FW_LOGGING_CHECK                 Y;
EMAIL_LIMIT                             50;
ENABLE_EMAIL_LIMIT_PER_DST              N;
EMAIL_LIMIT_STATUS_MSG                  Y;
EMAIL_THROTTLE                          0;
EMAIL_APPEND_HEADER                     NONE;
ALERT_ALL                               Y;
IMPORT_OLD_SCANS                        N;
SYSLOG_IDENTITY                         psad;
SYSLOG_FACILITY                         LOG_LOCAL7;
SYSLOG_PRIORITY                         LOG_INFO;
TOP_PORTS_LOG_THRESHOLD                 500;
STATUS_PORTS_THRESHOLD                  20;
TOP_SIGS_LOG_THRESHOLD                  500;
STATUS_SIGS_THRESHOLD                   50;
TOP_IP_LOG_THRESHOLD                    500;
STATUS_IP_THRESHOLD                     25;
TOP_SCANS_CTR_THRESHOLD                 1;
ENABLE_OVERRIDE_FW_CMD                  Y;
FW_CMD                                  /usr/sbin/iptables;
FW_CMD_ARGS                             NONE;
ENABLE_DSHIELD_ALERTS                   Y;
DSHIELD_ALERT_EMAIL                     reports@dshield.org;
DSHIELD_ALERT_INTERVAL                  6; ### hours
DSHIELD_USER_ID                         0;
DSHIELD_USER_EMAIL                      NONE;
DSHIELD_DL_THRESHOLD                    0;
HTTP_SERVERS                            $HOME_NET;
SMTP_SERVERS                            $HOME_NET;
DNS_SERVERS                             $HOME_NET;
SQL_SERVERS                             $HOME_NET;
TELNET_SERVERS                          $HOME_NET;
AIM_SERVERS                             [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS                              80;
SHELLCODE_PORTS                         !80;
ORACLE_PORTS                            1521;
ENABLE_SNORT_SIG_STRICT                 Y;
ENABLE_AUTO_IDS                         Y;
AUTO_IDS_DANGER_LEVEL                   5;
AUTO_BLOCK_TIMEOUT                      3600;
AUTO_BLOCK_DL1_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT                  0; ### permanent
ENABLE_AUTO_IDS_REGEX                   N;
AUTO_BLOCK_REGEX                        ESTAB; ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS               N;
ENABLE_AUTO_IDS_EMAILS                  Y;
IPTABLES_BLOCK_METHOD                   Y;
IPT_AUTO_CHAIN1                         DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2                         DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3                         DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT                       Y;
IPTABLES_PREREQ_CHECK                   1;
TCPWRAPPERS_BLOCK_METHOD                N;
ENABLE_WHOIS_LOOKUPS                    Y;
WHOIS_TIMEOUT                           60; ### seconds
WHOIS_LOOKUP_THRESHOLD                  20;
ENABLE_WHOIS_FORCE_ASCII                N;
ENABLE_WHOIS_FORCE_SRC_IP               N;
ENABLE_DNS_LOOKUPS                      Y;
DNS_LOOKUP_THRESHOLD                    20;
ENABLE_EXT_SCRIPT_EXEC                  N;
EXTERNAL_SCRIPT                         /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT               N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC            N;
EXTERNAL_BLOCK_SCRIPT                   /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE              N;
CUSTOM_SYSLOG_TS_RE                     ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL                     300; ### seconds
DISK_MAX_PERCENTAGE                     95;
DISK_MAX_RM_RETRIES                     10;
ENABLE_SCAN_ARCHIVE                     N;
TRUNCATE_FWDATA                         Y;
MIN_ARCHIVE_DANGER_LEVEL                1;
MAIL_ALERT_PREFIX                       [psad-alert];
MAIL_STATUS_PREFIX                      [psad-status];
MAIL_ERROR_PREFIX                       [psad-error];
MAIL_FATAL_PREFIX                       [psad-fatal];
SIG_UPDATE_URL                          http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL               5; ### seconds
PSADWATCHD_MAX_RETRIES                  10;
INSTALL_ROOT                            /;
PSAD_DIR                                $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR                            $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR                           $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR                           $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR                           $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR                            $PSAD_DIR/errs;
{% if ansible_os_family == "RedHat" %}
CONF_ARCHIVE_DIR                        $PSAD_DIR/archive;
{% elif ansible_os_family == "Debian" %}
CONF_ARCHIVE_DIR                        $PSAD_CONF_DIR/archive;
{% endif %}
SCAN_DATA_ARCHIVE_DIR                   $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR                       $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR                         $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR                       /etc/fwsnort/snort_rules; ### may not exist
FW_DATA_FILE                            $PSAD_DIR/fwdata;
ULOG_DATA_FILE                          $PSAD_DIR/ulogd.log;
FW_CHECK_FILE                           $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE                      $PSAD_DIR/dshield.email;
SIGS_FILE                               $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE                          $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE                         $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE                        $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE                            $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE                      $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE                               $PSAD_CONF_DIR/posf;
P0F_FILE                                $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE                            $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE                          $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE                     /etc/hosts.deny;
ETC_SYSLOG_CONF                         /etc/syslog.conf;
ETC_RSYSLOG_CONF                        /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF                       /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF                        /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE                      $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE                    $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE                        $PSAD_DIR/install.log;
PSAD_PID_FILE                           $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE                   $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE                       $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE                         $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE                     $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE                     $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE                   $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK                           $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG                            $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH                         $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE                       /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE                     $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE                  $PSAD_DIR/top_ports;
TOP_SIGS_FILE                           $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE                      $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE                    $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE                 $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN                      psad_iptout.XXXXXX;
IPT_ERROR_PATTERN                       psad_ipterr.XXXXXX;
iptablesCmd                             /sbin/iptables;
ip6tablesCmd                            /sbin/ip6tables;
shCmd                                   /bin/sh;
wgetCmd                                 /usr/bin/wget;
gzipCmd                                 /bin/gzip;
mknodCmd                                /bin/mknod;
psCmd                                   /bin/ps;
mailCmd                                 /bin/mail;
sendmailCmd                             /usr/sbin/sendmail;
ifconfigCmd                             /sbin/ifconfig;
ipCmd                                   /sbin/ip;
killallCmd                              /usr/bin/killall;
netstatCmd                              /bin/netstat;
unameCmd                                /bin/uname;
whoisCmd                                /usr/bin/whois;
dfCmd                                   /bin/df;
fwcheck_psadCmd                         $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd                           $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd                               $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd                                 $INSTALL_ROOT/usr/sbin/psad;

I think the problem is this, it's just an educated guess, I didn't have time to check the source code:

MIN_DANGER_LEVEL                        1;
EMAIL_ALERT_DANGER_LEVEL                3;
EMAIL_LIMIT                             50;

MIN_DANGER_LEVEL must be less or equal to EMAIL_ALERT_DANGER_LEVEL, but when the value is less, then it still triggers mail events, which aren't actually sent since the EMAIL_ALERT_DANGER_LEVEL threshold isn't triggered when the danger level is less than 3 (in this case). But the danger events less than 3 do increment the EMAIL_LIMIT value, which is set to 50. So even when no mails are actually sent, it does increment that limit, once hit, I receive the "reached email message limit" out of nowhere since I never got other emails since the EMAIL_ALERT_DANGER_LEVEL wasn't triggered. If this is the case, then I see this as a bug.