Hi
I have Guardian set to only block Snort Priority Level 1 alerts but it's blocking Level 2 as well.
Alert:
[**] [1:2402000:4623] ET DROP Dshield Block Listed Source group 1 [**]
[Classification: Misc Attack] [Priority: 2]
11/11-12:18:49.554499 77.72.82.7:53790 -> myip:4569
TCP TTL:246 TOS:0x28 ID:53722 IpLen:20 DgmLen:40
******S* Seq: 0xFBE35F5A Ack: 0x0 Win: 0x400 TcpLen: 20
[Xref => http://feeds.dshield.org/block.txt]
syslog:
Nov 11 12:18:49 ipfire guardian[3955]: <info> Blocking 77.72.82.7 for 86400 seconds...
/var/ipfire/guardian/guardian.conf:
# Autogenerated configuration file.
# All user modifications will be overwritten.

# Log settings.
LogFacility = syslog
LogLevel = info

# IPFire related settings.
FirewallEngine = IPtables
SocketOwner = nobody:nobody
IgnoreFile = /var/ipfire/guardian/guardian.ignore

# Configured block settings.
BlockCount = 1
BlockTime = 86400
FirewallAction = DROP

# Enabled modules.
Monitor_SSH = /var/log/messages
Monitor_SNORT = /var/log/snort/alert
Monitor_HTTPD = /var/log/httpd/error_log

# Module settings.
SnortPriorityLevel = 1
Does anyone know of a fix?
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690
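
An added diagnostic sketch, not part of the original post and not Guardian's own code: it correlates Guardian "Blocking" syslog lines with Snort alerts from the same source address and lists blocks whose alert priority number is higher than SnortPriorityLevel. It assumes, as the post does, that such alerts should not trigger a block; the function names and the 2-second matching window are choices made for this example.

```python
import re

# Constructed sample input, built from the values quoted in the post above.
GUARDIAN_CONF = "# Module settings.\nSnortPriorityLevel = 1\n"
SNORT_ALERTS = (
    "[**] [1:2402000:4623] ET DROP Dshield Block Listed Source group 1 [**]\n"
    "[Classification: Misc Attack] [Priority: 2]\n"
    "11/11-12:18:49.554499 77.72.82.7:53790 -> myip:4569\n"
)
SYSLOG = ("Nov 11 12:18:49 ipfire guardian[3955]: <info> "
          "Blocking 77.72.82.7 for 86400 seconds...\n")

# Signature id, priority, time of day and source IP of each alert.
# \s+ also accepts the alert when it has been flattened onto one line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\].*?\[Priority: (?P<prio>\d+)\]\s+"
    r"\d\d/\d\d-(?P<time>\d\d:\d\d:\d\d)\.\d+ (?P<src>\d+(?:\.\d+){3})",
    re.S)
BLOCK_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) \S+ guardian\[\d+\]: <info> "
    r"Blocking (?P<ip>\S+) for")

def _secs(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def configured_level(conf):
    """Return SnortPriorityLevel from guardian.conf text, or None if unset."""
    m = re.search(r"^\s*SnortPriorityLevel\s*=\s*(\d+)", conf, re.M)
    return int(m.group(1)) if m else None

def unexpected_blocks(conf, alerts, syslog, window=2):
    """List (ip, sid, alert_priority, configured_level) for each block that
    follows, within `window` seconds, an alert above the configured level.
    Assumption: priority 1 is the most severe. Midnight wrap is ignored."""
    level = configured_level(conf)
    if level is None:
        return []
    seen = [(m["src"], _secs(m["time"]), m["sid"], int(m["prio"]))
            for m in ALERT_RE.finditer(alerts)]
    findings = []
    for b in BLOCK_RE.finditer(syslog):
        t = _secs(b["time"])
        for src, at, sid, prio in seen:
            if src == b["ip"] and 0 <= t - at <= window and prio > level:
                findings.append((src, sid, prio, level))
    return findings

if __name__ == "__main__":
    for finding in unexpected_blocks(GUARDIAN_CONF, SNORT_ALERTS, SYSLOG):
        print("block from alert above configured level:", finding)
```

On a live system, pass in the contents of guardian.conf, the Monitor_SNORT alert file and the syslog file instead of the sample strings. A block with no matching Snort alert in the window points at one of the other enabled modules instead.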