Hi

I have Guardian set to only block Snort Priority Level 1 alerts but it's blocking Level 2 as well.

Alert:

[**] [1:2402000:4623] ET DROP Dshield Block Listed Source group 1 [**]
[Classification: Misc Attack] [Priority: 2] 
11/11-12:18:49.554499 77.72.82.7:53790 -> myip:4569
TCP TTL:246 TOS:0x28 ID:53722 IpLen:20 DgmLen:40
******S* Seq: 0xFBE35F5A  Ack: 0x0  Win: 0x400  TcpLen: 20
[Xref => http://feeds.dshield.org/block.txt]

syslog:

Nov 11 12:18:49 ipfire guardian[3955]: <info> Blocking 77.72.82.7 for 86400 seconds... 

/var/ipfire/guardian/guardian.conf:

# Autogenerated configuration file.
# All user modifications will be overwritten.

# Log settings.
LogFacility = syslog
LogLevel = info

# IPFire related settings.
FirewallEngine = IPtables
SocketOwner = nobody:nobody
IgnoreFile = /var/ipfire/guardian/guardian.ignore

# Configured block settings.
BlockCount = 1
BlockTime = 86400
FirewallAction = DROP

# Enabled modules.
Monitor_SSH = /var/log/messages
Monitor_SNORT = /var/log/snort/alert
Monitor_HTTPD = /var/log/httpd/error_log

# Module settings.
SnortPriorityLevel = 1

Does anyone know of a fix?

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690
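One way to check a report like this is to correlate Guardian's "Blocking" syslog lines with the priority of the Snort alerts from the same source address. The sketch below is an added example, not part of the original message and not Guardian's own code. The function names, the second sample alert and the reading of SnortPriorityLevel (1 is most severe, only priorities at or below the configured level should block) are assumptions.

```python
import re

# Constructed sample input modelled on the alert and syslog lines in the post;
# the second alert (sid 1:1000001:1, 198.51.100.5) is made up for contrast.
ALERTS = """\
[**] [1:2402000:4623] ET DROP Dshield Block Listed Source group 1 [**]
[Classification: Misc Attack] [Priority: 2]
11/11-12:18:49.554499 77.72.82.7:53790 -> myip:4569
TCP TTL:246 TOS:0x28 ID:53722 IpLen:20 DgmLen:40

[**] [1:1000001:1] Constructed priority 1 rule [**]
[Classification: Misc Attack] [Priority: 1]
11/11-12:20:01.000000 198.51.100.5:40000 -> myip:22
"""
SYSLOG = """\
Nov 11 12:18:49 ipfire guardian[3955]: <info> Blocking 77.72.82.7 for 86400 seconds...
Nov 11 12:20:01 ipfire guardian[3955]: <info> Blocking 198.51.100.5 for 86400 seconds...
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] .* \[\*\*\]$")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
PACKET = re.compile(r"^\d\d/\d\d-[\d:]+\.\d+ (\d+(?:\.\d+){3})(?::\d+)? -> ")
BLOCK = re.compile(r"guardian\[\d+\]: <info> Blocking (\S+) for \d+ seconds")

def parse_alerts(text):
    """Return one dict (sid, priority, src) per blank-line-separated alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in map(str.strip, block.splitlines()):
            if m := HEADER.match(line):
                rec["sid"] = m.group(1)
            elif m := PRIORITY.search(line):
                rec["priority"] = int(m.group(1))
            elif m := PACKET.match(line):
                rec["src"] = m.group(1)
        if {"sid", "priority", "src"} <= rec.keys():
            alerts.append(rec)
    return alerts

def unexpected_blocks(alert_text, syslog_text, level):
    """Blocked IPs whose most severe alert has a priority number above `level`.
    Assumes 1 is most severe and only priorities <= level should block."""
    best = {}
    for a in parse_alerts(alert_text):
        best[a["src"]] = min(a["priority"], best.get(a["src"], a["priority"]))
    hits = BLOCK.findall(syslog_text)
    return [(ip, best[ip]) for ip in hits if best.get(ip, 0) > level]
```

Calling `unexpected_blocks(ALERTS, SYSLOG, level=1)` on the sample returns only the block tied to the priority 2 alert. Blocked addresses with no Snort alert at all are skipped, since they would have come from one of the other enabled monitors.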