On Thu, 2011-12-01 at 12:14 +1100, Kilburn Abrahams wrote:
> Using 4.4.23.2 on a single host. A host x.x.x.x is sending traffic
> although it is blacklisted and blocked by rules
>
> rules:
>
> DROP net:x.x.x.x/21 $FW - - -
> DROP net:x.x.x.x/22 $FW - - -
> DROP $FW net:x.x.x.x/21 - - -
> DROP $FW net:x.x.x.x/22 - - -
>
> blacklist
>
> #ADDRESS/SUBNET PROTOCOL PORT OPTIONS
> x.x.x.x/21 - - src,dst
> x.x.x.x/22 - - src,dst
>
> I see no record of the host in the logs. App darkstat indicates that
> host is sending traffic on random udp ports and it shows when last the
> host connected and the amount of traffic. This is a little puzzling.
> Is there something I am overlooking?
Yes -- You are overlooking the fact that Darkstat uses libpcap to
capture traffic; therefore, it captures the UDP packets *before* they
are dropped by the Shorewall-generated ruleset. I assume that you have
not set a value for BLACKLIST_LOGLEVEL, in which case your blacklisting
rules don't generate log messages.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
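Two checks that go with Tom's answer, as an added example that is not part of the thread: reading the netfilter packet counters on the blacklist DROP rules (they count only packets that actually reached the rule, unlike a libpcap capture) and reading BLACKLIST_LOGLEVEL from shorewall.conf. The iptables output, the chain name, the 203.0.113.0/24 prefix and the counters are constructed sample data, and the awk field positions assume `iptables -nvxL` output.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the situation above:
#  1. read the netfilter packet counters on the blacklist DROP rules, which
#     only count packets that actually reached the rule (libpcap tools such
#     as darkstat see the packet earlier, so their counters prove nothing);
#  2. read BLACKLIST_LOGLEVEL from shorewall.conf, since an empty value
#     means the blacklist drops silently and nothing reaches the logs.
#     Set it (e.g. BLACKLIST_LOGLEVEL=info) and `shorewall restart`.

# Print "<chain> <packets> <bytes>" for each DROP rule whose source or
# destination is the given prefix. Expects `iptables -nvxL` output on stdin
# (-x gives exact counts instead of abbreviated 9088K-style values).
drop_counts_for() {
    awk -v p="$1" '
        /^Chain / { chain = $2; next }
        $3 == "DROP" && ($8 == p || $9 == p) { print chain, $1, $2 }
    '
}

# Print the BLACKLIST_LOGLEVEL value from a shorewall.conf read on stdin,
# quotes stripped; prints nothing when the setting is empty or absent.
blacklist_loglevel() {
    sed -n 's/^BLACKLIST_LOGLEVEL=//p' | tr -d '"' | tail -n 1
}

# Constructed sample data (chain name, prefix and counters are made up).
SAMPLE_IPTABLES='Chain blacklst (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     142     9088 DROP       all  --  *      *       203.0.113.0/24       0.0.0.0/0
       0        0 DROP       all  --  *      *       0.0.0.0/0            203.0.113.0/24
'
SAMPLE_CONF_SILENT='BLACKLIST_LOGLEVEL=
LOG_LEVEL=info'
SAMPLE_CONF_FIXED='BLACKLIST_LOGLEVEL=info
LOG_LEVEL=info'

# Run the checks against the constructed samples; on a live host replace the
# printf with `iptables -nvxL` and `cat /etc/shorewall/shorewall.conf`.
check_sample_counters() {
    printf '%s' "$SAMPLE_IPTABLES" | drop_counts_for 203.0.113.0/24
}
check_sample_loglevel() {
    printf '%s\n' "$1" | blacklist_loglevel
}

check_sample_counters
echo "silent conf level: '$(check_sample_loglevel "$SAMPLE_CONF_SILENT")'"
echo "fixed conf level:  '$(check_sample_loglevel "$SAMPLE_CONF_FIXED")'"
```

A non-zero and growing pkts column on the DROP rule is the proof that the blacklist is working, whatever darkstat reports.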