#1011293 psad: getting logs flooded with scan reports for IP6 neighbor discovery

Package: psad
Source: psad
Description: Port Scan Attack Detector
Submitter: Tim McConnell
Date: 2022-05-19 17:39:04 UTC
Severity: important

#1011293#5
Date: 2022-05-19 17:35:53 UTC

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

What led up to the situation? Not sure, I installed psad and Snort rules etc.

What exactly did you do (or not do) that was effective (or
     ineffective)? No Idea

What was the outcome of this action? getting flooded with this notification:
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [3] (out of 5) Multi-Protocol

 Scanned destinations: 1

               Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
                  DNS: [No reverse dns info available]

          Destination: ff02:0000:0000:0000:0000:0000:0000:0001
                  DNS: [No reverse dns info available]

   Overall scan start: Thu May 19 11:37:16 2022
   Total email alerts: 26491
      Syslog hostname: DebianTim

         Global stats:
                       chain:   interface:  protocol:  packets:
                       INPUT    enp1s0      icmp6      613

[+] Whois Information (source IP):
Unknown AS number or IP network. Please upgrade this program.

=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=
I have NFTables set to this:
                # ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
                meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
                ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

                # count and drop any other traffic
                counter drop
What outcome did you expect instead?
Not to have 36,878 messages that I have been scanned for IP6 neighbor
protocols.
How do I configure PSAD to ignore these and quit getting false positives?
*** End of the template - remove these template lines ***
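
A triage helper for alerts like the one quoted in this report, as an added example that is not part of the original report or of psad: it parses the alert fields, checks whether the traffic is purely ICMPv6 from a link-local source to the all-nodes multicast group ff02::1 (on-link traffic that is never forwarded by a router), and recovers the sender's MAC address from the EUI-64 interface identifier so the device can be identified. The function names and the trimmed sample alert are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the relevant fields copied from the alert quoted in the report.
ALERT = """\
               Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
          Destination: ff02:0000:0000:0000:0000:0000:0000:0001
                       chain:   interface:  protocol:  packets:
                       INPUT    enp1s0      icmp6      613
"""

ALL_NODES = ipaddress.IPv6Address("ff02::1")     # link-local all-nodes multicast
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # link-local unicast range


def parse_alert(text):
    """Extract source, destination and per-protocol packet counts from an alert."""
    src = re.search(r"^[ \t]*Source:[ \t]*(\S+)", text, re.M).group(1)
    dst = re.search(r"^[ \t]*Destination:[ \t]*(\S+)", text, re.M).group(1)
    # Stats rows have the shape: CHAIN  interface  protocol  packets
    rows = re.finditer(r"^[ \t]*[A-Z]+[ \t]+\S+[ \t]+(\w+)[ \t]+(\d+)[ \t]*$", text, re.M)
    protos = {m.group(1): int(m.group(2)) for m in rows}
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), protos


def is_on_link_icmpv6(src, dst, protos):
    """True when the alert is only ICMPv6 from a link-local host to ff02::1."""
    return src in LINK_LOCAL and dst == ALL_NODES and set(protos) == {"icmp6"}


def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface identifier, or None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # interface identifier was not derived from a MAC address
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    src, dst, protos = parse_alert(ALERT)
    print("on-link ICMPv6 only:", is_on_link_icmpv6(src, dst, protos))
    print("sender MAC (from EUI-64):", eui64_mac(src))
```

The recovered MAC can be matched against the neighbor table or DHCP leases to see which device on the local segment is sending the packets.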