Dear Maintainer,
What led up to the situation? Not sure, I installed psad and Snort rules etc.
What exactly did you do (or not do) that was effective (or ineffective)? No idea.
What was the outcome of this action? Getting flooded with this notification:
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [3] (out of 5) Multi-Protocol
Scanned destinations: 1
Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
DNS: [No reverse dns info available]
Destination: ff02:0000:0000:0000:0000:0000:0000:0001
DNS: [No reverse dns info available]
Overall scan start: Thu May 19 11:37:16 2022
Total email alerts: 26491
Syslog hostname: DebianTim
Global stats:
chain: interface: protocol: packets:
INPUT enp1s0 icmp6 613
[+] Whois Information (source IP):
Unknown AS number or IP network. Please upgrade this program.
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=
I have NFTables set to this:
# ICMPv6 packets which must not be dropped, see
# https://tools.ietf.org/html/rfc4890#section-4.4.1
# (148/149 are the SEND certification path solicitation/advertisement)
meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big,
    time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit,
    nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
# MLD query/report/done (130-132), MLDv2 report (143) and multicast router
# discovery (151-153), accepted only from link-local sources
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
# count and drop any other traffic
counter drop
What outcome did you expect instead?
Not to have 36,878 messages saying that I have been scanned for IPv6 neighbor protocols.
How do I configure PSAD to ignore these and quit getting false positives?
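An added triage script, not part of the bug report and not psad's own code: it parses alert text in the layout quoted in the report and flags the link-local IPv6 source, multicast destination, ICMPv6-only pattern (neighbour discovery traffic on the local segment) so those alerts can be counted and set aside from ones worth reading. The sample text, including the second IPv4 alert used for contrast, is constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of the psad e-mail alert quoted above,
# plus a made-up IPv4 alert for contrast.
SAMPLE_ALERTS = """\
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:07:51 2022 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [3] (out of 5) Multi-Protocol
Source: fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
Destination: ff02:0000:0000:0000:0000:0000:0000:0001
Global stats:
chain: interface: protocol: packets:
INPUT enp1s0 icmp6 613
=-=-=-=-=-=-=-=-=-=-=-= Thu May 19 12:09:03 2022 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [2] (out of 5)
Source: 203.0.113.9
Destination: 192.0.2.10
chain: interface: protocol: packets:
INPUT enp1s0 tcp 40
"""

BANNER_RE = re.compile(r"^=-=.*=-=$", re.M)  # psad frames each alert with these


def parse_alerts(text):
    """Split psad alert text into dicts: source, destination, level, protocols."""
    alerts = []
    for chunk in BANNER_RE.split(text):
        fields, protos = {}, set()
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        for i, ln in enumerate(lines):
            key, _, value = ln.partition(":")
            if key in ("Source", "Destination"):
                fields[key.lower()] = value.strip()
            elif key == "Danger level":
                fields["level"] = int(re.search(r"\[(\d+)\]", value).group(1))
            elif key == "chain":  # stats rows (chain iface proto packets) follow
                protos |= {r.split()[2] for r in lines[i + 1:]
                           if len(r.split()) == 4 and r.split()[3].isdigit()}
        if "source" in fields:
            fields["protocols"] = protos
            alerts.append(fields)
    return alerts


def is_nd_noise(alert):
    """Link-local IPv6 source, multicast destination, ICMPv6 only: neighbour discovery."""
    src = ipaddress.ip_address(alert["source"])
    dst = ipaddress.ip_address(alert["destination"])
    return (src.version == 6 and src.is_link_local and dst.is_multicast
            and alert["protocols"] == {"icmp6"})
```

Run over a saved mailbox of psad alerts, the count of `is_nd_noise` hits shows how much of the flood is this one pattern, and the remaining alerts are the ones to look at.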