I'm interested in PSD and how to implement it on RouterOS. I did a bit of reading on the wiki and these forums on how to do this correctly and what the values mean in the rule definition. It seems straightforward; however, I can't get a PSD rule to fire (or log, or add src addresses to a list), even with very low threshold values and very high weight values.
For example:
Code:
chain=input action=log protocol=tcp psd=10,3m,5,5 log=yes log-prefix="psd"
Can anyone point out where I'm going wrong here?
RouterOS version is 6.40.4. See below for all my filter rules for context.
Code:
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=passthrough chain=input comment="log access to winbox service" \
    dst-port=8291 log=yes log-prefix=winbox-input protocol=tcp \
    src-address-list=trusted-lans
add action=accept chain=input comment="accept normal dhcp traffic from lans" \
    dst-port=67,68 protocol=udp src-address-list=lans
add action=accept chain=input comment="allow all input from trusted lans" \
    src-address-list=trusted-lans
add action=log chain=input comment="psd - add to port-scanners list (tcp)" \
    log=yes log-prefix=psd protocol=tcp psd=10,3m,5,5
add action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=14h chain=input comment=\
    "psd - add to port-scanners list (udp)" in-interface=ether1-wan log=yes \
    log-prefix=psd protocol=udp psd=20,3m,5,5
add action=drop chain=input comment="drop all else" log=yes log-prefix=\
    catchall-input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="allow lan traffic out wan" \
    out-interface=ether1-wan src-address-list=lans
add action=accept chain=forward comment=\
    "allow forwards from WAN that are DSTNATed" connection-nat-state=dstnat \
    connection-state=new in-interface=ether1-wan
add action=log chain=forward comment="log bogon forwards" in-interface=\
    ether1-wan log=yes log-prefix=bogon-forward src-address-list=bogons
add action=log chain=forward comment="log invalid packets" connection-state=\
    invalid log=yes log-prefix=invalid-forward
add action=drop chain=forward comment=\
    "drop everything not explicitly allowed" log=yes log-prefix=\
    catchall-forward