
NAME

       psad - The Port Scan Attack Detector

SYNOPSIS

       psad [options]

DESCRIPTION

       psad  makes  use  of  iptables  log  messages  to  detect,  alert,  and
       (optionally) block port scans and other suspect traffic.  For TCP scans
       psad  analyzes  TCP  flags  to determine the scan type (syn, fin, xmas,
       etc.) and corresponding command line options that could be supplied  to
       nmap to generate such a scan.  In addition, psad makes use of many TCP,
       UDP, and ICMP signatures contained within the Snort intrusion detection
       system (see http://www.snort.org/) to detect suspicious network traffic
       such as probes for common  backdoors,  DDoS  tools,  OS  fingerprinting
       attempts,  and  more.   By  default psad also provides alerts for snort
       rules that are detected directly by  iptables  through  the  use  of  a
       ruleset   generated  by  fwsnort  (http://www.cipherdyne.org/fwsnort/).
       This enables psad to send alerts for application layer  attacks.   psad
       features  a set of highly configurable danger thresholds (with sensible
       defaults  provided)  that  allow  the  administrator  to  define   what
       constitutes a port scan or other suspect traffic.  Email alerts sent by
       psad contain the scanning ip, number of packets sent to each port,  any
       TCP,  UDP,  or  ICMP signatures that have been matched (e.g. "NMAP XMAS
       scan"), the scanned port range, the current danger level (from 1 to 5),
       reverse  dns  info,  and  whois  information.   psad  also makes use of
       various packet  header  fields  associated  with  TCP  SYN  packets  to
       passively  fingerprint remote operating systems (in a manner similar to
       the p0f fingerprinter) from which scans originate.  This  requires  the
       use  of  the  --log-tcp-options argument for iptables logging rules; if
       this option is not used, psad will fall back to a fingerprinting method
       that  makes  use  of  packet length, TTL and TOS values, IP ID, and TCP
       window sizes.

       psad configures syslog to write all kern.info messages to a named  pipe
       /var/lib/psad/psadfifo and then reads all messages out of the pipe that
       are matched by a string designed to catch any packets  that  have  been
       logged  (and  possibly  dropped)  by the firewall.  In this way psad is
       supplied with a pure data stream that exclusively contains packets that
       the  firewall  has deemed unfit to enter the network.  psad consists of
       three daemons: psad, kmsgsd, and psadwatchd.  psad is  responsible  for
       processing  all  packets  that  have  been  logged  by the firewall and
       applying the signature logic in order to determine what  type  of  scan
       has  been  leveraged  against the machine and/or network.  kmsgsd reads
       all messages that have been written to the /var/lib/psad/psadfifo named
       pipe   and  writes  any  message  that  matches  a  particular  regular
       expression  (or  string)  to  /var/log/psad/fwdata.   psadwatchd  is  a
       software watchdog that will restart any of the other two daemons should
       a daemon die for any reason.

OPTIONS

       -A, --Analyze-msgs
              Analyze an iptables logfile  for  scans  and  exit.   This  will
              generate  email  alerts  just  as  a normal running psad process
              would have for all logged scans.  By default the psad data  file
              /var/log/psad/fwdata  is  parsed for old scans, but any file can
              be specified through the use of the --messages-file command line
              option.   For  example  it might be useful to point psad at your
              /var/log/messages file.

       -i, --interface <interface>
              Specify the interface that psad will examine  for  iptables  log
              messages.   This interface will be the IN= interface for packets
              that are logged in the INPUT and FORWARD chains,  and  the  OUT=
              interface for packets logged in the OUTPUT chain.

       --sig-update
              Instruct  psad  to  download  the  latest  set of modified Snort
              signatures  from  http://www.cipherdyne.org/psad/signatures   so
              that  psad  can take advantage of signature updates before a new
              release is made.

       -D, --Dump-conf
              Dump the current psad config to STDOUT and exit.  Various pieces
              of  information such as the home network, alert email addresses,
              and DShield user id are removed from the resulting output so  it
              is safe to send to others.

       -F, --Flush
              Remove  any  auto-generated  firewall  block  rules  if psad was
              configured  to  automatically  respond   to   scans   (see   the
              ENABLE_AUTO_IDS variable in psad.conf).

       -S, --Status
               Display the status of any psad processes that may or  may  not
               be  running.  The status output contains a listing of the number
               of packets that have been processed by psad, along with all  IP
               addresses and corresponding danger levels that have scanned  the
               network.

       --status-ip <ip>
              Display  status  information  associated  with  ip  such  as the
              protocol packet counters as well as the last 10  packets  logged
              by iptables.

       --status-dl <dl>
              Display  status  information  only for scans that have reached a
               danger level of at least dl.

       --status-summary
              Instruct psad to omit detailed IP information from --Status  and
              --Analyze modes.

       -m, --messages-file <file>
              This  option  is used to specify the file that will be parsed in
              analysis mode (see the --Analyze-msgs option).  The default path
              is the psad data file /var/log/psad/fwdata.

       --CSV  Instruct psad to parse iptables log messages out of
               /var/log/messages (by default, but this path can be changed with
               the -m option), and print the packet fields on STDOUT in comma-
               separated value format.  This is useful for graphing iptables
               log data with AfterGlow (see
               http://afterglow.sourceforge.net/index.html).

       --CSV-fields <tokens>
              Instruct psad to only include a specific  set  of  iptables  log
              message  fields  within the CSV output.  AfterGlow accepts up to
              three fields for its graph data, so the  most  common  usage  of
              this  option is "src dst dp" to print the source and destination
              IP addresses, and the destination port number.

       -K, --Kill
              Kill the current psad process along with psadwatchd and  kmsgsd.
              This  provides  a  quick and easy way to kill all psad processes
              without having to look in the process table  or  appeal  to  the
              psad-init script.

       -R, --Restart
              Restart  the currently running psad processes.  This option will
              preserve the command line options  that  were  supplied  to  the
              original psad process.

       -U, --USR1
              Send a running psad process a USR1 signal.  This will cause psad
              to  dump  the  contents  of  the  %Scan   hash   to   the   file
              "/var/log/psad/scan_hash.$$"  where  "$$"  represents the pid of
              the psad process.  This is mostly useful for debugging purposes,
              but  it  also  allows  the  administrator to peer into the %Scan
              hash, which is the primary data structure  used  to  store  scan
              data within system memory.

       -H, --HUP
              Send  all running psad daemons a HUP signal.  This will instruct
              the daemons to  re-read  their  respective  configuration  files
              without causing scan data to be lost in the process.

       -B, --Benchmark
              Run  psad  in  benchmark  mode.   By default benchmark mode will
              simulate a scan of 10,000 packets (see the --packets option) and
              then  report  the  elapsed time.  This is useful to see how fast
              psad can process packets on a specific machine.

       -p, --packets <packets>
              Specify the number of packets to use  in  benchmark  mode.   The
              default is 10,000 packets.

       -d, --debug
              Run  psad  in  debugging  mode.  This will automatically prevent
              psad from running as a daemon, and will print  the  contents  of
              the  %Scan  hash  and  a  few  other things on STDOUT at crucial
              points as psad executes.

       -c, --config <configuration-file>
               By default psad makes use of the configuration file
               /etc/psad/psad.conf for almost all configuration parameters.
               psad can be made to override this path by specifying a different
               file on the command line with the --config option.

       --signatures <signatures-file>
              The  iptables  firewalling  code included within the linux 2.4.x
              kernel series has the ability to distinguish and log any of  the
              TCP  flags present within TCP packets that traverse the firewall
              interfaces.  psad makes use of this logging capability to detect
              several   types   of   TCP   scan   signatures  included  within
              /etc/psad/signatures.  The signatures were  originally  included
              within the snort intrusion detection system.  New signatures can
              be included and modifications to existing signatures can be made
              to  the  signature  file  and  psad will import the changes upon
              receiving a HUP signal  (see  the  --HUP  command  line  option)
              without  having  to restart the psad process.  psad also detects
              many UDP and  ICMP  signatures  that  were  originally  included
              within snort.

       -e, --email-analysis
              Send alert emails when run in --Analyze-msgs mode.  Depending on
              the size of the iptables  logfile,  using  the  --email-analysis
              option  could  extend  the  runtime of psad by quite a bit since
              normally both DNS and whois lookups will be issued against  each
              scanning  IP  address.   As  usual these lookups can be disabled
              with the --no-rdns and --no-whois options respectively.

       -w, --whois-analysis
              By default psad does not issue whois  lookups  when  running  in
              --Analyze-msgs  mode.  The --whois-analysis option will override
              this behavior (when run in analysis mode) and instruct  psad  to
              issue  whois  lookups  against  IP addresses from which scans or
              other suspect traffic has originated.

       --snort-type <type>
              Restrict the type of snort sids to type.   Allowed  types  match
              the  file  names  given  to  snort  rules  files such as "ddos",
              "backdoor", and "web-attacks".

       --snort-rdir <snort-rules-directory>
              Manually specify the directory where the snort rules  files  are
              located.  The default is /etc/psad/snort_rules.

       --passive-os-sigs <passive-os-sigs-file>
              Manually  specify  the  path  to  the  passive  operating system
              fingerprinting signatures file.  The default is  /etc/psad/posf.

       -a, --auto-dl <auto-dl-file>
              Occasionally  certain  IP  addresses  are  repeat  offenders and
              should automatically be given a higher danger level  than  would
              normally  be  assigned.   Additionally,  some  IP  addresses can
              always be ignored depending on your network  configuration  (the
              loopback  interface  127.0.0.1  might  be  a  good candidate for
              example).  /etc/psad/auto_dl provides an interface for  psad  to
              automatically   increase/decrease/ignore   scanning   IP  danger
              levels.  Modifications can be  made  to  auto_dl  (installed  by
              default  in  /etc/psad) and psad will import them without having
              to restart the psad process.

       --fw-search <fw_search-file>
               By default psad makes use of the firewall search configuration
               file /etc/psad/fw_search.conf for the firewall search mode and
               search strings.  psad can be made to override this path by
               specifying a different file on the command line with the
               --fw-search option.

       --fw-list-auto
              List all rules in iptables chains that are used by psad in auto-
              blocking mode.

       --fw-analyze
              Analyze  the  local  iptables ruleset, send any alerts if errors
              are discovered, and then exit.

       --fw-del-chains
              By default, if ENABLE_AUTO_IDS is  set  to  "Y"  psad  will  not
              delete    the    auto-generated   iptables   chains   (see   the
              IPT_AUTO_CHAIN keywords in psad.conf) if the --Flush  option  is
              given.   The  --fw-del-chains option overrides this behavior and
              deletes  the  auto-blocking  chains  from  a  running   iptables
              firewall.

       --fw-dump
              Instruct  psad  to dump the contents of the iptables policy that
              is running on the local system.  All IP  addresses  are  removed
              from  the  resulting  output,  so it is safe to post to the psad
              list, or communicate to others.  This option is most often  used
              with --Dump-conf.

       --fw-block-ip <ip>
              Specify an IP address or network to add to the iptables controls
              that are auto-generated by psad.  This allows psad to manage the
              rule timeouts.

       --fw-rm-block-ip <ip>
              Specify  an  IP  address  or network to remove from the iptables
              controls that are auto-generated by psad.

       --fw-file <policy-file>
              Analyze  the  iptables  ruleset  contained  within   policy-file
              instead of the ruleset currently loaded on the local system.

       --CSV-regex <regex>
              Instruct  psad  to only print CSV data that matches the supplied
              regex.  This regex is used to match against each of  the  entire
              iptables log messages.

       --CSV-neg-regex <regex>
              Instruct  psad  to  only  print CSV data that does not match the
              supplied regex.  This regex is used to negatively match  against
              each of the entire iptables log messages.

       --CSV-uniq-lines
              Instruct psad to only print unique CSV data.  That is, each line
              printed in --CSV mode will be unique.

       --CSV-max-lines <num>
              Limit the number of CSV-formatted lines that psad  generates  on
              STDOUT.   This is useful to allow AfterGlow graphs to be created
              that are not too cluttered.

       --CSV-start-line <num>
               Specify the beginning line number to start parsing out of the
               iptables log file in --CSV output mode.  This is useful for when
               the log file is extremely large, and you want to begin parsing
               at a specific place within the file.  The default is to begin
               parsing at the beginning of the file.

       --CSV-end-line <num>
              Specify the ending line number to stop parsing the iptables  log
              file in --CSV output mode.  This is useful for when the log file
              is extremely large, and you do not  want  psad  to  process  the
              entire thing.
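The --CSV family of options above (field selection, --CSV-regex / --CSV-neg-regex, --CSV-uniq-lines, --CSV-max-lines and the start/end line limits) is easiest to understand by modelling it over a few iptables log lines. The Python below is an added example, not psad's own code (psad itself is written in Perl); the sample log lines are constructed, and the token names other than src, dst and dp in FIELD_MAP are assumptions.

```python
import csv
import io
import re

# Constructed sample lines in iptables LOG format (not captured from a real host).
# Line 5 is a non-firewall kernel message and must be skipped by the parser.
SAMPLE_LOG = """\
Jun 12 10:15:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=43211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=43212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:15:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=53
Jun 12 10:15:04 fw kernel: eth0: link is up
Jun 12 10:15:05 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=50000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Token names accepted by --CSV-fields mapped to the iptables KEY=VALUE names.
# "src", "dst" and "dp" are the tokens the man page names; the rest are assumed here.
FIELD_MAP = {
    "src": "SRC", "dst": "DST", "sp": "SPT", "dp": "DPT", "proto": "PROTO",
    "in": "IN", "out": "OUT", "ttl": "TTL", "len": "LEN", "id": "ID",
}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_ipt_line(line):
    """Return the KEY=VALUE fields of one iptables log message as a dict.

    Returns None for lines that are not firewall log messages; a message is
    recognised by carrying both SRC= and DST= (the same kind of string match
    kmsgsd applies before writing a line to /var/log/psad/fwdata).
    """
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def ipt_to_csv(log_text, fields=("src", "dst", "dp"), regex=None, neg_regex=None,
               uniq=False, max_lines=None, start_line=1, end_line=None):
    """Model of the --CSV option family over an in-memory log.

    fields -> --CSV-fields        regex / neg_regex -> --CSV-regex / --CSV-neg-regex
    uniq   -> --CSV-uniq-lines    max_lines         -> --CSV-max-lines
    start_line / end_line -> --CSV-start-line / --CSV-end-line (1-based, inclusive)
    Returns a list of tuples, one per emitted CSV line.
    """
    unknown = [f for f in fields if f not in FIELD_MAP]
    if unknown:
        raise ValueError(f"unknown --CSV-fields token(s): {unknown}")
    rows, seen = [], set()
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if lineno < start_line:
            continue
        if end_line is not None and lineno > end_line:
            break
        # Both regex filters are matched against the entire log line, as the
        # page states, not against individual fields.
        if regex is not None and not re.search(regex, line):
            continue
        if neg_regex is not None and re.search(neg_regex, line):
            continue
        parsed = parse_ipt_line(line)
        if parsed is None:
            continue
        row = tuple(parsed.get(FIELD_MAP[f], "") for f in fields)
        if uniq:
            if row in seen:
                continue
            seen.add(row)
        rows.append(row)
        if max_lines is not None and len(rows) >= max_lines:
            break
    return rows


def rows_to_csv(rows):
    """Render the rows as comma-separated text suitable as AfterGlow input."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Equivalent of: psad --CSV --CSV-fields "src dst dp" --CSV-regex DROP --CSV-uniq-lines
    print(rows_to_csv(ipt_to_csv(SAMPLE_LOG, regex="DROP", uniq=True)), end="")
```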

       --gnuplot
              Enter  into Gnuplot mode whereby psad parses an iptables logfile
              and creates .gnu and .dat files that are suitable  for  graphing
              with Gnuplot.  The various --CSV command line arguments apply to
              plotting iptables log with Gnuplot.

       --gnuplot-template <file>
              Use a template file for all Gnuplot graphing directives (this is
              usually a .gnu file by convention).  Normally psad builds all of
              the graphing directives based on various --gnuplot command  line
              arguments,  but  the  --gnuplot-template  switch  allows  you to
              override this behavior.

       --gnuplot-file-prefix <file>
              Specify a prefix for the .gnu, .dat, and  .png  files  that  are
              generated  in  --gnuplot  mode.   So,  when  visualizing attacks
              captured in an iptables logfile (let’s say you are interested in
              port  scans),  you could use this option to have psad create the
              two files portscan.dat, portscan.gnu, and Gnuplot will create an
              additional  file  portscan.png  when  the  portscan.gnu  file is
              loaded.

       --gnuplot-x-label <label>
              Set the label associated with the x-axis.

       --gnuplot-x-range <range>
              Set the x-axis range.

       --gnuplot-y-label <label>
              Set the label associated with the y-axis.

       --gnuplot-y-range <range>
              Set the y-axis range.

       --gnuplot-z-label <label>
              Set the label associated with the z-axis (only  if  --gnuplot-3D
              is used).

       --gnuplot-z-range <range>
               Set the z-axis range (only if --gnuplot-3D is used).

       --gnuplot-3D
              Generate   a  Gnuplot  splot  graph.   This  produces  a  three-
              dimensional graph.

       --gnuplot-view
              Set the viewing angle when graphing data in --gnuplot-3D mode.

       --gnuplot-title <title>
              Set the graph title for the Gnuplot graph.

       -I, --Interval <seconds>
              Specify the interval (in seconds) that psad should use to  check
              whether  or  not packets have been logged by the firewall.  psad
              will use the default of 15 seconds unless a different  value  is
              specified.

       -l, --log-server
              This option should be used if psad is being executed on a syslog
              logging server.  Running psad on a logging server requires  that
              check_firewall_rules()  and auto_psad_response() not be executed
              since the firewall is probably not being run locally.

       -V, --Version
              Print the psad version and exit.

       --no-daemon
              Do not run psad as a daemon.   This  option  will  display  scan
              alerts on STDOUT instead of emailing them out.

       --no-ipt-errors
               Occasionally iptables messages written by syslog to
               /var/lib/psad/psadfifo or to /var/log/messages do not conform to
               the normal firewall logging format if the kernel ring buffer
               used by klogd becomes full.  psad will write these messages to
               /var/log/psad/errs/fwerrorlog by default.  Passing the
               --no-ipt-errors option will make psad ignore all such erroneous
               firewall messages.

       --no-whois
              By  default  psad  will  issue a whois query against any IP from
              which a scan has originated, but this can be disabled  with  the
              --no-whois command line argument.

       --no-fwcheck
               psad performs a rudimentary check of the firewall ruleset that
               exists on the machine on which psad is deployed to determine
               whether or not the firewall has a compatible configuration (i.e.
               iptables has been configured to log packets).  Passing the
               --no-fwcheck or --log-server options will disable this check.

       --no-auto-dl
               Disable auto danger level assignments.  This will instruct psad
               not to import any IP addresses or networks from the file
               /etc/psad/auto_dl.

       --no-snort-sids
               Disable snort sid processing mode.  This will instruct psad to
               not import snort rules (for snort SID matching in a policy
               generated by fwsnort).

       --no-signatures
              Disable   psad   signature   processing.    Note  that  this  is
              independent of snort SID matching in iptables messages generated
              by fwsnort and also from the ICMP type/code validation routines.

       --no-icmp-types
              Disable ICMP type and code field validation.

       --no-passive-os
              By default psad will attempt to passively (i.e. without  sending
              any  packets) fingerprint the remote operating system from which
              a scan originates.   Passing  the  --no-passive-os  option  will
              disable this feature.

       --no-rdns
              psad  normally  attempts  to  find  the  name  associated with a
              scanning IP address, but this feature can be disabled  with  the
              --no-rdns command line argument.

       --no-kmsgsd
              Disable  startup  of  kmsgsd.   This  option  is most useful for
              debugging with individual iptables messages so that new messages
              are not appended to the /var/log/psad/fwdata file.

       --no-netstat
              By default for iptables firewalls psad will determine whether or
              not your machine  is  listening  on  a  port  for  which  a  TCP
              signature  has  been  matched.  Specifying --no-netstat disables
              this feature.

       -h, --help
              Print a page of usage information for psad and exit.

FILES

       /etc/psad/psad.conf
              The main psad configuration file  which  contains  configuration
              variables mentioned in the section below.

       /etc/psad/fw_search.conf
               Used to configure the strategy both psad and kmsgsd employ to
               parse iptables messages.  Using configuration directives within
               this file, psad can be configured to parse all iptables messages
               or only those that match specific log prefix strings (see the
               --log-prefix option to iptables).

       /etc/psad/signatures
              Contains  the  signatures  psad uses to recognize nasty traffic.
              The signatures are written in  a  manner  similar  to  the  *lib
              signature files used in the snort IDS.

       /etc/psad/icmp_types
              Contains all valid ICMP types and corresponding codes as defined
              by RFC 792.  By default,  ICMP  packets  are  validated  against
              these  values  and  an alert will be generated if a non-matching
              ICMP packet is logged by iptables.

       /etc/psad/snort_rules/*.rules
               Snort rules files that are consulted by default unless the
               --no-snort-sids command line argument is given.

       /etc/psad/auto_dl
              Contains a listing of any IP addresses that should be assigned a
              danger level  based  on  any  traffic  that  is  logged  by  the
              firewall.   The  syntax  is  "<IP address> <danger level>" where
              <danger level> is an integer from 0 to  5,  with  0  meaning  to
              ignore  all  traffic  from  <IP address>, and 5 is to assign the
              highest danger level to <IP address>.

       /etc/psad/posf
              Contains   a   listing   of   all   passive   operating   system
              fingerprinting  signatures.   These  signatures  include  packet
              lengths, ttl, tos, IP ID, and TCP window size  values  that  are
              specific to various operating systems.

PSAD CONFIGURATION VARIABLES

       This   section   describes   what  each  of  the  more  important  psad
       configuration variables do and how they  can  be  tuned  to  meet  your
       needs.   Most  of  the  variables are located in the psad configuration
       file  /etc/psad/psad.conf  but  the  FW_SEARCH_ALL  and   FW_MSG_SEARCH
       variables  are  located  in  the  file  /etc/psad/fw_search.conf.  Each
       variable is assigned sensible defaults for most  network  architectures
       during  the  install process.  More information on psad config keywords
       may be found at: http://www.cipherdyne.org/psad/config.html

       EMAIL_ADDRESSES
              Contains a comma-separated list  of  email  addresses  to  which
              email alerts will be sent.  The default is "root@localhost".

       HOSTNAME
              Defines  the  hostname  of the machine on which psad is running.
              This will be used in the email alerts generated by psad.

       HOME_NET
              Define the internal network(s) that are connected to  the  local
              system.   This  will  be  used in the signature matching code to
              determine whether traffic matches snort rules, which  invariably
              contain a source and destination network.  Multiple networks are
              supported as a comma separated list, and each network should  be
              specified  in  CIDR notation.  Normally the network(s) contained
              in the HOME_NET variable should be  directly  connected  to  the
              machine that is running psad.

       IMPORT_OLD_SCANS
              Preserve  scan  data  across  restarts  of  psad  or even across
              reboots of the machine.  This is accomplished by  importing  the
              data  contained  in  the  filesystem cache psad writes to during
               normal operation back into memory as psad is started.  The
               filesystem cache data is contained within the directory
               /var/log/psad.

       FW_SEARCH_ALL
              Defines the search mode psad uses to  parse  iptables  messages.
              By  default  FW_SEARCH_ALL  is  set  to  "Y" since normally most
              people want all iptables log messages  to  be  parsed  for  scan
              activity.   However,  if  FW_SEARCH_ALL is set to "N", psad will
              only parse those iptables log messages that match certain search
              strings  that  appear  in  iptables  logs  with the --log-prefix
              option.  This is useful for restricting psad to only operate  on
              specific  iptables  chains  or  rules.  The strings that will be
              searched for are defined with the  FW_MSG_SEARCH  variable  (see
              below).   The  FW_SEARCH_ALL  variable  is  defined  in the file
              /etc/psad/fw_search.conf since it is referenced by both psad and
              kmsgsd.

       FW_MSG_SEARCH
              Defines  a  set  of  search  strings  that psad uses to identify
              iptables messages that  should  be  parsed  for  scan  activity.
              These  search  strings  should  match  the  log  prefix  strings
              specified in the iptables ruleset with the --log-prefix  option,
              and  the  default  value for FW_MSG_SEARCH is "DROP".  Note that
              psad  normally  parses  all  iptables  messages,  and   so   the
              FW_MSG_SEARCH  variable  is  only  needed  if FW_SEARCH_ALL (see
              above) is set to "N".  The FW_MSG_SEARCH variable is  referenced
              by   both   psad   and   kmsgsd   so   it   lives  in  the  file
              /etc/psad/fw_search.conf.

       SYSLOG_DAEMON
              Define the specific syslog daemon  that  psad  should  interface
              with.   Psad  supports three syslog daemons: syslogd, syslog-ng,
              and metalog.  The default value of SYSLOG_DAEMON is syslogd.

       IGNORE_PORTS
               Specify a list of port ranges and/or individual ports and
               corresponding protocols that psad should completely ignore.
               This is particularly useful for ignoring ports that are used as
               part of a port knocking scheme (such as fwknop,
               http://www.cipherdyne.org/fwknop/) for network authentication,
               since log messages generated by the knock sequence may
               otherwise be interpreted as a scan.  Multiple ports and/or port
               ranges may be specified as a comma-separated list, e.g.
               "tcp/22, tcp/61000-61356, udp/53".

       ENABLE_PERSISTENCE
              If "Y", psad will keep all scans in  memory  and  not  let  them
              timeout.   This  can  help  discover  stealthy  scans  where  an
              attacker tries to slip beneath IDS thresholds by only scanning a
              few ports over a long period of time.  ENABLE_PERSISTENCE is set
              to "Y" by default.

       SCAN_TIMEOUT
              If ENABLE_PERSISTENCE is "N" then psad will use the value set by
              SCAN_TIMEOUT   to   remove   packets  from  the  scan  threshold
              calculation.  The default is 3600 seconds (1 hour).

       DANGER_LEVEL{1,2,3,4,5}
               psad uses a scoring system to keep track of the severity a scan
               reaches (represented as a "danger level") over time.  The
              DANGER_LEVEL{n} variables define the number of packets that must
              be   dropped  by  the  firewall  before  psad  will  assign  the
              respective danger level  to  the  scan.   A  scan  may  also  be
              assigned  a  danger  level  if  the  scan  matches  a particular
              signature contained in the  signatures  file.   There  are  five
              possible  danger  levels  with one being the lowest and five the
              highest.  Note there are several factors that can influence  how
              danger  levels  are  calculated: whether or not a scan matches a
              signature  listed  in   /etc/psad/signatures,   the   value   of
              PORT_RANGE_SCAN_THRESHOLD  (see  below),  whether  or not a scan
              comes from an IP that is listed in the  /etc/psad/auto_dl  file,
              and  finally  whether  or  not  scans  are allowed to timeout as
              determined by SCAN_TIMEOUT above.  If a signature is matched  or
              the  scanning  IP  is  listed  in  /etc/psad/auto_dl,  then  the
              corresponding danger level  is  automatically  assigned  to  the
              scan.

       PORT_RANGE_SCAN_THRESHOLD
              Defines  the  minimum difference between the lowest port and the
              highest port scanned before an alert is sent (the default  is  1
              which  means that at least two ports must be scanned to generate
              an alert).  For example, suppose an ip repeatedly scans a single
              port  for  which  there  is  no special signature in signatures.
              Then if PORT_RANGE_SCAN_THRESHOLD=1, psad  will  never  send  an
              alert for this "scan" no matter how many packets are sent to the
              port (i.e.  no matter what the value of DANGER_LEVEL1 is).   The
              reason  for the default of 1 is that a "scan" usually means that
              at least two ports are probed, but if you want psad to be  extra
              paranoid  you  can  set  PORT_RANGE_SCAN_THRESHOLD=0 to alert on
              scans to single ports (as long as the  number  of  packets  also
              exceeds DANGER_LEVEL1).

       SHOW_ALL_SIGNATURES
              If  "Y", psad will display all signatures detected from a single
              scanning IP since a scan was  first  detected  instead  of  just
              displaying  newly-detected  signatures.   SHOW_ALL_SIGNATURES is
              set to "N" by default.  All signatures are listed  in  the  file
              /etc/psad/signatures.

       SNORT_SID_STR
              Defines  the  string  kmsgsd  will  search  for  in iptables log
              messages that are generated by iptables rules designed to detect
              snort    rules.     The   default   is   "SID".    See   fwsnort
              (http://www.cipherdyne.org/fwsnort/).

       ENABLE_DSHIELD_ALERTS
              Enable dshield alerting mode.  This will send a  parsed  version
              of  iptables  log  messages  to  dshield.org  which  is a (free)
              distributed intrusion detection service.  For more  information,
              see http://www.dshield.org/

       IGNORE_CONNTRACK_BUG_PKTS
              If  "Y",  all TCP packets that have the ACK or RST flag bits set
              will be ignored by psad since usually we see such packets  being
              blocked  as  a  result  of the iptables connection tracking bug.
              Note there are no signatures that make use of the RST  flag  and
              very few that use the ACK flag.

       ALERT_ALL
              If  "Y", send email for all new bad packets instead of just when
              a danger level increases.  ALERT_ALL is set to "Y" by default.

       PSAD_EMAIL_LIMIT
              Defines the maximum number of emails that will  be  sent  for  a
              single  scanning  IP  (default  is 50).  This variable gives you
              some protection from psad sending  countless  alerts  if  an  IP
              scans  your  machine constantly.  psad will send a special alert
              if an IP has exceeded the email limit.  If  PSAD_EMAIL_LIMIT  is
              set  to  zero,  then  psad  will ignore the limit and send alert
              emails indefinitely for any scanning ip.

       EMAIL_ALERT_DANGER_LEVEL
              Defines the danger level a scan must reach before any  alert  is
              sent.  This variable is set to 1 by default.

       ENABLE_AUTO_IDS
              psad has the capability of dynamically blocking all traffic from
              an IP that has reached a  (configurable)  danger  level  through
              modification  of  iptables  or  tcpwrapper rulesets.  IMPORTANT:
              This feature is disabled by default since it is possible for  an
              attacker  to  spoof  packets  from  a well known (web)site in an
              effort to make it look as  though  the  site  is  scanning  your
              machine, and then psad will consequently block all access to it.
              Also, psad works by parsing firewall messages  for  packets  the
              firewall  has  already  dropped, so the "scans" are unsuccessful
              anyway.  However, some administrators prefer to take  this  risk
              anyway  reasoning  that  they  can always review which sites are
              being blocked and manually remove the block  if  necessary  (see
              the --Flush option).  Your mileage will vary.

       AUTO_IDS_DANGER_LEVEL
              Defines  the  danger  level  a  scan must reach before psad will
              automatically block the IP (ENABLE_AUTO_IDS must be set to "Y").
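
       The following is an added illustration, not code from psad  (which  is
       written  in  Perl):  a  small  Python  model of how the settings above
       combine.  It parses iptables LOG lines, drops ACK/RST  packets  unless
       a  signature  matched  them  (IGNORE_CONNTRACK_BUG_PKTS),  assigns  a
       danger level from an  auto_dl  listing,  a  signature  match,  or  the
       packet  count  gated  by  PORT_RANGE_SCAN_THRESHOLD,  and  then  maps
       the level to "email" and "block" actions  via  EMAIL_ALERT_DANGER_LEVEL,
       ENABLE_AUTO_IDS  and  AUTO_IDS_DANGER_LEVEL.   The  DANGER_LEVEL  packet
       counts, the auto_dl and signature tables, the precedence between  them,
       and  the  log lines are all constructed for the example; psad's actual
       rules live in /etc/psad/psad.conf, auto_dl and signatures.

```python
import re

# Values assumed for this example (psad reads the real ones from
# /etc/psad/psad.conf); the DANGER_LEVEL1..5 packet counts are constructed.
CONFIG = {
    "DANGER_LEVELS": [5, 15, 150, 1500, 10000],  # packets needed for levels 1..5
    "PORT_RANGE_SCAN_THRESHOLD": 1,
    "IGNORE_CONNTRACK_BUG_PKTS": "Y",
    "EMAIL_ALERT_DANGER_LEVEL": 1,
    "ENABLE_AUTO_IDS": "N",
    "AUTO_IDS_DANGER_LEVEL": 5,
}
# Constructed stand-ins for /etc/psad/auto_dl (source -> forced level) and
# /etc/psad/signatures ((proto, dst port, required TCP flag) -> (name, level)).
AUTO_DL = {"203.0.113.9": 5}
SIGNATURES = {("TCP", 31337, "SYN"): ("constructed backdoor-port probe", 3)}

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")


def parse_line(line):
    """KEY=value fields of one iptables LOG line plus the TCP flags after PROTO=."""
    if "SRC=" not in line or "DPT=" not in line:
        return None
    pkt = dict(FIELD_RE.findall(line))
    tail = line[line.find("PROTO="):] if "PROTO=" in line else ""
    pkt["FLAGS"] = {f for f in TCP_FLAGS if re.search(r"\b%s\b" % f, tail)}
    return pkt


def match_signature(pkt):
    """(name, level) of the first signature this packet matches, else None."""
    for (proto, dport, flag), sig in SIGNATURES.items():
        if pkt["PROTO"] == proto and int(pkt["DPT"]) == dport and flag in pkt["FLAGS"]:
            return sig
    return None


def danger_level(src, entry, config):
    """auto_dl and signatures assign the level outright; otherwise it comes from
    the packet count, and only if the port range reaches the threshold."""
    if src in AUTO_DL:
        return AUTO_DL[src], "listed in auto_dl"
    if entry["sigs"]:
        name, level = max(entry["sigs"], key=lambda s: s[1])
        return level, "signature: " + name
    if max(entry["ports"]) - min(entry["ports"]) < config["PORT_RANGE_SCAN_THRESHOLD"]:
        return 0, "port range below PORT_RANGE_SCAN_THRESHOLD"
    level = sum(1 for t in config["DANGER_LEVELS"] if entry["count"] >= t)
    return level, "%d packets to %d port(s)" % (entry["count"], len(entry["ports"]))


def actions(level, config):
    """Email at EMAIL_ALERT_DANGER_LEVEL; block only with ENABLE_AUTO_IDS=Y."""
    acts = []
    if 0 < level and level >= config["EMAIL_ALERT_DANGER_LEVEL"]:
        acts.append("email")
    if config["ENABLE_AUTO_IDS"] == "Y" and level >= config["AUTO_IDS_DANGER_LEVEL"]:
        acts.append("block")
    return acts


def analyze(lines, config=CONFIG):
    """Group dropped TCP packets by source; report level, reason and actions."""
    scans = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.get("PROTO") != "TCP":
            continue
        sig = match_signature(pkt)
        # ACK/RST packets are treated as conntrack-bug fallout unless a
        # signature matched them (IGNORE_CONNTRACK_BUG_PKTS).
        if (sig is None and config["IGNORE_CONNTRACK_BUG_PKTS"] == "Y"
                and pkt["FLAGS"] & {"ACK", "RST"}):
            continue
        entry = scans.setdefault(pkt["SRC"], {"count": 0, "ports": set(), "sigs": []})
        entry["count"] += 1
        entry["ports"].add(int(pkt["DPT"]))
        if sig:
            entry["sigs"].append(sig)
    report = {}
    for src, entry in scans.items():
        level, why = danger_level(src, entry, config)
        report[src] = {"level": level, "why": why, "actions": actions(level, config)}
    return report


def constructed_log():
    """Constructed iptables LOG lines (not captured traffic) for the cases above."""
    tmpl = ("Jan 10 12:00:%02d fw kernel: DROP IN=eth0 OUT= SRC=%s DST=192.0.2.1 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=%d DF PROTO=TCP SPT=40000 "
            "DPT=%d WINDOW=5840 RES=0x00 %s URGP=0")
    lines = [tmpl % (i, "198.51.100.7", 100 + i, 1000 + i, "SYN") for i in range(20)]
    lines += [tmpl % (i, "198.51.100.8", 200 + i, 80, "SYN") for i in range(30)]
    lines += [tmpl % (i, "198.51.100.9", 300 + i, 443 + i, "ACK") for i in range(3)]
    lines.append(tmpl % (40, "203.0.113.9", 400, 22, "SYN"))        # listed in auto_dl
    lines.append(tmpl % (41, "198.51.100.10", 401, 31337, "SYN"))   # hits the signature
    return lines
```

       With  the  constructed  input,  analyze(constructed_log())  gives  the
       20-port SYN sweep level 2 and an "email"  action,  the  source  sending
       30  SYNs  to  port  80 alone level 0 and no action (level 2 as soon as
       PORT_RANGE_SCAN_THRESHOLD is set to 0), leaves the  ACK-only  source
       out  of  the report entirely, forces level 5 on the auto_dl entry, and
       assigns level 3 to the signature match.  A "block"  action  appears
       for  the  level-5  source  only  when  ENABLE_AUTO_IDS is "Y", which is
       exactly the spoofing trade-off the ENABLE_AUTO_IDS text describes.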

EXAMPLES

       The following examples illustrate the command line arguments that could
       be supplied to psad in a few situations:

       Signature checking, passive OS fingerprinting, and automatic IP  danger
       level  assignments are enabled by default without having to specify any
       command line arguments (best for most situations):

       # psad

       Same as above, but this time we use the init script to start psad:

       # /etc/init.d/psad start

       Use psad as a forensics tool to analyze an old iptables  logfile  (psad
       defaults  to  analyzing  the /var/log/messages file if the -m option is
       not specified):

       # psad -A -m <iptables logfile>

       Run psad in forensics mode, but limit its operations to a  specific  IP
       address "10.1.1.1":

       # psad -A -m <iptables logfile> --analysis-fields src:10.1.1.1

       Generate graphs of scan data using AfterGlow:

       #  psad  --CSV  --CSV-fields  src  dst  dp  --CSV-max 1000 -m <iptables
       logfile> | perl afterglow.pl  -c  color.properties  |  neato  -Tgif  -o
       netfilter_graph.gif

       The  psad.conf,  signatures,  and  auto_dl  files  are normally located
       within the /etc/psad/ directory, but the paths to each of  these  files
       can be changed:

       # psad -c <config file> -s <signatures file> -a <auto ips file>

       Disable  the firewall check and the local port lookup subroutines; most
       useful if psad is deployed on a syslog logging server:

       # psad --log-server --no-netstat

       Disable reverse dns and whois lookups of scanning  IP  addresses;  most
       useful if speed of psad is the main concern:

       # psad --no-rdns --no-whois

DEPENDENCIES

       psad  requires that iptables is configured with a "drop and log" policy
       for any traffic that  is  not  explicitly  allowed  through.   This  is
       consistent  with  a secure network configuration since all traffic that
       has not been explicitly allowed  should  be  blocked  by  the  firewall
       ruleset.   By  default,  psad  attempts to determine whether or not the
       firewall has been configured in this way.  This feature can be disabled
       with the --no-fwcheck or --log-server options.  The --log-server option
       is useful if psad is  running  on  a  syslog  logging  server  that  is
       separate  from  the  firewall.   For  more  information  on  compatible
       iptables rulesets, see the FW_EXAMPLE_RULES file that is  bundled  with
       the psad source distribution.

       psad  also  requires  that  syslog be configured to write all kern.info
       messages to the named pipe /var/lib/psad/psadfifo.  A simple

              echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf

       will do.  Remember also to restart syslog after  the  changes  to  this
       file.
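
       As  an  added  check  (not  part of psad), the following Python reads a
       syslog.conf and confirms that some line actually pipes  kern.info  into
       the  psad  FIFO,  honouring  syslog selector semantics: "kern.info" and
       "*.info" match messages at info and above, "kern.*" matches  all,  and a
       line  such  as  "kern.warning"  would  silently  starve psad of the info
       level messages it needs.  It also checks that the path is a named  pipe.
       The sample configuration text is constructed.

```python
import os
import stat

# syslog priorities, ascending; "facility.prio" selects prio and everything above it
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
PSAD_FIFO = "/var/lib/psad/psadfifo"


def selector_matches(selector, facility, priority):
    """True if one syslog.conf selector ('kern.info', '*.warn', 'kern,mail.*',
    'kern.=info') covers messages of facility.priority.  '!' negations are
    treated as not matching, which errs on the side of reporting a gap."""
    if "." not in selector:
        return False
    facs, prio = selector.rsplit(".", 1)
    facilities = [f.strip() for f in facs.split(",")]
    if "*" not in facilities and facility not in facilities:
        return False
    if prio.startswith("!"):
        return False
    if prio == "*":
        return True
    if prio.startswith("="):
        return ALIASES.get(prio[1:], prio[1:]) == priority
    prio = ALIASES.get(prio, prio)
    return prio in PRIORITIES and PRIORITIES.index(prio) <= PRIORITIES.index(priority)


def routes_to_fifo(conf_text, fifo=PSAD_FIFO, facility="kern", priority="info"):
    """The syslog.conf line that pipes facility.priority into fifo, else None."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        parts = line.split(None, 1)              # selectors <tab/space> action
        if len(parts) != 2 or parts[1].strip() != "|" + fifo:
            continue
        if any(selector_matches(s.strip(), facility, priority)
               for s in parts[0].split(";")):
            return raw
    return None


def fifo_ok(path=PSAD_FIFO):
    """True if path exists and is a named pipe, which is what psad reads from."""
    try:
        return stat.S_ISFIFO(os.stat(path).st_mode)
    except OSError:
        return False


# Constructed syslog.conf fragment for a quick self-check.
SAMPLE_CONF = (
    "*.info;mail.none\t-/var/log/messages\n"
    "# kern.info\t|/var/lib/psad/psadfifo   (commented out, must not count)\n"
    "kern.info\t|/var/lib/psad/psadfifo\n"
)
```

       routes_to_fifo(SAMPLE_CONF) returns the last line of  the  sample;  with
       that  line changed to "kern.warning" it returns None, which is the case
       an administrator most often needs to catch after editing syslog.conf.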

DIAGNOSTICS

       The --debug option can be used to display crucial information about the
       psad data structures  on  STDOUT  as  a  scan  generates  firewall  log
       messages.  --debug disables daemon mode execution.

       Another  more  effective way to peer into the runtime execution of psad
       is to send (as root) a USR1 signal to the psad process which will cause
       psad    to    dump    the    contents    of    the    %Scan   hash   to
       /var/log/psad/scan_hash.$$ where $$ represents  the  pid  of  the  psad
       process.

SEE ALSO

       iptables(8),  kmsgsd(8),  psadwatchd(8), fwsnort(8), snort(8), nmap(1),
       p0f(1), gnuplot(1)

AUTHOR

       Michael Rash <mbr@cipherdyne.org>

CONTRIBUTORS

       Many  people  who  are  active  in  the  open  source  community   have
       contributed  to  psad.   See  the  CREDITS file in the psad sources, or
       visit http://www.cipherdyne.org/psad/docs/contributors.html to view the
       online list of contributors.

BUGS

       Send  bug  reports  to mbr@cipherdyne.org.  Suggestions and/or comments
       are always welcome as well.

       For iptables firewalls as  of  Linux  kernel  version  2.4.26,  if  the
       ip_conntrack  module  is  loaded  (or compiled into the kernel) and the
       firewall has been configured to keep state of connections, occasionally
       packets  that are supposed to be part of normal TCP traffic will not be
       correctly identified due to a bug in the firewall  state  timeouts  and
       hence dropped.  Such packets will then be interpreted as a scan by psad
       even though they are not part of any malicious activity.   Fortunately,
       an   interim   fix   for   this   problem   is  to  simply  extend  the
       TCP_CONNTRACK_CLOSE_WAIT           timeout           value           in
       linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c  from 60 seconds to 2
       minutes, and a set of kernel patches is included  within  the  patches/
       directory  in  the  psad  sources  to  change this.  (Requires a kernel
       recompile of course; see  the  Kernel-HOWTO.)   Also,  by  default  the
       IGNORE_CONNTRACK_BUG_PKTS  variable  is  set  to "Y" in psad.conf which
       causes psad to ignore all TCP packets that have the ACK bit set  unless
       the packets match a specific signature.

DISTRIBUTION

       psad is distributed under the GNU General Public License (GPL), and the
       latest version may be downloaded from: http://www.cipherdyne.org/