NAME
psad - The Port Scan Attack Detector
SYNOPSIS
psad [options]
DESCRIPTION
psad makes use of iptables log messages to detect, alert, and
(optionally) block port scans and other suspect traffic. For TCP scans
psad analyzes TCP flags to determine the scan type (syn, fin, xmas,
etc.) and corresponding command line options that could be supplied to
nmap to generate such a scan. In addition, psad makes use of many TCP,
UDP, and ICMP signatures contained within the Snort intrusion detection
system (see http://www.snort.org/) to detect suspicious network traffic
such as probes for common backdoors, DDoS tools, OS fingerprinting
attempts, and more. By default psad also provides alerts for snort
rules that are detected directly by iptables through the use of a
ruleset generated by fwsnort (http://www.cipherdyne.org/fwsnort/).
This enables psad to send alerts for application layer attacks. psad
features a set of highly configurable danger thresholds (with sensible
defaults provided) that allow the administrator to define what
constitutes a port scan or other suspect traffic. Email alerts sent by
psad contain the scanning IP, number of packets sent to each port, any
TCP, UDP, or ICMP signatures that have been matched (e.g. "NMAP XMAS
scan"), the scanned port range, the current danger level (from 1 to 5),
reverse DNS info, and whois information. psad also makes use of
various packet header fields associated with TCP SYN packets to
passively fingerprint remote operating systems (in a manner similar to
the p0f fingerprinter) from which scans originate. This requires the
use of the --log-tcp-options argument for iptables logging rules; if
this option is not used, psad will fall back to a fingerprinting method
that makes use of packet length, TTL and TOS values, IP ID, and TCP
window sizes.
psad configures syslog to write all kern.info messages to a named pipe
/var/lib/psad/psadfifo and then reads all messages out of the pipe that
are matched by a string designed to catch any packets that have been
logged (and possibly dropped) by the firewall. In this way psad is
supplied with a pure data stream that exclusively contains packets that
the firewall has deemed unfit to enter the network. psad consists of
three daemons: psad, kmsgsd, and psadwatchd. psad is responsible for
processing all packets that have been logged by the firewall and
applying the signature logic in order to determine what type of scan
has been leveraged against the machine and/or network. kmsgsd reads
all messages that have been written to the /var/lib/psad/psadfifo named
pipe and writes any message that matches a particular regular
expression (or string) to /var/log/psad/fwdata. psadwatchd is a
software watchdog that will restart either of the other two daemons
should it die for any reason.
OPTIONS
-A, --Analyze-msgs
Analyze an iptables logfile for scans and exit. This will
generate email alerts just as a normal running psad process
would have for all logged scans. By default the psad data file
/var/log/psad/fwdata is parsed for old scans, but any file can
be specified through the use of the --messages-file command line
option. For example it might be useful to point psad at your
/var/log/messages file.
-i, --interface <interface>
Specify the interface that psad will examine for iptables log
messages. This interface will be the IN= interface for packets
that are logged in the INPUT and FORWARD chains, and the OUT=
interface for packets logged in the OUTPUT chain.
--sig-update
Instruct psad to download the latest set of modified Snort
signatures from http://www.cipherdyne.org/psad/signatures so
that psad can take advantage of signature updates before a new
release is made.
-D, --Dump-conf
Dump the current psad config to STDOUT and exit. Various pieces
of information such as the home network, alert email addresses,
and DShield user id are removed from the resulting output so it
is safe to send to others.
-F, --Flush
Remove any auto-generated firewall block rules if psad was
configured to automatically respond to scans (see the
ENABLE_AUTO_IDS variable in psad.conf).
-S, --Status
Display the status of any psad processes that may or may not be
running. The status output contains a listing of the number of
packets that have been processed by psad, along with all IP
addresses and corresponding danger levels that have scanned the
network.
--status-ip <ip>
Display status information associated with ip such as the
protocol packet counters as well as the last 10 packets logged
by iptables.
--status-dl <dl>
Display status information only for scans that have reached a
danger level of at least dl.
--status-summary
Instruct psad to omit detailed IP information from --Status and
--Analyze modes.
-m, --messages-file <file>
This option is used to specify the file that will be parsed in
analysis mode (see the --Analyze-msgs option). The default path
is the psad data file /var/log/psad/fwdata.
--CSV
Instruct psad to parse iptables log messages out of
/var/log/messages (by default, but this path can be changed with
the -m option), and print the packet fields on STDOUT in comma-
separated value format. This is useful for graphing iptables log
data with AfterGlow (see
http://afterglow.sourceforge.net/index.html).
--CSV-fields <tokens>
Instruct psad to only include a specific set of iptables log
message fields within the CSV output. AfterGlow accepts up to
three fields for its graph data, so the most common usage of
this option is "src dst dp" to print the source and destination
IP addresses, and the destination port number.
-K, --Kill
Kill the current psad process along with psadwatchd and kmsgsd.
This provides a quick and easy way to kill all psad processes
without having to look in the process table or appeal to the
psad-init script.
-R, --Restart
Restart the currently running psad processes. This option will
preserve the command line options that were supplied to the
original psad process.
-U, --USR1
Send a running psad process a USR1 signal. This will cause psad
to dump the contents of the %Scan hash to the file
"/var/log/psad/scan_hash.$$" where "$$" represents the pid of
the psad process. This is mostly useful for debugging purposes,
but it also allows the administrator to peer into the %Scan
hash, which is the primary data structure used to store scan
data within system memory.
-H, --HUP
Send all running psad daemons a HUP signal. This will instruct
the daemons to re-read their respective configuration files
without causing scan data to be lost in the process.
-B, --Benchmark
Run psad in benchmark mode. By default benchmark mode will
simulate a scan of 10,000 packets (see the --packets option) and
then report the elapsed time. This is useful to see how fast
psad can process packets on a specific machine.
-p, --packets <packets>
Specify the number of packets to use in benchmark mode. The
default is 10,000 packets.
-d, --debug
Run psad in debugging mode. This will automatically prevent
psad from running as a daemon, and will print the contents of
the %Scan hash and a few other things on STDOUT at crucial
points as psad executes.
-c, --config <configuration-file>
By default psad makes use of the configuration file
/etc/psad/psad.conf for almost all configuration parameters.
psad can be made to override this path by specifying a different
file on the command line with the --config option.
--signatures <signatures-file>
The iptables firewalling code included within the linux 2.4.x
kernel series has the ability to distinguish and log any of the
TCP flags present within TCP packets that traverse the firewall
interfaces. psad makes use of this logging capability to detect
several types of TCP scan signatures included within
/etc/psad/signatures. The signatures were originally included
within the snort intrusion detection system. New signatures can
be included and modifications to existing signatures can be made
to the signature file and psad will import the changes upon
receiving a HUP signal (see the --HUP command line option)
without having to restart the psad process. psad also detects
many UDP and ICMP signatures that were originally included
within snort.
-e, --email-analysis
Send alert emails when run in --Analyze-msgs mode. Depending on
the size of the iptables logfile, using the --email-analysis
option could extend the runtime of psad by quite a bit since
normally both DNS and whois lookups will be issued against each
scanning IP address. As usual these lookups can be disabled
with the --no-rdns and --no-whois options respectively.
-w, --whois-analysis
By default psad does not issue whois lookups when running in
--Analyze-msgs mode. The --whois-analysis option will override
this behavior (when run in analysis mode) and instruct psad to
issue whois lookups against IP addresses from which scans or
other suspect traffic has originated.
--snort-type <type>
Restrict the type of snort sids to type. Allowed types match
the file names given to snort rules files such as "ddos",
"backdoor", and "web-attacks".
--snort-rdir <snort-rules-directory>
Manually specify the directory where the snort rules files are
located. The default is /etc/psad/snort_rules.
--passive-os-sigs <passive-os-sigs-file>
Manually specify the path to the passive operating system
fingerprinting signatures file. The default is /etc/psad/posf.
-a, --auto-dl <auto-dl-file>
Occasionally certain IP addresses are repeat offenders and
should automatically be given a higher danger level than would
normally be assigned. Additionally, some IP addresses can
always be ignored depending on your network configuration (the
loopback interface 127.0.0.1 might be a good candidate for
example). /etc/psad/auto_dl provides an interface for psad to
automatically increase/decrease/ignore scanning IP danger
levels. Modifications can be made to auto_dl (installed by
default in /etc/psad) and psad will import them without having
to restart the psad process.
--fw-search <fw_search-file>
By default psad makes use of the firewall search configuration
file /etc/psad/fw_search.conf for the firewall search mode and
search strings. psad can be made to override this path by
specifying a different file on the command line with the
--fw-search option.
--fw-list-auto
List all rules in iptables chains that are used by psad in auto-
blocking mode.
--fw-analyze
Analyze the local iptables ruleset, send any alerts if errors
are discovered, and then exit.
--fw-del-chains
By default, if ENABLE_AUTO_IDS is set to "Y" psad will not
delete the auto-generated iptables chains (see the
IPT_AUTO_CHAIN keywords in psad.conf) if the --Flush option is
given. The --fw-del-chains option overrides this behavior and
deletes the auto-blocking chains from a running iptables
firewall.
--fw-dump
Instruct psad to dump the contents of the iptables policy that
is running on the local system. All IP addresses are removed
from the resulting output, so it is safe to post to the psad
list, or communicate to others. This option is most often used
with --Dump-conf.
--fw-block-ip <ip>
Specify an IP address or network to add to the iptables controls
that are auto-generated by psad. This allows psad to manage the
rule timeouts.
--fw-rm-block-ip <ip>
Specify an IP address or network to remove from the iptables
controls that are auto-generated by psad.
--fw-file <policy-file>
Analyze the iptables ruleset contained within policy-file
instead of the ruleset currently loaded on the local system.
--CSV-regex <regex>
Instruct psad to only print CSV data that matches the supplied
regex. This regex is used to match against each of the entire
iptables log messages.
--CSV-neg-regex <regex>
Instruct psad to only print CSV data that does not match the
supplied regex. This regex is used to negatively match against
each of the entire iptables log messages.
--CSV-uniq-lines
Instruct psad to only print unique CSV data. That is, each line
printed in --CSV mode will be unique.
--CSV-max-lines <num>
Limit the number of CSV-formatted lines that psad generates on
STDOUT. This is useful to allow AfterGlow graphs to be created
that are not too cluttered.
--CSV-start-line <num>
Specify the beginning line number to start parsing out of the
iptables log file in --CSV output mode. This is useful for when
the log file is extremely large, and you want to begin parsing a
specific place within the file. The default is begin parsing at
the beginning of the file.
--CSV-end-line <num>
Specify the ending line number to stop parsing the iptables log
file in --CSV output mode. This is useful for when the log file
is extremely large, and you do not want psad to process the
entire thing.
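The two pieces of log handling described above, the TCP-flag scan-type
analysis from the DESCRIPTION section and the field selection and
filtering of the --CSV family of options, as an added example written for
this page (it is not psad's own code). It parses iptables LOG messages of
the KEY=value form into fields and TCP flag tokens, labels syn/fin/xmas/
null probes from the flag combination, and implements the --CSV-fields,
--CSV-regex, --CSV-neg-regex, --CSV-uniq-lines, --CSV-max-lines and
--CSV-start-line/--CSV-end-line behaviour over constructed sample lines.
The field names src, dst and dp come from the page; the other CSV aliases
are assumptions for this example.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence

# Constructed iptables LOG lines (not captured traffic) in the KEY=value
# form the kernel writes; "DROP" is the --log-prefix of the logging rule.
SAMPLE_LOG = """\
Jul 12 10:03:55 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=12345 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 12 10:03:56 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=12346 PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Jul 12 10:03:57 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=12347 PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 URGP=0
Jul 12 10:03:58 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=5353 DPT=53 LEN=28
Jul 12 10:03:59 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=12348 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# CSV field aliases: src, dst and dp are the names the man page uses with
# --CSV-fields; the remaining aliases are assumed for this example.
CSV_FIELDS = {"src": "SRC", "dst": "DST", "sp": "SPT", "dp": "DPT",
              "proto": "PROTO", "in": "IN", "out": "OUT", "ttl": "TTL",
              "len": "LEN"}


def parse_ipt_log(line: str) -> Optional[Dict[str, object]]:
    """Split one iptables log message into its KEY=value fields plus the
    set of TCP flag tokens. Returns None for lines that are not iptables
    messages (no SRC=/PROTO= fields), which psad would treat as errors."""
    if "SRC=" not in line or "PROTO=" not in line:
        return None
    fields: Dict[str, object] = {}
    flags = set()
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # UDP lines carry LEN twice (IP and UDP); keep the first, the IP one.
            fields.setdefault(key, val)
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["flags"] = frozenset(flags)
    return fields


def scan_type(flags: Iterable[str]) -> str:
    """Label a TCP probe from its flag combination, as the DESCRIPTION
    section says psad does for syn, fin and xmas scans."""
    flags = frozenset(flags)
    if flags == {"SYN"}:
        return "syn"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if not flags:
        return "null"
    if flags == {"ACK"}:
        return "ack"   # ACK/RST packets are ignored by default (IGNORE_CONNTRACK_BUG_PKTS)
    return "other"


def csv_lines(lines: Iterable[str], fields: Sequence[str] = ("src", "dst", "dp"),
              regex: Optional[str] = None, neg_regex: Optional[str] = None,
              uniq: bool = False, max_lines: Optional[int] = None,
              start_line: int = 1, end_line: Optional[int] = None) -> List[str]:
    """Emit CSV rows the way the --CSV options describe: select fields,
    keep only lines matching regex and not matching neg_regex, optionally
    drop duplicate rows, cap the row count, and honour a line window."""
    unknown = [f for f in fields if f not in CSV_FIELDS]
    if unknown:
        raise ValueError(f"unknown CSV field(s): {unknown}")
    rows: List[str] = []
    seen = set()
    for lineno, line in enumerate(lines, 1):
        if lineno < start_line:
            continue
        if end_line is not None and lineno > end_line:
            break
        if regex and not re.search(regex, line):
            continue
        if neg_regex and re.search(neg_regex, line):
            continue
        pkt = parse_ipt_log(line)
        if pkt is None:
            continue
        row = ",".join(str(pkt.get(CSV_FIELDS[f], "")) for f in fields)
        if uniq:
            if row in seen:
                continue
            seen.add(row)
        rows.append(row)
        if max_lines is not None and len(rows) >= max_lines:
            break
    return rows


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        pkt = parse_ipt_log(line)
        label = scan_type(pkt["flags"]) if pkt["PROTO"] == "TCP" else "udp"
        print(f"{pkt['SRC']:>14} -> {pkt['PROTO']}/{pkt['DPT']:<5} {label}")
    print("\n".join(csv_lines(SAMPLE_LOG.splitlines(), uniq=True)))
```

Run it to see the five sample packets labelled and the de-duplicated
"src,dst,dp" rows; the same csv_lines() call with regex="PROTO=TCP"
restricts the rows to TCP packets, which is what --CSV-regex does.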
--gnuplot
Enter into Gnuplot mode whereby psad parses an iptables logfile
and creates .gnu and .dat files that are suitable for graphing
with Gnuplot. The various --CSV command line arguments apply to
plotting iptables log with Gnuplot.
--gnuplot-template <file>
Use a template file for all Gnuplot graphing directives (this is
usually a .gnu file by convention). Normally psad builds all of
the graphing directives based on various --gnuplot command line
arguments, but the --gnuplot-template switch allows you to
override this behavior.
--gnuplot-file-prefix <file>
Specify a prefix for the .gnu, .dat, and .png files that are
generated in --gnuplot mode. So, when visualizing attacks
captured in an iptables logfile (let’s say you are interested in
port scans), you could use this option to have psad create the
two files portscan.dat, portscan.gnu, and Gnuplot will create an
additional file portscan.png when the portscan.gnu file is
loaded.
--gnuplot-x-label <label>
Set the label associated with the x-axis.
--gnuplot-x-range <range>
Set the x-axis range.
--gnuplot-y-label <label>
Set the label associated with the y-axis.
--gnuplot-y-range <range>
Set the y-axis range.
--gnuplot-z-label <label>
Set the label associated with the z-axis (only if --gnuplot-3D
is used).
--gnuplot-z-range <range>
Set the z-axis range (only if --gnuplot-3D is used).
--gnuplot-3D
Generate a Gnuplot splot graph. This produces a three-
dimensional graph.
--gnuplot-view
Set the viewing angle when graphing data in --gnuplot-3D mode.
--gnuplot-title <title>
Set the graph title for the Gnuplot graph.
-I, --Interval <seconds>
Specify the interval (in seconds) that psad should use to check
whether or not packets have been logged by the firewall. psad
will use the default of 15 seconds unless a different value is
specified.
-l, --log-server
This option should be used if psad is being executed on a syslog
logging server. Running psad on a logging server requires that
check_firewall_rules() and auto_psad_response() not be executed
since the firewall is probably not being run locally.
-V, --Version
Print the psad version and exit.
--no-daemon
Do not run psad as a daemon. This option will display scan
alerts on STDOUT instead of emailing them out.
--no-ipt-errors
Occasionally iptables messages written by syslog to
/var/lib/psad/psadfifo or to /var/log/messages do not conform to
the normal firewall logging format if the kernel ring buffer
used by klogd becomes full. psad will write these messages to
/var/log/psad/errs/fwerrorlog by default. Passing the --no-ipt-
errors option will make psad ignore all such erroneous firewall
messages.
--no-whois
By default psad will issue a whois query against any IP from
which a scan has originated, but this can be disabled with the
--no-whois command line argument.
--no-fwcheck
psad performs a rudimentary check of the firewall ruleset that
exists on the machine on which psad is deployed to determine
whether or not the firewall has a compatible configuration (i.e.
iptables has been configured to log packets). Passing the --no-
fwcheck or --log-server options will disable this check.
--no-auto-dl
Disable auto danger level assignments. This will instruct psad
to not import any IP addresses or networks from the file
/etc/psad/auto_dl.
--no-snort-sids
Disable snort sid processing mode. This will instruct psad to
not import snort rules (for snort SID matching in a policy
generated by fwsnort).
--no-signatures
Disable psad signature processing. Note that this is
independent of snort SID matching in iptables messages generated
by fwsnort and also from the ICMP type/code validation routines.
--no-icmp-types
Disable ICMP type and code field validation.
--no-passive-os
By default psad will attempt to passively (i.e. without sending
any packets) fingerprint the remote operating system from which
a scan originates. Passing the --no-passive-os option will
disable this feature.
--no-rdns
psad normally attempts to find the name associated with a
scanning IP address, but this feature can be disabled with the
--no-rdns command line argument.
--no-kmsgsd
Disable startup of kmsgsd. This option is most useful for
debugging with individual iptables messages so that new messages
are not appended to the /var/log/psad/fwdata file.
--no-netstat
By default for iptables firewalls psad will determine whether or
not your machine is listening on a port for which a TCP
signature has been matched. Specifying --no-netstat disables
this feature.
-h, --help
Print a page of usage information for psad and exit.
FILES
/etc/psad/psad.conf
The main psad configuration file which contains configuration
variables mentioned in the section below.
/etc/psad/fw_search.conf
Used to configure the strategy both psad and kmsgsd employ to
parse iptables messages. Using the configuration directives within
this file, psad can be configured to parse all iptables messages
or only those that match specific log prefix strings (see the
--log-prefix option to iptables).
/etc/psad/signatures
Contains the signatures psad uses to recognize nasty traffic.
The signatures are written in a manner similar to the *lib
signature files used in the snort IDS.
/etc/psad/icmp_types
Contains all valid ICMP types and corresponding codes as defined
by RFC 792. By default, ICMP packets are validated against
these values and an alert will be generated if a non-matching
ICMP packet is logged by iptables.
/etc/psad/snort_rules/*.rules
Snort rules files that are consulted by default unless the --no-
snort-sids command line argument is given.
/etc/psad/auto_dl
Contains a listing of any IP addresses that should be assigned a
danger level based on any traffic that is logged by the
firewall. The syntax is "<IP address> <danger level>" where
<danger level> is an integer from 0 to 5, with 0 meaning to
ignore all traffic from <IP address>, and 5 assigning the
highest danger level to <IP address>.
/etc/psad/posf
Contains a listing of all passive operating system
fingerprinting signatures. These signatures include packet
lengths, ttl, tos, IP ID, and TCP window size values that are
specific to various operating systems.
PSAD CONFIGURATION VARIABLES
This section describes what each of the more important psad
configuration variables do and how they can be tuned to meet your
needs. Most of the variables are located in the psad configuration
file /etc/psad/psad.conf but the FW_SEARCH_ALL and FW_MSG_SEARCH
variables are located in the file /etc/psad/fw_search.conf. Each
variable is assigned sensible defaults for most network architectures
during the install process. More information on psad config keywords
may be found at: http://www.cipherdyne.org/psad/config.html
EMAIL_ADDRESSES
Contains a comma-separated list of email addresses to which
email alerts will be sent. The default is "root@localhost".
HOSTNAME
Defines the hostname of the machine on which psad is running.
This will be used in the email alerts generated by psad.
HOME_NET
Define the internal network(s) that are connected to the local
system. This will be used in the signature matching code to
determine whether traffic matches snort rules, which invariably
contain a source and destination network. Multiple networks are
supported as a comma separated list, and each network should be
specified in CIDR notation. Normally the network(s) contained
in the HOME_NET variable should be directly connected to the
machine that is running psad.
IMPORT_OLD_SCANS
Preserve scan data across restarts of psad or even across
reboots of the machine. This is accomplished by importing the
data contained in the filesystem cache psad writes to during
normal operation back into memory as psad is started. The
filesystem cache data is contained within the directory
/var/log/psad.
FW_SEARCH_ALL
Defines the search mode psad uses to parse iptables messages.
By default FW_SEARCH_ALL is set to "Y" since normally most
people want all iptables log messages to be parsed for scan
activity. However, if FW_SEARCH_ALL is set to "N", psad will
only parse those iptables log messages that match certain search
strings that appear in iptables logs with the --log-prefix
option. This is useful for restricting psad to only operate on
specific iptables chains or rules. The strings that will be
searched for are defined with the FW_MSG_SEARCH variable (see
below). The FW_SEARCH_ALL variable is defined in the file
/etc/psad/fw_search.conf since it is referenced by both psad and
kmsgsd.
FW_MSG_SEARCH
Defines a set of search strings that psad uses to identify
iptables messages that should be parsed for scan activity.
These search strings should match the log prefix strings
specified in the iptables ruleset with the --log-prefix option,
and the default value for FW_MSG_SEARCH is "DROP". Note that
psad normally parses all iptables messages, and so the
FW_MSG_SEARCH variable is only needed if FW_SEARCH_ALL (see
above) is set to "N". The FW_MSG_SEARCH variable is referenced
by both psad and kmsgsd so it lives in the file
/etc/psad/fw_search.conf.
SYSLOG_DAEMON
Define the specific syslog daemon that psad should interface
with. Psad supports three syslog daemons: syslogd, syslog-ng,
and metalog. The default value of SYSLOG_DAEMON is syslogd.
IGNORE_PORTS
Specify a list of port ranges and/or individual ports and
corresponding protocols that psad should completely ignore. This
is particularly useful for ignoring ports that are used as part
of a port knocking scheme (such as fwknop
http://www.cipherdyne.org/fwknop/) for network authentication
since the log messages generated by the knock sequence may
otherwise be interpreted as a scan. Multiple ports and/or port
ranges may be specified as a comma-separated list, e.g.
"tcp/22, tcp/61000-61356, udp/53".
ENABLE_PERSISTENCE
If "Y", psad will keep all scans in memory and not let them
timeout. This can help discover stealthy scans where an
attacker tries to slip beneath IDS thresholds by only scanning a
few ports over a long period of time. ENABLE_PERSISTENCE is set
to "Y" by default.
SCAN_TIMEOUT
If ENABLE_PERSISTENCE is "N" then psad will use the value set by
SCAN_TIMEOUT to remove packets from the scan threshold
calculation. The default is 3600 seconds (1 hour).
DANGER_LEVEL{1,2,3,4,5}
psad uses a scoring system to keep track of the severity a scan
reaches (represented as a "danger level") over time. The
DANGER_LEVEL{n} variables define the number of packets that must
be dropped by the firewall before psad will assign the
respective danger level to the scan. A scan may also be
assigned a danger level if the scan matches a particular
signature contained in the signatures file. There are five
possible danger levels with one being the lowest and five the
highest. Note there are several factors that can influence how
danger levels are calculated: whether or not a scan matches a
signature listed in /etc/psad/signatures, the value of
PORT_RANGE_SCAN_THRESHOLD (see below), whether or not a scan
comes from an IP that is listed in the /etc/psad/auto_dl file,
and finally whether or not scans are allowed to timeout as
determined by SCAN_TIMEOUT above. If a signature is matched or
the scanning IP is listed in /etc/psad/auto_dl, then the
corresponding danger level is automatically assigned to the
scan.
PORT_RANGE_SCAN_THRESHOLD
Defines the minimum difference between the lowest port and the
highest port scanned before an alert is sent (the default is 1
which means that at least two ports must be scanned to generate
an alert). For example, suppose an ip repeatedly scans a single
port for which there is no special signature in signatures.
Then if PORT_RANGE_SCAN_THRESHOLD=1, psad will never send an
alert for this "scan" no matter how many packets are sent to the
port (i.e. no matter what the value of DANGER_LEVEL1 is). The
reason for the default of 1 is that a "scan" usually means that
at least two ports are probed, but if you want psad to be extra
paranoid you can set PORT_RANGE_SCAN_THRESHOLD=0 to alert on
scans to single ports (as long as the number of packets also
exceeds DANGER_LEVEL1).
SHOW_ALL_SIGNATURES
If "Y", psad will display all signatures detected from a single
scanning IP since a scan was first detected instead of just
displaying newly-detected signatures. SHOW_ALL_SIGNATURES is
set to "N" by default. All signatures are listed in the file
/etc/psad/signatures.
SNORT_SID_STR
Defines the string kmsgsd will search for in iptables log
messages that are generated by iptables rules designed to detect
snort rules. The default is "SID". See fwsnort
(http://www.cipherdyne.org/fwsnort/).
ENABLE_DSHIELD_ALERTS
Enable dshield alerting mode. This will send a parsed version
of iptables log messages to dshield.org which is a (free)
distributed intrusion detection service. For more information,
see http://www.dshield.org/
IGNORE_CONNTRACK_BUG_PKTS
If "Y", all TCP packets that have the ACK or RST flag bits set
will be ignored by psad since usually we see such packets being
blocked as a result of the iptables connection tracking bug.
Note there are no signatures that make use of the RST flag and
very few that use the ACK flag.
ALERT_ALL
If "Y", send email for all new bad packets instead of just when
a danger level increases. ALERT_ALL is set to "Y" by default.
PSAD_EMAIL_LIMIT
Defines the maximum number of emails that will be sent for a
single scanning IP (default is 50). This variable gives you
some protection from psad sending countless alerts if an IP
scans your machine constantly. psad will send a special alert
if an IP has exceeded the email limit. If PSAD_EMAIL_LIMIT is
set to zero, then psad will ignore the limit and send alert
emails indefinitely for any scanning IP.
EMAIL_ALERT_DANGER_LEVEL
Defines the danger level a scan must reach before any alert is
sent. This variable is set to 1 by default.
ENABLE_AUTO_IDS
psad has the capability of dynamically blocking all traffic from
an IP that has reached a (configurable) danger level through
modification of iptables or tcpwrapper rulesets. IMPORTANT:
This feature is disabled by default since it is possible for an
attacker to spoof packets from a well known (web)site in an
effort to make it look as though the site is scanning your
machine, and then psad will consequently block all access to it.
Also, psad works by parsing firewall messages for packets the
firewall has already dropped, so the "scans" are unsuccessful
anyway. However, some administrators prefer to take this risk
anyway reasoning that they can always review which sites are
being blocked and manually remove the block if necessary (see
the --Flush option). Your mileage will vary.
AUTO_IDS_DANGER_LEVEL
Defines the danger level a scan must reach before psad will
automatically block the IP (ENABLE_AUTO_IDS must be set to "Y").
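How the configuration variables above combine into a danger level and
an alerting decision, as an added example written for this page rather
than psad's own code. It covers IGNORE_PORTS, the DANGER_LEVEL{n}
packet-count thresholds, PORT_RANGE_SCAN_THRESHOLD, the /etc/psad/auto_dl
overrides (0 means ignore, otherwise the listed level is assigned), and
the EMAIL_ALERT_DANGER_LEVEL, ALERT_ALL, PSAD_EMAIL_LIMIT,
ENABLE_AUTO_IDS and AUTO_IDS_DANGER_LEVEL checks. The threshold values,
the auto_dl contents, the sample packets and the signature matches are
all constructed for the example, and taking the maximum of the
count-based level and a signature's level is this example's assumption
about how the two are combined.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed configuration using the psad.conf variable names from the
# page; the numeric values are assumed for this example, not read from
# any installed psad.conf.
CONFIG = {
    "DANGER_LEVEL1": 5, "DANGER_LEVEL2": 15, "DANGER_LEVEL3": 150,
    "DANGER_LEVEL4": 1500, "DANGER_LEVEL5": 10000,
    "PORT_RANGE_SCAN_THRESHOLD": 1,
    "IGNORE_PORTS": "tcp/22, tcp/61000-61356, udp/53",
    "EMAIL_ALERT_DANGER_LEVEL": 1,
    "ALERT_ALL": "Y",
    "PSAD_EMAIL_LIMIT": 50,
    "ENABLE_AUTO_IDS": "N",
    "AUTO_IDS_DANGER_LEVEL": 5,
}

# Constructed /etc/psad/auto_dl contents, "<IP address> <danger level>".
AUTO_DL_TEXT = "127.0.0.1 0\n192.0.2.99 5\n"


def parse_ignore_ports(spec: str) -> List[tuple]:
    """Turn "tcp/22, tcp/61000-61356, udp/53" into (proto, lo, hi) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, ports = item.partition("/")
        lo, _, hi = ports.partition("-")
        ranges.append((proto.lower(), int(lo), int(hi or lo)))
    return ranges


def is_ignored(proto: str, port: int, ranges: List[tuple]) -> bool:
    return any(proto == p and lo <= port <= hi for p, lo, hi in ranges)


def parse_auto_dl(text: str) -> Dict[str, int]:
    """Parse auto_dl lines; '#' starts a comment (an assumption here)."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, dl = line.split()
            out[ip] = int(dl)
    return out


def count_danger_level(packets: int, cfg: dict) -> int:
    """Highest DANGER_LEVEL{n} whose packet count has been reached, else 0."""
    dl = 0
    for n in range(1, 6):
        if packets >= cfg[f"DANGER_LEVEL{n}"]:
            dl = n
    return dl


def score_scans(pkts: List[dict], cfg: dict, auto_dl: Dict[str, int],
                signature_dl: Dict[str, int]) -> Dict[str, dict]:
    """Group dropped packets by source and assign each source a danger level."""
    ignored = parse_ignore_ports(cfg["IGNORE_PORTS"])
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for pkt in pkts:
        if is_ignored(pkt["proto"], pkt["dport"], ignored):
            continue                       # IGNORE_PORTS: never counted
        rec = per_src[pkt["src"]]
        rec["packets"] += 1
        rec["ports"].add(pkt["dport"])
    result = {}
    for src, rec in per_src.items():
        lo, hi = min(rec["ports"]), max(rec["ports"])
        sig_dl = signature_dl.get(src, 0)
        if src in auto_dl:
            if auto_dl[src] == 0:
                continue                   # auto_dl 0: ignore this IP entirely
            dl = auto_dl[src]              # auto_dl 1-5: level assigned outright
        elif hi - lo < cfg["PORT_RANGE_SCAN_THRESHOLD"] and sig_dl == 0:
            dl = 0                         # port range too narrow to count as a scan
        else:
            dl = max(count_danger_level(rec["packets"], cfg), sig_dl)
        result[src] = {"packets": rec["packets"], "port_range": (lo, hi), "dl": dl}
    return result


def should_alert(old_dl: int, new_dl: int, emails_sent: int, cfg: dict) -> bool:
    """Email only at or above EMAIL_ALERT_DANGER_LEVEL, within PSAD_EMAIL_LIMIT
    (0 = unlimited), and either on every new packet (ALERT_ALL=Y) or on an
    increase in danger level."""
    if new_dl < cfg["EMAIL_ALERT_DANGER_LEVEL"]:
        return False
    limit = cfg["PSAD_EMAIL_LIMIT"]
    if limit and emails_sent >= limit:
        return False
    return cfg["ALERT_ALL"] == "Y" or new_dl > old_dl


def should_auto_block(dl: int, cfg: dict) -> bool:
    """Auto-blocking only when ENABLE_AUTO_IDS=Y and AUTO_IDS_DANGER_LEVEL is reached."""
    return cfg["ENABLE_AUTO_IDS"] == "Y" and dl >= cfg["AUTO_IDS_DANGER_LEVEL"]


def _pkts(src: str, proto: str, dports: List[int]) -> List[dict]:
    return [{"src": src, "proto": proto, "dport": p} for p in dports]


# Constructed dropped-packet records (already parsed from iptables logs).
SAMPLE_PACKETS = (
    _pkts("192.0.2.10", "tcp", [22, 23, 25, 80, 443, 8080, 22])  # tcp/22 is ignored
    + _pkts("203.0.113.7", "udp", [161] * 20)                    # one port, many packets
    + _pkts("127.0.0.1", "tcp", [80, 443, 8080])                 # auto_dl says ignore
    + _pkts("192.0.2.99", "tcp", [1433])                         # auto_dl says level 5
    + _pkts("198.51.100.77", "tcp", [6000, 6001])                # constructed signature hit
)
SIGNATURE_DLS = {"198.51.100.77": 3}
AUTO_DL = parse_auto_dl(AUTO_DL_TEXT)

if __name__ == "__main__":
    for src, rec in score_scans(SAMPLE_PACKETS, CONFIG, AUTO_DL, SIGNATURE_DLS).items():
        print(f"{src:>14} packets={rec['packets']:3} ports={rec['port_range']} dl={rec['dl']}")
```

Note that 203.0.113.7 scores 0 despite 20 dropped packets because it only
touched one port; setting PORT_RANGE_SCAN_THRESHOLD to 0 in CONFIG makes
that source reach level 2, which is the "extra paranoid" setting the
PORT_RANGE_SCAN_THRESHOLD entry describes.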
EXAMPLES
The following examples illustrate the command line arguments that could
be supplied to psad in a few situations:
Signature checking, passive OS fingerprinting, and automatic IP danger
level assignments are enabled by default without having to specify any
command line arguments (best for most situations):
# psad
Same as above, but this time we use the init script to start psad:
# /etc/init.d/psad start
Use psad as a forensics tool to analyze an old iptables logfile (psad
defaults to analyzing the /var/log/messages file if the -m option is
not specified):
# psad -A -m <iptables logfile>
Run psad in forensics mode, but limit its operations to a specific IP
address "10.1.1.1":
# psad -A -m <iptables logfile> --analysis-fields src:10.1.1.1
Generate graphs of scan data using AfterGlow:
# psad --CSV --CSV-fields src dst dp --CSV-max 1000 -m <iptables logfile> | \
    perl afterglow.pl -c color.properties | neato -Tgif -o netfilter_graph.gif
The psad.conf, signatures, and auto_dl files are normally located
within the /etc/psad/ directory, but the paths to each of these files
can be changed:
# psad -c <config file> -s <signatures file> -a <auto ips file>
Disable the firewall check and the local port lookup subroutines; most
useful if psad is deployed on a syslog logging server:
# psad --log-server --no-netstat
Disable reverse dns and whois lookups of scanning IP addresses; most
useful if speed of psad is the main concern:
# psad --no-rdns --no-whois
DEPENDENCIES
psad requires that iptables is configured with a "drop and log" policy
for any traffic that is not explicitly allowed through. This is
consistent with a secure network configuration since all traffic that
has not been explicitly allowed should be blocked by the firewall
ruleset. By default, psad attempts to determine whether or not the
firewall has been configured in this way. This feature can be disabled
with the --no-fwcheck or --log-server options. The --log-server option
is useful if psad is running on a syslog logging server that is
separate from the firewall. For more information on compatible
iptables rulesets, see the FW_EXAMPLE_RULES file that is bundled with
the psad source distribution.
psad also requires that syslog be configured to write all kern.info
messages to the named pipe /var/lib/psad/psadfifo. A simple
echo -e 'kern.info |/var/lib/psad/psadfifo' >> /etc/syslog.conf
will do. Remember also to restart syslog after the changes to this
file.
DIAGNOSTICS
The --debug option can be used to display crucial information about the
psad data structures on STDOUT as a scan generates firewall log
messages. --debug disables daemon mode execution.
Another more effective way to peer into the runtime execution of psad
is to send (as root) a USR1 signal to the psad process which will cause
psad to dump the contents of the %Scan hash to
/var/log/psad/scan_hash.$$ where $$ represents the pid of the psad
process.
SEE ALSO
iptables(8), kmsgsd(8), psadwatchd(8), fwsnort(8), snort(8), nmap(1),
p0f(1), gnuplot(1)
AUTHOR
Michael Rash <mbr@cipherdyne.org>
CONTRIBUTORS
Many people who are active in the open source community have
contributed to psad. See the CREDITS file in the psad sources, or
visit http://www.cipherdyne.org/psad/docs/contributors.html to view the
online list of contributors.
BUGS
Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments
are always welcome as well.
For iptables firewalls as of Linux kernel version 2.4.26, if the
ip_conntrack module is loaded (or compiled into the kernel) and the
firewall has been configured to keep state of connections, occasionally
packets that are supposed to be part of normal TCP traffic will not be
correctly identified due to a bug in the firewall state timeouts and
hence dropped. Such packets will then be interpreted as a scan by psad
even though they are not part of any malicious activity. Fortunately,
an interim fix for this problem is to simply extend the
TCP_CONNTRACK_CLOSE_WAIT timeout value in
linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c from 60 seconds to 2
minutes, and a set of kernel patches is included within the patches/
directory in the psad sources to change this. (Requires a kernel
recompile of course; see the Kernel-HOWTO.) Also, by default the
IGNORE_CONNTRACK_BUG_PKTS variable is set to "Y" in psad.conf which
causes psad to ignore all TCP packets that have the ACK bit set unless
the packets match a specific signature.
DISTRIBUTION
psad is distributed under the GNU General Public License (GPL), and the
latest version may be downloaded from: http://www.cipherdyne.org/