# ############################################################################## # # This is the configuration file for psad (the Port Scan Attack Detector). # Normally this file gets installed at /etc/psad/psad.conf, but can be put # anywhere in the filesystem and then the path can be specified on the # command line argument "-c " to psad. All three psad daemons (psad, # kmsgsd, and psadwatchd) reference this config file. # # Each line has the form " ;". Note the semi- # colon after the . All characters after the semicolon will be # ignored to provide space for comments. # ############################################################################## # ### Supports multiple email addresses (as a comma separated ### list). EMAIL_ADDRESSES root@localhost; ### Machine hostname HOSTNAME _CHANGEME_; ### Specify the home and external networks. Note that by default the ### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects ### all of the directly connected subnets and uses this information as ### the HOME_NET variable. HOME_NET any; EXTERNAL_NET any; ### The FW_SEARCH_ALL variable controls how psad will parse iptables ### messages. If it is set to "Y" then psad will parse all iptables ### messages for evidence of scan activity. If it is set to "N" then ### psad will only parse those iptables messages that contain logging ### prefixes specified by the FW_MSG_SEARCH variable below. Logging ### prefixes are set with the --log-prefix command line option to iptables. ### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze ### iptables messages that are logged out of a specific iptables chain ### (multiple strings can be searched for, see the comment above the ### FW_MSG_SEARCH variable below) or a specific logging rule for example. ### FW_SEARCH_ALL is set to "Y" by default since usually people want psad ### to parse all iptables messages. FW_SEARCH_ALL Y; ### The FW_MSG_SEARCH variable can be modified to look for logging messages ### that are specific to your firewall configuration (specified by the ### "--log-prefix" option. For example, if your firewall uses the ### string "Audit" for packets that have been blocked, then you could ### set FW_MSG_SEARCH to "Audit"; The default string to search for is ### "DROP". Both psad and kmsgsd reference this file. NOTE: You can ### specify this variable multiple times to have psad search for multiple ### strings. For example to have psad search for the strings "Audit" and ### "Reject", you would use the following two lines: #FW_MSG_SEARCH Audit; #FW_MSG_SEARCH REJECT; FW_MSG_SEARCH DROP; ### Set the type of syslog daemon that is used. The SYSLOG_DAEMON ### variable accepts four possible values: syslogd, syslog-ng, ulogd, ### or metalog. SYSLOG_DAEMON syslogd; ### What type of interface configuration do you use? Set this variable to ### "iproute2" if you want to use the iproute2 type configuration. ### iproute2 does not use aliases for multi-homed interfaces and ### ifconfig does not show secondary addresses for multi-homed interfaces. #IFCFGTYPE iproute2; IFCFGTYPE ifconfig; ### Danger levels. These represent the total number of ### packets required for a scan to reach each danger level. ### A scan may also reach a danger level if the scan trips ### a signature or if the scanning ip is listed in ### auto_ips so a danger level is automatically ### assigned. DANGER_LEVEL1 5; ### Number of packets. DANGER_LEVEL2 15; DANGER_LEVEL3 150; DANGER_LEVEL4 1500; DANGER_LEVEL5 10000; ### Set the interval (in seconds) psad will use to sleep before ### checking for new iptables log messages CHECK_INTERVAL 5; ### Search for snort "sid" values generated by fwsnort ### or snort2iptables SNORT_SID_STR SID; ### Set the minimum range of ports that must be scanned before ### psad will send an alert. The default is 1 so that at ### least two port must be scanned (p2-p1 >= 1). This can be set ### to 0 if you want psad to be extra paranoid, or 30000 if not. PORT_RANGE_SCAN_THRESHOLD 1; ### If "Y", means that scans will never timeout. This is useful ### for catching scans that take place over long periods of time ### where the attacker is trying to slip beneath the IDS thresholds. ENABLE_PERSISTENCE Y; ### This is used only if ENABLE_PERSISTENCE = "N"; SCAN_TIMEOUT 3600; ### seconds ### Specify how often to timeout old scan data relative to CHECK_INTERVAL ### iterations. This feature is only used if ENABLE_PERSISTENCE is disabled. ### Note that for psad processes that have tracked a lot of scans, it is ### advisable to leave this threshold at the default value of 5 or greater ### because the scan tracking hash may be quite large. PERSISTENCE_CTR_THRESHOLD 5; ### Limit the number of src->dst IP pairs that psad will track. The default ### is zero (i.e. unlimited), but if psad is running on a system with limited ### memory, this can be handy to restrict psad's memory usage. It is best to ### combine this option with disabling ENABLE_PERSISTENCE so that older scans ### are deleted and therefore newer scans will on average continue to be ### tracked. A good non-zero value is, say, 50000, but this will vary ### depending on available system memory. MAX_SCAN_IP_PAIRS 0; ### If "Y", means all signatures will be shown since ### the scan started instead of just the current ones. SHOW_ALL_SIGNATURES N; ### Allow reporting methods to be enabled/restricted. This keyword can ### accept values of "nosyslog" (don't write any messages to syslog), ### "noemail" (don't send any email messages), or "ALL" (to generate both ### syslog and email messages). "ALL" is the default. Both "nosyslog" ### and "noemail" can be combined with a comma to disable all logging ### and alerting. ALERTING_METHODS ALL; ### By default, psad acquires iptables log data from the /var/log/messages ### file which the local syslog daemon (usually) writes iptables log messages ### to. If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad ### reconfigures syslog to write iptables log data to the ### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd ### written to the file /var/log/psad/fwdata for analysis by psad. On some ### systems, having syslog communicate log data to kmsgsd can be problematic ### (syslog configs and external factors such as Apparmor and SELinux can play ### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is ### usually recommended. ENABLE_SYSLOG_FILE Y; IPT_WRITE_FWDATA Y; IPT_SYSLOG_FILE /var/log/messages; ### When enabled, this instructs psad to write the "msg" field ### associated with Snort rule matches to syslog. ENABLE_SIG_MSG_SYSLOG Y; SIG_MSG_SYSLOG_THRESHOLD 10; SIG_SID_SYSLOG_THRESHOLD 10; ### TTL values are decremented depending on the number of hops ### the packet has taken before it hits the firewall. We will ### assume packets will not jump through more than 20 hops on ### average. MAX_HOPS 20; ### Do not include any timestamp included within kernel logging ### messages (Ubuntu systems commonly have this) IGNORE_KERNEL_TIMESTAMP Y; ### FIXME: try to mitigate the affects of the iptables connection ### tracking bug by ignoring tcp packets that have the ack bit set. ### Read the "BUGS" section of the psad man page. Note that ### if a packet matches a snort SID generated by fwsnort (see ### http://www.cipherdyne.org/fwsnort/) ### then psad will see it even if the ack bit is set. See the ### SNORT_SID_STR variable. IGNORE_CONNTRACK_BUG_PKTS Y; ### define a set of ports to ignore (this is useful particularly ### for port knocking applications since the knock sequence will ### look to psad like a scan). This variable may be defined as ### a comma-separated list of port numbers or port ranges and ### corresponding protocol, For example, to have psad ignore all ### tcp in the range 61000-61356 and udp ports 53 and 5000, use: ### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000; IGNORE_PORTS NONE; ### allow entire protocols to be ignored. This keyword can accept ### a comma separated list of protocols. Each protocol must match ### the protocol that is specified in an iptables log message (case ### insensitively, so both "TCP" or "tcp" is ok). ### IGNORE_PROTOCOL tcp,udp; IGNORE_PROTOCOLS NONE; ### allow packets to be ignored based on interface (this is the ### "IN" interface in iptables logging messages). IGNORE_INTERFACES NONE; ### Ignore these specific logging prefixes IGNORE_LOG_PREFIXES NONE; ### Minimum danger level a scan must reach before any logging or ### alerting is done. The EMAIL_ALERT_DANGER_LEVEL variable below ### only refers to email alerts; the MIN_DANGER_LEVEL variable ### applies to everything from email alerts to whether or not the ### IP directory is created within /var/log/psad/. Hence ### MIN_DANGER_LEVEL should be set less than or equal to the value ### assigned to the EMAIL_ALERT_DANGER_LEVEL variable. MIN_DANGER_LEVEL 1; ### Only send email alert if danger level >= to this value. EMAIL_ALERT_DANGER_LEVEL 1; ### Enable detection of malicious activity that is delivered via IPv6. If ### ip6tables is not logging any traffic, then psad won't know anything ### about IPv6, or this variable can be set to "N" (this would be slightly ### faster if ip6tables isn't logging anything). ENABLE_IPV6_DETECTION Y; ### Treat all subnets on local interfaces as part of HOME_NET (this ### means that these networks do not have to be manually defined) ENABLE_INTF_LOCAL_NETS Y; ### Include MAC addresses in email alert ENABLE_MAC_ADDR_REPORTING N; ### Look for the iptables logging rule (fwcheck_psad is executed) ENABLE_FW_LOGGING_CHECK Y; ### Send no more than this number of emails for a single ### scanning source IP. Note that enabling this feature may cause ### alerts for real attacks to not be generated if an attack is sent ### after the email threshold has been reached for an IP address. ### This is why the default is set to "0". EMAIL_LIMIT 0; ### By default, psad maintains a counter for each scanning source address, ### but by enabling this variable psad will maintain email counters for ### each victim address that is scanned as well. ENABLE_EMAIL_LIMIT_PER_DST N; ### If "Y", send a status email message when an IP has reached the ### EMAIL_LIMIT threshold. EMAIL_LIMIT_STATUS_MSG Y; ### If "Y", send email for all newly logged packets from the same ### source ip instead of just when a danger level increases. ALERT_ALL Y; ### If "Y", then psad will import old scan source ip directories ### as current scans instead of moving the directories into the ### archive directory. IMPORT_OLD_SCANS N; ### syslog facility and priority (the defaults are usually ok) ### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and ### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE, ### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG SYSLOG_IDENTITY psad; SYSLOG_FACILITY LOG_LOCAL7; SYSLOG_PRIORITY LOG_INFO; ### Port thresholds for logging and -S and -A output. TOP_PORTS_LOG_THRESHOLD 500; STATUS_PORTS_THRESHOLD 20; ### Signature thresholds for logging and -S and -A output. TOP_SIGS_LOG_THRESHOLD 500; STATUS_SIGS_THRESHOLD 50; ### Attackers thresholds for logging and -S and -A output. TOP_IP_LOG_THRESHOLD 500; STATUS_IP_THRESHOLD 25; ### Specify how often to log the TOP_* information (i.e. how many ### CHECK_INTERVAL iterations before the data is logged again). TOP_SCANS_CTR_THRESHOLD 1; ### Send scan logs to dshield.org. This is disabled by default, ### but is a good idea to enable it (subject to your site security ### policy) since the DShield service helps to track the bad guys. ### For more information visit http://www.dshield.org ENABLE_DSHIELD_ALERTS N; ### dshield.org alert email address; this should not be changed ### unless the guys at DShield have changed it. DSHIELD_ALERT_EMAIL reports@dshield.org; ### Time interval (hours) to send email alerts to dshield.org. ### The default is 6 hours, and cannot be less than 1 hour or ### more than 24 hours. DSHIELD_ALERT_INTERVAL 6; ### hours ### If you have a DShield user id you can set it here. The ### default is "0". DSHIELD_USER_ID 0; ### If you want the outbound DShield email to appear as though it ### is coming from a particular user address then set it here. DSHIELD_USER_EMAIL NONE; ### Threshold danger level for DShield data; a scan must reach this ### danger level before associated packets will be included in an ### alert to DShield. Note that zero is the default since this ### will allow DShield to apply its own logic to determine what ### constitutes a scan (_all_ iptables log messages will be included ### in DShield email alerts). DSHIELD_DL_THRESHOLD 0; ### List of servers. Fwsnort supports the same variable resolution as #### Snort. HTTP_SERVERS $HOME_NET; SMTP_SERVERS $HOME_NET; DNS_SERVERS $HOME_NET; SQL_SERVERS $HOME_NET; TELNET_SERVERS $HOME_NET; #### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ### Configurable port numbers HTTP_PORTS 80; SHELLCODE_PORTS !80; ORACLE_PORTS 1521; ### If this is enabled, then psad will die if a rule in the ### /etc/psad/signatures file contains an unsupported option (otherwise ### a syslog warning will be generated). ENABLE_SNORT_SIG_STRICT Y; ### If "Y", enable automated IDS response (auto manages ### firewall rulesets). ENABLE_AUTO_IDS N; ### Block all traffic from offending IP if danger ### level >= to this value AUTO_IDS_DANGER_LEVEL 5; ### Set the auto-blocked timeout in seconds (the default ### is one hour). AUTO_BLOCK_TIMEOUT 3600; ### Enable regex checking on log prefixes for active response ENABLE_AUTO_IDS_REGEX N; ### Only block if the iptables log message matches the following regex AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes ### Control whether "renew" auto-block emails get sent. This is disabled ### by default because lots of IPs could have been blocked, and psad ### should not generate a renew email for each of them. ENABLE_RENEW_BLOCK_EMAILS N; ### By setting this variable to N, all auto-blocking emails can be ### suppressed. ENABLE_AUTO_IDS_EMAILS Y; ### Enable iptables blocking (only gets enabled if ### ENABLE_AUTO_IDS is also set) IPTABLES_BLOCK_METHOD Y; ### Specify chain names to which iptables blocking rules will be ### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the ### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number ### to add an additional IPT_AUTO_CHAIN requirement. The format for this ### variable is: ,,,,, \ ### ,. ### "Target": Can be any legitimate iptables target, but should usually ### just be "DROP". ### "Direction": Can be "src", "dst", or "both", which correspond to the ### INPUT, OUTPUT, and FORWARD chains. ### "Table": Can be any iptables table, but the default is "filter". ### "From_chain": Is the chain from which packets will be jumped. ### "Jump_rule_position": Defines the position within the From_chain where ### the jump rule is added. ### "To_chain": Is the chain to which packets will be jumped. This is the ### main chain where psad rules are added. ### "Rule_position": Defines the position where rule are added within the ### To_chain. ### ### The following defaults make sense for most installations, but note ### it is possible to include blocking rules in, say, the "nat" table ### using this functionality as well. The following three lines provide ### usage examples: #IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1; #IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1; #IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1; IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1; IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1; IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1; ### Flush all existing rules in the psad chains at psad start time. FLUSH_IPT_AT_INIT Y; ### Prerequisite check for existence of psad chains and jump rules IPTABLES_PREREQ_CHECK 1; ### Enable tcp wrappers blocking (only gets enabled if ### ENABLE_AUTO_IDS is also set) TCPWRAPPERS_BLOCK_METHOD N; ### Set the whois timeout WHOIS_TIMEOUT 60; ### seconds ### Set the number of times an ip can be seen before another whois ### lookup is issued. WHOIS_LOOKUP_THRESHOLD 20; ### Use this option to force all whois information to contain ascii-only data. ### Sometime whois information for IP addresses in China and other countries ### can contain non-ascii data. If this option is enabled, then any non- ### ascii characters will be replaced with "NA". ENABLE_WHOIS_FORCE_ASCII N; ### This variable forces all whois lookups to be done against the source IP ### even when they are associated with a directly connected local network. IT ### is usually a good idea to leave this setting as the default of 'N'. ENABLE_WHOIS_FORCE_SRC_IP N; ### Set the number of times an ip can be seen before another dns ### lookup is issued. DNS_LOOKUP_THRESHOLD 20; ### Enable psad to run an external script or program (use at your ### own risk!) ENABLE_EXT_SCRIPT_EXEC N; ### Define an external program to run after a scan is caught. ### Note that the scan source ip can be specified on the command ### line to the external program through the use of the "SRCIP" ### string (along with some appropriate switch for the program). ### Of course this is only useful if the external program knows ### what to do with this information. ### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v; EXTERNAL_SCRIPT /bin/true; ### Control execution of EXTERNAL_SCRIPT (only once per IP, or ### every time a scan is detected for an ip). EXEC_EXT_SCRIPT_PER_ALERT N; ### Disk usage variables DISK_CHECK_INTERVAL 300; ### seconds ### This can be set to 0 to disable disk checking altogether DISK_MAX_PERCENTAGE 95; ### This can be set to 0 to have psad not place any limit on the ### number of times it will attempt to remove data from ### /var/log/psad/. DISK_MAX_RM_RETRIES 10; ### Enable archiving of old scan directories at psad startup. ENABLE_SCAN_ARCHIVE N; ### Truncate fwdata file at startup TRUNCATE_FWDATA Y; ### Only archive scanning IP directories that have reached a danger ### level greater than or equal to this value. Archiving old ### scanning ip directories only takes place at psad startup. MIN_ARCHIVE_DANGER_LEVEL 1; ### Email subject line config. Change these prefixes if you want ### psad to generate email alerts that say something other than ### the following. MAIL_ALERT_PREFIX [psad-alert]; MAIL_STATUS_PREFIX [psad-status]; MAIL_ERROR_PREFIX [psad-error]; MAIL_FATAL_PREFIX [psad-fatal]; ### URL for getting the latest psad signatures SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures; ### These next two are psadwatchd vars PSADWATCHD_CHECK_INTERVAL 5; ### seconds PSADWATCHD_MAX_RETRIES 10; ### Directories INSTALL_ROOT /; PSAD_DIR $INSTALL_ROOT/var/log/psad; PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad; PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad; PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad; PSAD_CONF_DIR $INSTALL_ROOT/etc/psad; PSAD_ERR_DIR $PSAD_DIR/errs; CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive; SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive; ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis; SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules; ### Files FW_DATA_FILE $PSAD_DIR/fwdata; ULOG_DATA_FILE $PSAD_DIR/ulogd.log; FW_CHECK_FILE $PSAD_DIR/fw_check; DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email; SIGS_FILE $PSAD_CONF_DIR/signatures; ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types; ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types; AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl; SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl; POSF_FILE $PSAD_CONF_DIR/posf; P0F_FILE $PSAD_CONF_DIR/pf.os; IP_OPTS_FILE $PSAD_CONF_DIR/ip_options; PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo; ETC_HOSTS_DENY_FILE /etc/hosts.deny; ETC_SYSLOG_CONF /etc/syslog.conf; ETC_RSYSLOG_CONF /etc/rsyslog.conf; ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf; ETC_METALOG_CONF /etc/metalog/metalog.conf; STATUS_OUTPUT_FILE $PSAD_DIR/status.out; ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out; INSTALL_LOG_FILE $PSAD_DIR/install.log; ### PID files PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid; PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd; KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid; PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid; ### List of ips that have been auto blocked by iptables ### or tcpwrappers (the auto blocking feature is disabled by ### default, see the psad man page and the ENABLE_AUTO_IDS ### variable). AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables; AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr; ### File used internally by psad to add iptables blocking ### rules to a running psad process AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock; FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog; PRINT_SCAN_HASH $PSAD_DIR/scan_hash; ### /proc interface for controlling ip forwarding PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward; ### Packet counters for tcp, udp, and icmp protocols PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr; ### Top scanned ports TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports; ### Top signature matches TOP_SIGS_FILE $PSAD_DIR/top_sigs; ### Top attackers TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers; ### Counter file for Dshield alerts DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr; ### Counter file for iptables prefixes IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr; ### iptables command output and error collection files; these are ### used by IPTables::ChainMgr IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout; IPT_ERROR_FILE $PSAD_DIR/psad.ipterr; ### system binaries iptablesCmd /sbin/iptables; ip6tablesCmd /sbin/ip6tables; shCmd /bin/sh; wgetCmd /usr/bin/wget; gzipCmd /bin/gzip; mknodCmd /bin/mknod; psCmd /bin/ps; mailCmd /bin/mail; sendmailCmd /usr/sbin/sendmail; ifconfigCmd /sbin/ifconfig; ipCmd /sbin/ip; killallCmd /usr/bin/killall; netstatCmd /bin/netstat; unameCmd /bin/uname; whoisCmd $INSTALL_ROOT/usr/bin/whois_psad; dfCmd /bin/df; fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad; psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd; kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd; psadCmd $INSTALL_ROOT/usr/sbin/psad;