psad (Port Scan Attack Detector)
Version: 3.0
Author: Michael Rash (mbr@cipherdyne.org)
Website: http://www.cipherdyne.org/

Thanks to: (see the CREDITS file).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DESCRIPTION:

The Port Scan Attack Detector (psad) is a collection of two lightweight
system daemons written in Perl and in C that are designed to work with Linux
iptables firewalling code to detect port scans and other suspect traffic. It
features a set of highly configurable danger thresholds (with sensible
defaults provided), verbose alert messages that include the source,
destination, scanned port range, begin and end times, tcp flags and
corresponding nmap options, reverse DNS info, email and syslog alerting,
automatic blocking of offending ip addresses via dynamic configuration of
iptables rulesets, passive operating system fingerprinting, and DShield
reporting. In addition, psad incorporates many of the tcp, udp, and icmp
signatures included in the snort intrusion detection system
(http://www.snort.org) to detect highly suspect scans for various backdoor
programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft),
and advanced port scans (syn, fin, xmas) which are easily leveraged against a
machine via nmap. psad can also alert on snort signatures that are logged
via fwsnort, which makes use of the iptables string match module to detect
application layer signatures.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CONFIGURATION INFORMATION:

Information on config keywords referenced by psad may be found both in the
psad(8) man page, and also here:

http://www.cipherdyne.org/psad/docs/config.html

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
METHODOLOGY:

All information psad analyzes is gathered from iptables log messages.
psad by default reads the /var/log/messages file for new iptables messages and
optionally writes them out to a dedicated file (/var/log/psad/fwdata).
psad is then responsible for applying the danger threshold and signature logic
in order to determine whether or not a port scan has taken place, send
appropriate alert emails, and (optionally) block offending ip addresses. psad
includes a signal handler such that if a USR1 signal is received, psad will
dump the contents of the current scan hash data structure to
/var/log/psad/scan_hash.$$ where "$$" represents the pid of the running psad
daemon.
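
An added example (not psad's own code, which is Perl) of the methodology above: it parses constructed iptables LOG lines of the kind psad reads from /var/log/messages, keeps a per-source scan table like psad's scan hash, maps the logged TCP flag combinations to the nmap scan types named in the DESCRIPTION, and assigns a danger level from constructed thresholds that merely stand in for psad's configurable ones.

```python
from collections import defaultdict

# Constructed sample iptables LOG lines in the syslog format psad reads from
# /var/log/messages; addresses and times are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  3 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=80 SYN
Mar  3 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=443 SYN
Mar  3 10:01:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=8080 SYN
Mar  3 10:01:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=25 FIN PSH URG
Mar  3 10:01:05 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=110 FIN PSH URG
Mar  3 10:01:06 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=22 SYN
Mar  3 10:01:07 fw sshd[812]: Accepted publickey for admin from 198.51.100.40
"""
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Flag sets that nmap's scan types leave in the log, with the matching nmap option.
SCAN_TYPES = {frozenset({"SYN"}): ("syn", "-sS"), frozenset({"FIN"}): ("fin", "-sF"),
              frozenset({"FIN", "PSH", "URG"}): ("xmas", "-sX"), frozenset(): ("null", "-sN")}
# Constructed danger thresholds (distinct destination ports seen from one
# source); psad's real levels are configurable and are not these numbers.
PORT_THRESHOLDS = {1: 2, 2: 5, 3: 10, 4: 50, 5: 100}

def parse_line(line):
    """Split an iptables LOG line into its KEY=VALUE fields plus its TCP flags."""
    if "IN=" not in line or "SRC=" not in line:
        return None  # not an iptables LOG message (e.g. sshd noise)
    tokens = line.split()
    rec = dict(t.split("=", 1) for t in tokens if "=" in t)
    rec["flags"] = frozenset(t for t in tokens if t in TCP_FLAGS)
    return rec

def danger_level(port_count):
    """Highest level whose threshold the port count reaches; 0 means no alert."""
    return max((lvl for lvl, n in PORT_THRESHOLDS.items() if port_count >= n), default=0)

def analyze(log_text):
    """Build a per-source scan table (psad's 'scan hash') and rate each source."""
    ports, flag_sets = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec.get("PROTO") == "TCP" and "DPT" in rec:
            ports[rec["SRC"]].add(int(rec["DPT"]))
            flag_sets[rec["SRC"]].add(rec["flags"])
    alerts = {}
    for src, p in ports.items():
        level = danger_level(len(p))
        if level:  # below the lowest threshold: stays in the table, no alert
            alerts[src] = {"danger": level, "ports": (min(p), max(p)),
                           "scans": sorted(SCAN_TYPES.get(f, ("other", "?")) for f in flag_sets[src])}
    return alerts
```

The single-port source (198.51.100.77) stays in the table without raising an alert, and the sshd line is skipped as a non-iptables message, which mirrors why the NOTE below stresses that detection is only as good as the firewall's logging rules.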

NOTE: Since psad relies on iptables to generate appropriate log messages
for unauthorized packets, psad is only as good as the logging rules included
in the iptables ruleset. Usually the best way to set up the firewall is with
default "drop and log" rules at the end of the ruleset, with rules
above this last rule that only allow traffic that should be allowed through.
Upon execution, the psad daemon will attempt to ascertain whether or not such
a default deny rule exists, and will warn the administrator if it doesn't.
See the FW_EXAMPLE_RULES file for example firewall rulesets that are
compatible with psad.

Additionally, extensive coverage of psad is included in the book "Linux
Firewalls: Attack Detection and Response" published by No Starch Press, and a
supporting script in this book is compatible with psad. This script can be
found here:

http://www.cipherdyne.org/LinuxFirewalls/ch01/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
INSTALLATION:

See the INSTALL file in the psad sources directory.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
FIREWALL SETUP:

See the FW_HELP file in the psad sources directory. Also, read the
README.SYSLOG file.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PLATFORMS:

psad has been tested on RedHat 6.2 - 9.0, Fedora Core 1 and 2, and
Gentoo Linux systems running various kernels. The only program that
specifically depends on the RedHat architecture is psad-init, which depends
on /etc/rc.d/init.d/functions. For non-RedHat systems a more generic init
script is included called "psad-init.generic". The psad init scripts are
mostly included as a nicety; psad can be run from the command line like any
other program.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
COPYRIGHT:

Copyright (C) 1999-2012 Michael Rash (mbr@cipherdyne.org)

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

psad makes use of many of the tcp, udp, and icmp signatures available in
Snort (written by Marty Roesch, see http://www.snort.org). Snort is a
registered trademark of Sourcefire, Inc.