#
##############################################################################
#
# This is the configuration file for psad (the Port Scan Attack Detector).
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified with the
# command line argument "-c <file>" to psad. Note that there are also
# config files "psadwatchd.conf" and "kmsgsd.conf" for psadwatchd and kmsgsd
# respectively. There is also one additional config file "fw_search.conf"
# that is read by both psad and kmsgsd and defines the strategy psad uses to
# search through iptables log messages. The syntax of psad.conf (as well
# as each of the other config files) is as follows:
#
# Each line has the form "<variable name> <value>;". Note the semicolon
# after the <value>. All characters after the semicolon will be
# ignored to provide space for comments.
#
##############################################################################
#
# $Id$
#

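The header above defines the whole keyword syntax; the following is an added example parser for it (not psad's own Perl code) that applies exactly those rules and, going one step further, expands embedded `$NAME` references of the kind the Directories and Files sections use (`$PSAD_DIR/fwdata`). That expansion as plain textual substitution against keywords already parsed, the function names, and the sample config text are this example's assumptions; the sample is constructed from lines that appear in the file.

```python
import re

# Constructed sample in the psad.conf syntax (a handful of lines, not the full file).
SAMPLE_CONF = """\
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES      root@localhost;   ### text after the ';' is a comment
HOSTNAME             _CHANGEME_;
DANGER_LEVEL1        5; ### Number of packets.
PSAD_DIR             /var/log/psad;
PSAD_CONF_DIR        /etc/psad;
FW_DATA_FILE         $PSAD_DIR/fwdata;
SIGS_FILE            $PSAD_CONF_DIR/signatures;
IPT_AUTO_CHAIN1      DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
"""

# A $NAME reference inside a value (assumed expansion rule, see lead-in).
_VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_psad_conf(text):
    """Return {KEYWORD: value} for text in the "<keyword> <value>;" syntax.

    Blank lines and lines starting with '#' are skipped.  Everything after
    the first ';' is ignored.  A ValueError is raised for a statement that
    lacks the ';' terminator, has no value, or references a $NAME that was
    not defined earlier in the file (so a path such as "$PSAD_DIR/fwdata"
    can never reach the caller unexpanded).
    """
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # comment or blank line
        if ";" not in line:
            raise ValueError(f"line {lineno}: missing ';' terminator: {raw!r}")
        stmt = line.split(";", 1)[0].strip()           # drop trailing comment
        parts = stmt.split(None, 1)                    # keyword, then the rest
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<keyword> <value>;': {raw!r}")
        key, value = parts

        def expand(match):
            name = match.group(1)
            if name not in conf:
                raise ValueError(f"line {lineno}: undefined variable ${name}")
            return conf[name]

        conf[key] = _VAR_REF.sub(expand, value)        # a later definition wins
    return conf


def unconfigured_keywords(conf):
    """Keywords still carrying the _CHANGEME_ placeholder the shipped file uses."""
    return sorted(k for k, v in conf.items() if v == "_CHANGEME_")


if __name__ == "__main__":
    parsed = parse_psad_conf(SAMPLE_CONF)
    for key, value in parsed.items():
        print(f"{key:24} {value}")
    print("still unconfigured:", unconfigured_keywords(parsed))
```

Because values are taken up to the first `;`, a value that itself needs a semicolon cannot be expressed in this syntax; the parser makes that explicit rather than silently truncating, which is the behaviour to expect from the real file format as the header describes it.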
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES root@localhost;

### Machine hostname
HOSTNAME _CHANGEME_;

### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
HOME_NET any;
EXTERNAL_NET any;

### Firewall message search strings. NOTE: the FW_MSG_SEARCH variable
### is now located in the file /etc/psad/fw_search.conf. Edit this
### file to configure search strings for psad. The change was made so
### that a single file could be referenced by both psad and kmsgsd for
### search strings in iptables messages.

### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog.
SYSLOG_DAEMON syslogd;

### Danger levels. These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
CHECK_INTERVAL 5;

### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR SID;

### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;

### If "Y", means that scans will never time out. This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE Y;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds

### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;

### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall. We will
### assume packets will not jump through more than 20 hops on
### average.
MAX_HOPS 20;

### XXX: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID generated by fwsnort (see
### http://www.cipherdyne.org/fwsnort/)
### then psad will see it even if the ack bit is set. See the
### SNORT_SID_STR variable.
IGNORE_CONNTRACK_BUG_PKTS Y;

### define a set of ports to ignore (this is useful particularly
### for port knocking applications since the knock sequence will
### look to psad like a scan). This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol. For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
IGNORE_PORTS NONE;

### allow entire protocols to be ignored. This keyword can accept
### a comma separated list of protocols. Each protocol must match
### the protocol that is specified in a Netfilter log message (case
### insensitively, so both "TCP" and "tcp" are accepted).
### IGNORE_PROTOCOLS tcp,udp;
IGNORE_PROTOCOLS NONE;

### allow packets to be ignored based on interface (this is the
### "IN" interface in Netfilter logging messages).
IGNORE_INTERFACES NONE;

### Ignore these specific logging prefixes
IGNORE_LOG_PREFIXES NONE;

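The keywords from DANGER_LEVEL1..5 and PORT_RANGE_SCAN_THRESHOLD down to the four IGNORE_* filters only make sense together, so here is one added example (not psad's engine) that runs them over iptables log lines: each line is parsed into its KEY=VALUE fields and log prefix, the IGNORE_PORTS / IGNORE_PROTOCOLS / IGNORE_INTERFACES / IGNORE_LOG_PREFIXES filters are applied, packets are counted per source, and the count is mapped onto a danger level only for sources whose destination-port spread satisfies the port range threshold. That combination order is this example's simplification; psad's real scoring also consults signatures and auto_dl. The log lines are constructed, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed settings using the keywords from this file (values as shipped,
# except IGNORE_PORTS, which uses the example given in the comment above).
CONF = {
    "DANGER_LEVEL1": 5, "DANGER_LEVEL2": 15, "DANGER_LEVEL3": 150,
    "DANGER_LEVEL4": 1500, "DANGER_LEVEL5": 10000,
    "PORT_RANGE_SCAN_THRESHOLD": 1,
    "IGNORE_PORTS": "tcp/61000-61356, udp/53, udp/5000",
    "IGNORE_PROTOCOLS": "NONE",
    "IGNORE_INTERFACES": "NONE",
    "IGNORE_LOG_PREFIXES": "NONE",
}

_KV = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens of an iptables log line


def parse_csv_list(spec):
    """'NONE' -> empty set; otherwise the comma-separated items, lower-cased."""
    if spec.strip().upper() == "NONE":
        return set()
    return {item.strip().lower() for item in spec.split(",") if item.strip()}


def parse_ignore_ports(spec):
    """'tcp/61000-61356, udp/53' -> [('tcp', 61000, 61356), ('udp', 53, 53)]"""
    ranges = []
    for item in sorted(parse_csv_list(spec)):
        proto, ports = item.split("/", 1)
        lo, _, hi = ports.partition("-")
        ranges.append((proto, int(lo), int(hi or lo)))
    return ranges


def parse_ipt_log(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ...} or None if not iptables."""
    m = re.search(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*?)\s*IN=", line)
    if not m:
        return None
    pkt = {"prefix": m.group(1).strip()}
    pkt.update(_KV.findall(line))
    return pkt


def is_ignored(pkt, ignore):
    """Apply the four IGNORE_* filters to one parsed packet."""
    proto = pkt.get("PROTO", "").lower()
    if proto in ignore["protocols"] or pkt.get("IN", "").lower() in ignore["interfaces"]:
        return True
    if pkt["prefix"].lower() in ignore["prefixes"]:
        return True
    if not pkt.get("DPT", "").isdigit():
        return False                                   # e.g. ICMP carries no port
    dpt = int(pkt["DPT"])
    return any(p == proto and lo <= dpt <= hi for p, lo, hi in ignore["ports"])


def danger_level(packet_count, conf):
    """Highest n with packet_count >= DANGER_LEVELn, else 0."""
    return max((n for n in range(1, 6) if packet_count >= conf[f"DANGER_LEVEL{n}"]),
               default=0)


def score_sources(lines, conf):
    """Per-source packet count, port list and danger level after filtering."""
    ignore = {"ports": parse_ignore_ports(conf["IGNORE_PORTS"]),
              "protocols": parse_csv_list(conf["IGNORE_PROTOCOLS"]),
              "interfaces": parse_csv_list(conf["IGNORE_INTERFACES"]),
              "prefixes": parse_csv_list(conf["IGNORE_LOG_PREFIXES"])}
    packets, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        pkt = parse_ipt_log(line)
        if pkt is None or is_ignored(pkt, ignore):
            continue
        packets[pkt["SRC"]] += 1
        if pkt.get("DPT", "").isdigit():
            ports[pkt["SRC"]].add(int(pkt["DPT"]))
    report = {}
    for src, count in packets.items():
        spread = max(ports[src]) - min(ports[src]) if ports[src] else 0
        is_scan = spread >= conf["PORT_RANGE_SCAN_THRESHOLD"]   # p2-p1 >= threshold
        report[src] = {"packets": count, "ports": sorted(ports[src]),
                       "danger_level": danger_level(count, conf) if is_scan else 0}
    return report


def _log(src, proto, dpt, iface="eth0", prefix="DROP"):
    """Build one constructed iptables log line in the usual kernel format."""
    return (f"Feb 10 12:00:01 fw kernel: {prefix} IN={iface} OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.1 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO={proto} SPT=54321 DPT={dpt}")


SAMPLE_LOG = (
    [_log("203.0.113.7", "TCP", p) for p in (21, 22, 23, 25, 80, 443)]  # 6-port sweep
    + [_log("198.51.100.9", "UDP", 53)] * 5                              # udp/53 ignored
    + [_log("192.0.2.50", "TCP", p) for p in (61001, 61010)]            # knock range ignored
    + [_log("198.51.100.20", "TCP", 22)] * 6                             # one port only
    + ["Feb 10 12:00:02 fw sshd[123]: Accepted publickey for root"]      # not iptables
)

if __name__ == "__main__":
    for src, info in score_sources(SAMPLE_LOG, CONF).items():
        print(src, info)
```

The single-port source shows the effect of PORT_RANGE_SCAN_THRESHOLD: six packets is past DANGER_LEVEL1, but with no port spread it is not treated as a scan, which is exactly the case a setting of 0 would catch instead.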
### Send email alert if danger level >= this value.
EMAIL_ALERT_DANGER_LEVEL 1;

### Treat all subnets on local interfaces as part of HOME_NET (this
### means that these networks do not have to be manually defined)
ENABLE_INTF_LOCAL_NETS Y;

### Include MAC addresses in email alert
ENABLE_MAC_ADDR_REPORTING N;

### Look for the Netfilter logging rule (fwcheck_psad is executed)
ENABLE_FW_LOGGING_CHECK Y;

### Send no more than this number of emails for a single
### scanning source IP. Note that enabling this feature may cause
### alerts for real attacks to not be generated if an attack is sent
### after the email threshold has been reached for an IP address.
### This is why the default is set to "0".
EMAIL_LIMIT 0;

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;

### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;

### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS N;

### Send scan logs to dshield.org. This is disabled by default,
### but it is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS N;

### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL reports@dshield.org;

### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL 6; ### hours

### If you have a DShield user id you can set it here. The
### default is "0".
DSHIELD_USER_ID 0;

### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL NONE;

### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield. Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables log messages will be included
### in DShield email alerts).
DSHIELD_DL_THRESHOLD 0;

### List of servers. Fwsnort supports the same variable resolution as
### Snort.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;

### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];

### Configurable port numbers
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;

### If this is enabled, then psad will die if a rule in the
### /etc/psad/signatures file contains an unsupported option (otherwise
### a syslog warning will be generated).
ENABLE_SNORT_SIG_STRICT N;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS N;

### Block all traffic from offending IP if danger
### level >= this value
AUTO_IDS_DANGER_LEVEL 5;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT 3600;

### Enable regex checking on log prefixes for active response
ENABLE_AUTO_IDS_REGEX N;

### Only block if the Netfilter log message matches the following regex
AUTO_BLOCK_REGEX ESTABLISHED; ### from fwsnort logging prefixes

### Control whether "renew" auto-block emails get sent. This is disabled
### by default because lots of IPs could have been blocked, and psad
### should not generate a renew email for each of them.
ENABLE_RENEW_BLOCK_EMAILS N;

### By setting this variable to N, all auto-blocking emails can be
### suppressed.
ENABLE_AUTO_IDS_EMAILS Y;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD Y;

### Specify chain names to which iptables blocking rules will be
### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
### <To_chain>,<Rule_position>.
### "Target": Can be any legitimate Netfilter target, but should usually
### just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
### INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any Netfilter table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
### the jump rule is added.
### "To_chain": Is the chain to which packets will be jumped. This is the
### main chain where psad rules are added.
### "Rule_position": Defines the position where rules are added within the
### To_chain.
###
### The following defaults make sense for most installations, but note
### it is possible to include blocking rules in, say, the "nat" table
### using this functionality as well. The following three lines provide
### usage examples:
#IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
#IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
#IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;

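To make the seven-field IPT_AUTO_CHAIN{n} format and the ENABLE_AUTO_IDS / AUTO_IDS_DANGER_LEVEL / AUTO_BLOCK_TIMEOUT interplay concrete, here is an added example (not psad's IPTables::ChainMgr code) that parses the tuples, renders the iptables commands a block and its expiry would need as strings only, and keeps the timeout bookkeeping. Mapping "src" to `-s`, "dst" to `-d` and "both" to one rule of each is this example's reading of the Direction field, the class and function names are its own, and nothing here executes iptables. The source address is validated as an IP literal before it is placed in a command, because it originates in a log line written from network input.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AutoChain:
    """One IPT_AUTO_CHAIN{n} tuple in the order documented above."""
    target: str
    direction: str
    table: str
    from_chain: str
    jump_pos: int
    to_chain: str
    rule_pos: int


def parse_auto_chain(value):
    """'DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1' -> AutoChain."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 7:
        raise ValueError(f"IPT_AUTO_CHAIN needs 7 comma-separated fields, got {len(parts)}")
    target, direction, table, from_chain, jump_pos, to_chain, rule_pos = parts
    if direction not in ("src", "dst", "both"):
        raise ValueError(f"Direction must be src, dst or both, not {direction!r}")
    return AutoChain(target, direction, table, from_chain, int(jump_pos), to_chain, int(rule_pos))


def setup_commands(chain, iptables="/sbin/iptables"):
    """Create the psad chain and the jump rule into it (what a prerequisite check looks for)."""
    return [f"{iptables} -t {chain.table} -N {chain.to_chain}",
            f"{iptables} -t {chain.table} -I {chain.from_chain} {chain.jump_pos} -j {chain.to_chain}"]


def _match_flags(chain):
    return {"src": ["-s"], "dst": ["-d"], "both": ["-s", "-d"]}[chain.direction]


def block_commands(chain, ip, iptables="/sbin/iptables"):
    """Insert the blocking rule(s) for one address at Rule_position of To_chain."""
    addr = ipaddress.ip_address(ip)          # ValueError for anything but an IP literal
    return [f"{iptables} -t {chain.table} -I {chain.to_chain} {chain.rule_pos} {flag} {addr} -j {chain.target}"
            for flag in _match_flags(chain)]


def unblock_commands(chain, ip, iptables="/sbin/iptables"):
    """Delete the rule(s) added by block_commands once the timeout has expired."""
    addr = ipaddress.ip_address(ip)
    return [f"{iptables} -t {chain.table} -D {chain.to_chain} {flag} {addr} -j {chain.target}"
            for flag in _match_flags(chain)]


class AutoBlocker:
    """Dry-run auto-response: decides what to block and when to unblock.

    Mirrors AUTO_IDS_DANGER_LEVEL (block at or above this level) and
    AUTO_BLOCK_TIMEOUT (seconds until the block is removed).  Times are plain
    epoch seconds passed in by the caller so the logic is testable.
    """

    def __init__(self, chains, danger_level_threshold=5, timeout=3600):
        self.chains = chains
        self.threshold = danger_level_threshold
        self.timeout = timeout
        self.blocked = {}                     # ip -> expiry time

    def on_scan(self, ip, danger_level, now):
        """Return the commands to run for this scan (empty if nothing to do)."""
        if danger_level < self.threshold or ip in self.blocked:
            return []
        cmds = [c for chain in self.chains for c in block_commands(chain, ip)]
        self.blocked[ip] = now + self.timeout   # only record once commands are built
        return cmds

    def expire(self, now):
        """Return the commands that lift every block whose timeout has passed."""
        cmds = []
        for ip in sorted(ip for ip, t in self.blocked.items() if t <= now):
            del self.blocked[ip]
            cmds += [c for chain in self.chains for c in unblock_commands(chain, ip)]
        return cmds


if __name__ == "__main__":
    chains = [parse_auto_chain("DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1"),
              parse_auto_chain("DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1")]
    blocker = AutoBlocker(chains)
    for cmd in blocker.on_scan("203.0.113.7", danger_level=5, now=0):  # constructed source
        print(cmd)
```

`-N` fails if the chain already exists, which is why a deployment runs a prerequisite check (IPTABLES_PREREQ_CHECK) or flushes at start (FLUSH_IPT_AT_INIT) rather than blindly creating chains; the strings above are what such a check would verify.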
### Flush all existing rules in the psad chains at psad start time.
FLUSH_IPT_AT_INIT Y;

### Prerequisite check for existence of psad chains and jump rules
IPTABLES_PREREQ_CHECK 1;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD N;

### Set the whois timeout
WHOIS_TIMEOUT 60; ### seconds

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD 20;

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD 20;

### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC N;

### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT /bin/true;

### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT N;

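The "use at your own risk" above is warranted because the SRCIP value handed to EXTERNAL_SCRIPT is taken from a log line that the scanning host influenced. The following added example (not psad's code) shows the careful way to honour the ENABLE_EXT_SCRIPT_EXEC, EXTERNAL_SCRIPT and EXEC_EXT_SCRIPT_PER_ALERT settings: the configured value is tokenised, SRCIP is replaced only as a whole token and only after the address has been validated as an IP literal, and the program is invoked as an argv list with no shell. The argv approach and the helper names are this example's own; `/path/to/script --ip SRCIP -v` is the example value from the comment above.

```python
import ipaddress
import shlex
import subprocess


def build_external_argv(external_script, src_ip):
    """Turn an EXTERNAL_SCRIPT value plus a scan source into an argv list.

    SRCIP is substituted only where it stands as a complete token, so a
    config value such as '/path/to/script --ip SRCIP -v' yields four
    arguments.  Anything that is not a bare IP address raises ValueError
    before it can reach a command line.
    """
    addr = str(ipaddress.ip_address(src_ip))
    argv = [addr if tok == "SRCIP" else tok for tok in shlex.split(external_script)]
    if not argv:
        raise ValueError("EXTERNAL_SCRIPT is empty")
    return argv


def run_external_script(external_script, src_ip, dry_run=True):
    """Build the argv and, unless dry_run, execute it without a shell."""
    argv = build_external_argv(external_script, src_ip)
    if dry_run:
        return argv
    completed = subprocess.run(argv, shell=False, check=False, timeout=30)
    return completed.returncode


class ExternalScriptRunner:
    """Gate script execution the way the three keywords above describe.

    enabled   -> ENABLE_EXT_SCRIPT_EXEC (N means never run anything)
    per_alert -> EXEC_EXT_SCRIPT_PER_ALERT (N means once per source IP)
    """

    def __init__(self, external_script, enabled=True, per_alert=False):
        self.external_script = external_script
        self.enabled = enabled
        self.per_alert = per_alert
        self.seen = set()                      # source IPs already acted on

    def on_alert(self, src_ip):
        """Return the argv that should run for this alert, or None."""
        if not self.enabled:
            return None
        if not self.per_alert and src_ip in self.seen:
            return None
        argv = build_external_argv(self.external_script, src_ip)
        self.seen.add(src_ip)
        return argv


if __name__ == "__main__":
    runner = ExternalScriptRunner("/path/to/script --ip SRCIP -v")
    print(runner.on_alert("203.0.113.7"))   # constructed scan source
    print(runner.on_alert("203.0.113.7"))   # None: once per IP by default
```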
### Disk usage variables
DISK_CHECK_INTERVAL 300; ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE 95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES 10;

### Enable archiving of old scan directories at psad startup.
ENABLE_SCAN_ARCHIVE N;

### Truncate fwdata file at startup
TRUNCATE_FWDATA Y;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL 1;

### Email subject line config. Change these prefixes if you want
### psad to generate email alerts that say something other than
### the following.
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];

### URL for getting the latest psad signatures
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;

### Directories
PSAD_DIR /var/log/psad;
PSAD_RUN_DIR /var/run/psad;
PSAD_LIB_DIR /var/lib/psad;
PSAD_CONF_DIR /etc/psad;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ERROR_DIR $PSAD_DIR/errs;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;

### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_LATEST_EMAIL $PSAD_DIR/dshield.email;
PID_FILE $PSAD_RUN_DIR/psad.pid;
CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
SIGS_FILE $PSAD_CONF_DIR/signatures;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
PSAD_FIFO $PSAD_LIB_DIR/psadfifo;
ETC_HOSTS_DENY /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;

### File used internally by psad to add Netfilter blocking
### rules to a running psad process
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;

FW_ERROR_LOG $PSAD_DIR/errs/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;

### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;

### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;

### iptables command output and error collection files; these are
### used by IPTables::ChainMgr
IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;

### system binaries
iptablesCmd /sbin/iptables;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd /usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd /usr/sbin/fwcheck_psad;
psadwatchdCmd /usr/sbin/psadwatchd;
kmsgsdCmd /usr/sbin/kmsgsd;
psadCmd /usr/sbin/psad;