#
##############################################################################
#
# This is the configuration file for psad (the Port Scan Attack Detector).
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified on the
# command line argument "-c <file>" to psad. Psad.conf is read by all
# three of the psad daemons: psad, psadwatchd, and kmsgsd. The syntax of
# this file is as follows:
#
# Each line has the form "<variable name> <value>;". Note the semicolon
# after the <value>. All characters after the semicolon will be
# ignored to provide space for comments.
#
##############################################################################
#
# $Id$
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES root@localhost;

### Machine hostname
HOSTNAME _CHANGEME_;

### The following two variables can be modified to look for logging
### messages that are specific to your firewall configuration (specified
### by the "--log-prefix" for iptables firewalls). For example, if your
### firewall uses the string "Audit" for packets that have been blocked,
### then you could set FW_MSG_SEARCH = "Audit";
FW_MSG_SEARCH DROP;

### Specify the home network. This definition is used to identify
### traffic that matches snort rules in the iptables FORWARD chain.
### Traffic that is directed to, or originates from, the firewall
### itself (i.e. in the INPUT or OUTPUT chains respectively) is
### treated as traffic to or from the HOME_NET by default and hence
### even if the HOME_NET variable is not defined, psad will still
### be able to detect matching scans. A syslog and email warning
### message will be generated if this variable is not defined.
### Normally the network(s) specified here should match a directly
### connected network(s) on the local machine. Multiple networks are
### supported as a comma separated list. The network(s) should be
### specified in CIDR notation. The following two lines provide example
### definitions for the HOME_NET variable. NOTE: The HOME_NET
### variable is not used if there is only one network interface on
### the system (i.e. no traffic will be logged via iptables through
### the FORWARD chain). If there is only one network interface on
### the box, then just set this variable to "NOT_USED".

### HOME_NET 192.168.10.4/24;
### HOME_NET 10.1.1.0/24, 192.168.10.4/24;
### HOME_NET NOT_USED; ### only one interface on box
HOME_NET _CHANGEME_;

### Danger levels. These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### psad_auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 50;
DANGER_LEVEL3 1000;
DANGER_LEVEL4 5000;
DANGER_LEVEL5 10000;

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
PSAD_CHECK_INTERVAL 5;

### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR SID;

### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;

### If "Y", means that scans will never time out.
ENABLE_PERSISTENCE Y;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds

### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;

### XXX: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID (see SNORT_SID_STR variable)
### then psad will see it even if the ack bit is set.
IGNORE_CONNTRACK_BUG_PKTS Y;

### Send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL 1;

### Send no more than this number of emails for a single
### scanning source ip.
PSAD_EMAIL_LIMIT 50;

### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;

### Send scan logs to dshield.org. This is disabled by default,
### but it is a good idea to enable it (subject to your site security
### policy) since the dshield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS N;

### dshield.org alert email address; this should not be changed
### unless the guys at dshield have changed it.
DSHIELD_ALERT_EMAIL reports@dshield.org;

### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL 6;

### If you have a dshield user id you can set it here. The
### default is "0".
DSHIELD_USER_ID 0;

### If you want the outbound dshield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL NONE;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS N;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL 5;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT 3600;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM 1;

### Enable tcp wrappers blocking
TCPWRAPPERS_BLOCK_METHOD N;

### Set the whois timeout
WHOIS_TIMEOUT 60; ### seconds

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD 20;

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD 20;

### Enable psad to run an external script or program
ENABLE_EXT_SCRIPT_EXEC N;

### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT /bin/true;

### Control execution of EXTERNAL_SCRIPT (only once per ip, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT N;

### Disk usage variables
DISK_CHECK_INTERVAL 300; ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE 95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES 10;

### Directories
PSAD_DIR /var/log/psad;
SCAN_DATA_ARCHIVE_DIR /var/log/psad/scan_archive;
PSAD_ERROR_DIR /var/log/psad/errs;
SNORT_RULES_DIR /etc/psad/snort_rules;

### Files
FW_DATA_FILE /var/log/psad/fwdata;
FW_CHECK_FILE /var/log/psad/fw_check;
PSAD_PID_FILE /var/run/psad/psad.pid;
PSAD_CMDLINE_FILE /var/run/psad/psad.cmd;
PSAD_SIGS_FILE /etc/psad/psad_signatures;
PSAD_AUTO_IPS_FILE /etc/psad/psad_auto_ips;
PSAD_POSF_FILE /etc/psad/psad_posf;
PSAD_LOG /var/log/psad/psad.log;
PSAD_FIFO /var/lib/psad/psadfifo;
ETC_HOSTS_DENY /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE /var/log/psad/auto_blocked_tcpwr;

FW_ERROR_LOG /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE /var/log/psad/packet_ctr;

### system binaries
shCmd /bin/sh;
iptablesCmd /sbin/iptables;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
syslogdCmd /sbin/syslogd;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd /usr/bin/whois_psad;
dfCmd /bin/df;
psadwatchdCmd /usr/sbin/psadwatchd;
kmsgsdCmd /usr/sbin/kmsgsd;
psadCmd /usr/sbin/psad;
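The following is an added example, written in Python and not part of psad itself (psad's own parser is in Perl): it implements the "<variable name> <value>;" line format described in the file header (comment lines skipped, everything after the first semicolon ignored), splits the comma separated list values used by EMAIL_ADDRESSES and HOME_NET, and applies the two numeric rules the comments explain, the DANGER_LEVELn packet-count thresholds and the PORT_RANGE_SCAN_THRESHOLD (p2-p1 >= threshold) check. The sample configuration embedded below is constructed, and all function names are this example's own. Only the packet-count route to a danger level is modelled; the signature and psad_auto_ips routes the file also mentions are not.

```python
"""Parser for the psad.conf line format plus the packet-count and
port-range rules described in the file's comments.

Added example, not psad's own code. SAMPLE_CONF is constructed."""
import ipaddress
import re

# Constructed sample in the documented "<variable name> <value>;" format.
# The "### HOME_NET ..." line mirrors the commented-out examples in the
# real file and must be treated as a comment, not a setting.
SAMPLE_CONF = """\
##############################################################################
# constructed sample psad.conf
##############################################################################
EMAIL_ADDRESSES root@localhost, admin@example.invalid;
HOSTNAME fw1;
FW_MSG_SEARCH DROP;
### HOME_NET 192.168.10.4/24;
HOME_NET 10.1.1.0/24, 192.168.10.4/24;
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 50;
DANGER_LEVEL3 1000;
DANGER_LEVEL4 5000;
DANGER_LEVEL5 10000;
PORT_RANGE_SCAN_THRESHOLD 1;
WHOIS_TIMEOUT 60; ### seconds
"""

# "<variable name> <value>;" -- the value runs up to the first semicolon.
_LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s+([^;]*);")


def parse_psad_conf(text):
    """Return {VARIABLE: value}. A line whose first non-blank character
    is '#' is a comment; anything after the first ';' is ignored."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(
                f"line {lineno}: expected '<variable> <value>;', got {raw!r}")
        conf[m.group(1)] = m.group(2).strip()
    return conf


def split_list(value):
    """Comma separated list values (EMAIL_ADDRESSES, HOME_NET)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def home_networks(conf):
    """HOME_NET as ip_network objects; NOT_USED or an unset placeholder
    yields []. strict=False because the file's own example
    192.168.10.4/24 has host bits set."""
    value = conf.get("HOME_NET", "NOT_USED")
    if value in ("NOT_USED", "_CHANGEME_"):
        return []
    return [ipaddress.ip_network(n, strict=False) for n in split_list(value)]


def danger_levels(conf):
    """Sorted [(level, packet_threshold)] from the DANGER_LEVELn variables."""
    levels = []
    for name, value in conf.items():
        m = re.fullmatch(r"DANGER_LEVEL(\d+)", name)
        if m:
            levels.append((int(m.group(1)), int(value)))
    return sorted(levels)


def danger_level_for(conf, packets):
    """Highest danger level whose packet threshold has been reached
    (0 if fewer than DANGER_LEVEL1 packets were seen)."""
    level = 0
    for lvl, threshold in danger_levels(conf):
        if packets >= threshold:
            level = lvl
    return level


def port_range_exceeds_threshold(conf, ports):
    """Port-range rule: alert only when (max port - min port) is at least
    PORT_RANGE_SCAN_THRESHOLD (default 1, i.e. at least two ports)."""
    threshold = int(conf.get("PORT_RANGE_SCAN_THRESHOLD", "1"))
    return (max(ports) - min(ports)) >= threshold


if __name__ == "__main__":
    conf = parse_psad_conf(SAMPLE_CONF)
    print("recipients:", split_list(conf["EMAIL_ADDRESSES"]))
    print("home nets:", [str(n) for n in home_networks(conf)])
    for count in (4, 5, 999, 12000):
        print(f"{count} packets -> danger level {danger_level_for(conf, count)}")
    print("ports [22] alert?", port_range_exceeds_threshold(conf, [22]))
    print("ports [22, 23] alert?", port_range_exceeds_threshold(conf, [22, 23]))
```

Setting PORT_RANGE_SCAN_THRESHOLD to 0, as the comment suggests for "extra paranoid" operation, makes a single logged port trip the check; setting it to 30000 effectively disables it, which the function reproduces without special cases.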