100644 542 lines (449 sloc) 22.415 kB
#
##############################################################################
#
# This is the configuration file for psad (the Port Scan Attack Detector).
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem; the path is then given to psad with the
# "-c <file>" command line argument. All three psad daemons (psad,
# kmsgsd, and psadwatchd) reference this config file.
#
# Each line has the form "<variable name> <value>;". Note the semicolon
# after the <value>. All characters after the semicolon will be
# ignored to provide space for comments.
#
##############################################################################
#
# $Id$
#

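An added example (not part of psad or this file) of a parser for the line format described in the header: the first ";" ends the value and the rest of the line is comment space, "#" lines are skipped, "$VAR" references such as the PSAD_ERR_DIR $PSAD_DIR/errs entries further down are expanded from earlier definitions, and repeated keywords such as FW_MSG_SEARCH accumulate. The "$VAR" expansion semantics and the comma-list helper are this example's assumptions; the sample text is constructed.

```python
import re

# Constructed excerpt in psad.conf syntax (sample input, not the full file).
SAMPLE_CONF = """\
### Each line is "<variable name> <value>;" and text after ';' is comment space.
EMAIL_ADDRESSES root@localhost;
FW_MSG_SEARCH Audit;        ### repeated keyword: values accumulate
FW_MSG_SEARCH REJECT;
PSAD_DIR /var/log/psad;
PSAD_ERR_DIR $PSAD_DIR/errs;
IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
DANGER_LEVEL1 5; ### Number of packets.
"""

LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s+(.*?)\s*;')
VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
MULTI_KEYS = {'FW_MSG_SEARCH'}   # keywords the file says may be repeated


def parse_psad_conf(text):
    """Parse psad.conf lines into a dict: the first ';' ends the value, the
    rest of the line is a comment, lines starting with '#' are skipped, and
    '$VAR' references resolve against variables set earlier in the file
    (assumed semantics, matching how the file itself uses $PSAD_DIR)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError('line %d: expected "<variable name> <value>;"' % lineno)
        key, value = m.group(1), m.group(2)

        def resolve(ref):
            name = ref.group(1)
            if name not in conf:
                raise ValueError('line %d: undefined variable $%s' % (lineno, name))
            seen = conf[name]
            return seen[-1] if isinstance(seen, list) else seen

        value = VAR_RE.sub(resolve, value)
        if key in MULTI_KEYS:
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def split_list(value):
    """Split a comma-separated psad value such as IGNORE_PORTS; NONE -> []."""
    if value.strip().upper() == 'NONE':
        return []
    return [item.strip() for item in value.split(',') if item.strip()]
```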
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES root@localhost;

### Machine hostname
HOSTNAME _CHANGEME_;

### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
HOME_NET any;
EXTERNAL_NET any;

### The FW_SEARCH_ALL variable controls how psad will parse iptables
### messages. If it is set to "Y" then psad will parse all iptables
### messages for evidence of scan activity. If it is set to "N" then
### psad will only parse those iptables messages that contain logging
### prefixes specified by the FW_MSG_SEARCH variable below. Logging
### prefixes are set with the --log-prefix command line option to iptables.
### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze
### iptables messages that are logged out of a specific iptables chain
### (multiple strings can be searched for, see the comment above the
### FW_MSG_SEARCH variable below) or a specific logging rule for example.
### FW_SEARCH_ALL is set to "Y" by default since usually people want psad
### to parse all iptables messages.
FW_SEARCH_ALL Y;

### The FW_MSG_SEARCH variable can be modified to look for logging messages
### that are specific to your firewall configuration (specified by the
### "--log-prefix" option). For example, if your firewall uses the
### string "Audit" for packets that have been blocked, then you could
### set FW_MSG_SEARCH to "Audit". The default string to search for is
### "DROP". Both psad and kmsgsd reference this file. NOTE: You can
### specify this variable multiple times to have psad search for multiple
### strings. For example to have psad search for the strings "Audit" and
### "Reject", you would use the following two lines:
#FW_MSG_SEARCH Audit;
#FW_MSG_SEARCH REJECT;
FW_MSG_SEARCH DROP;

### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog.
SYSLOG_DAEMON syslogd;

### What type of interface configuration do you use? Set this variable to
### "iproute2" if you want to use the iproute2 type configuration.
### iproute2 does not use aliases for multi-homed interfaces and
### ifconfig does not show secondary addresses for multi-homed interfaces.
#IFCFGTYPE iproute2;
IFCFGTYPE ifconfig;

### Danger levels. These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
CHECK_INTERVAL 5;

### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR SID;

### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;

### If "Y", means that scans will never timeout. This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE Y;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds

### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;

### Allow reporting methods to be enabled/restricted. This keyword can
### accept values of "nosyslog" (don't write any messages to syslog),
### "noemail" (don't send any email messages), or "ALL" (to generate both
### syslog and email messages). "ALL" is the default. Both "nosyslog"
### and "noemail" can be combined with a comma to disable all logging
### and alerting.
ALERTING_METHODS ALL;

### By default, psad acquires iptables log data from the /var/log/psad/fwdata
### file which is written to by kmsgsd. However, psad can just read an
### existing file that syslog writes iptables log data to (commonly
### /var/log/messages). On some systems, having syslog communicate log data
### to kmsgsd can be problematic (syslog configs and external factors such
### as Apparmor and SELinux can play a role here), so using this feature can
### simplify a psad deployment.
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages;

### When enabled, this instructs psad to write the "msg" field
### associated with Snort rule matches to syslog.
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;

### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall. We will
### assume packets will not jump through more than 20 hops on
### average.
MAX_HOPS 20;

### Do not include any timestamp included within kernel logging
### messages (Ubuntu systems commonly have this)
IGNORE_KERNEL_TIMESTAMP Y;

### FIXME: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID generated by fwsnort (see
### http://www.cipherdyne.org/fwsnort/)
### then psad will see it even if the ack bit is set. See the
### SNORT_SID_STR variable.
IGNORE_CONNTRACK_BUG_PKTS Y;

### define a set of ports to ignore (this is useful particularly
### for port knocking applications since the knock sequence will
### look to psad like a scan). This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol. For example, to have psad ignore all
### tcp ports in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
IGNORE_PORTS NONE;

### allow entire protocols to be ignored. This keyword can accept
### a comma separated list of protocols. Each protocol must match
### the protocol that is specified in a Netfilter log message (case
### insensitively, so both "TCP" and "tcp" are ok).
### IGNORE_PROTOCOLS tcp,udp;
IGNORE_PROTOCOLS NONE;

### allow packets to be ignored based on interface (this is the
### "IN" interface in Netfilter logging messages).
IGNORE_INTERFACES NONE;

### Ignore these specific logging prefixes
IGNORE_LOG_PREFIXES NONE;

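An added example (not psad's own code) that runs the filtering rules described above (FW_SEARCH_ALL/FW_MSG_SEARCH, IGNORE_KERNEL_TIMESTAMP, IGNORE_CONNTRACK_BUG_PKTS with the SNORT_SID_STR exception, IGNORE_PORTS, IGNORE_PROTOCOLS, IGNORE_INTERFACES) over constructed Netfilter log lines in /var/log/messages form, then applies PORT_RANGE_SCAN_THRESHOLD, the DANGER_LEVEL thresholds and MIN_DANGER_LEVEL to each source. Substring matching of log prefixes and the exact field layout of the sample lines are this example's assumptions; signatures and auto_ips are not modelled.

```python
import re
from collections import defaultdict

# psad.conf keywords exercised here; values chosen for the demo (FW_SEARCH_ALL differs from the file's default).
SETTINGS = {
    'FW_SEARCH_ALL': 'N',
    'FW_MSG_SEARCH': ['DROP', 'Audit'],       # keyword given twice in the file
    'IGNORE_INTERFACES': ['lo'], 'IGNORE_PROTOCOLS': ['icmp'],
    'IGNORE_PORTS': 'tcp/61000-61356, udp/53, udp/5000',
    'IGNORE_CONNTRACK_BUG_PKTS': 'Y', 'SNORT_SID_STR': 'SID',
    'PORT_RANGE_SCAN_THRESHOLD': 1, 'MIN_DANGER_LEVEL': 1,
    'DANGER_LEVELS': [5, 15, 150, 1500, 10000],   # DANGER_LEVEL1..5
}
# "kernel: [optional Ubuntu kernel timestamp] <--log-prefix text> IN=..."
PREFIX_RE = re.compile(r'kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)\s*IN=')
KV_RE = re.compile(r'(\w+)=(\S*)')
FLAGS_RE = re.compile(r'RES=\S+\s+(.*?)\s*URGP=')

def _line(prefix, src, proto, dpt, flags='SYN', intf='eth0', ts=False):
    # Constructed Netfilter log line in /var/log/messages form (sample data).
    kts = '[ 1234.567890] ' if ts else ''
    tail = ' WINDOW=1024 RES=0x00 %s URGP=0' % flags if proto == 'TCP' else ''
    return ('Mar  3 10:15:01 fw kernel: %s%s IN=%s OUT= MAC=00:11:22:33:44:55:'
            '66:77:88:99:aa:bb:08:00 SRC=%s DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 '
            'TTL=52 ID=0 DF PROTO=%s SPT=44321 DPT=%d%s'
            % (kts, prefix, intf, src, proto, dpt, tail))

SAMPLE_LOG = (
    [_line('DROP', '203.0.113.9', 'TCP', 20 + i, ts=(i == 0)) for i in range(6)]
    + [_line('DROP', '203.0.113.9', 'TCP', 80, flags='ACK'),          # conntrack bug pkt
       _line('SID1234 DROP', '203.0.113.9', 'TCP', 80, flags='ACK'),  # fwsnort SID: kept
       _line('Audit', '198.51.100.7', 'TCP', 443),
       _line('Audit', '198.51.100.7', 'TCP', 8443),
       _line('DROP', '198.51.100.7', 'UDP', 53),                      # IGNORE_PORTS
       _line('DROP', '198.51.100.7', 'TCP', 61100),                   # IGNORE_PORTS range
       _line('DROP', '198.51.100.7', 'TCP', 25, intf='lo'),           # IGNORE_INTERFACES
       _line('FORWARDED', '198.51.100.7', 'TCP', 25),                 # no FW_MSG_SEARCH hit
       'Mar  3 10:15:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 '
       'LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1']
    + [_line('DROP', '192.0.2.77', 'TCP', 22) for _ in range(3)]      # one port: no range
)

def parse_ignore_ports(spec):
    """'tcp/61000-61356, udp/53' -> {'tcp': [(61000, 61356)], 'udp': [(53, 53)]}"""
    ignored = defaultdict(list)
    if spec.strip().upper() != 'NONE':
        for item in spec.split(','):
            proto, _, ports = item.strip().partition('/')
            lo, _, hi = ports.partition('-')
            ignored[proto.lower()].append((int(lo), int(hi or lo)))
    return ignored

def parse_log_line(line):
    """Pull log prefix, IN interface, SRC, PROTO, DPT and TCP flags from a line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line[m.end('prefix'):]))
    flags = FLAGS_RE.search(line)
    return {'prefix': m.group('prefix'), 'intf': kv.get('IN', ''),
            'src': kv.get('SRC'), 'proto': kv.get('PROTO', '').lower(),
            'dpt': int(kv['DPT']) if 'DPT' in kv else None,
            'flags': flags.group(1).split() if flags else []}

def classify(lines, s=SETTINGS):
    """Per-source packet counts and danger levels after psad's ignore rules."""
    ignore_ports = parse_ignore_ports(s['IGNORE_PORTS'])
    ignore_protos = {p.lower() for p in s['IGNORE_PROTOCOLS']}
    counts, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        prefix, proto, dpt = pkt['prefix'], pkt['proto'], pkt['dpt']
        # FW_SEARCH_ALL N: parse only messages carrying a FW_MSG_SEARCH string (substring match)
        if s['FW_SEARCH_ALL'] != 'Y' and not any(t in prefix for t in s['FW_MSG_SEARCH']):
            continue
        if pkt['intf'] in s['IGNORE_INTERFACES'] or proto in ignore_protos:
            continue
        if dpt is not None and any(lo <= dpt <= hi for lo, hi in ignore_ports.get(proto, [])):
            continue
        # Conntrack-bug workaround: skip ACK-set TCP unless the prefix carries a fwsnort SID
        if (s['IGNORE_CONNTRACK_BUG_PKTS'] == 'Y' and proto == 'tcp'
                and 'ACK' in pkt['flags'] and s['SNORT_SID_STR'] not in prefix):
            continue
        counts[pkt['src']] += 1
        if dpt is not None:
            ports[pkt['src']].add(dpt)
    result = {}
    for src, n in counts.items():
        p = ports[src]
        if p and max(p) - min(p) < s['PORT_RANGE_SCAN_THRESHOLD']:
            continue   # p2 - p1 below PORT_RANGE_SCAN_THRESHOLD: not a port scan
        level = sum(1 for need in s['DANGER_LEVELS'] if n >= need)
        result[src] = {'packets': n, 'danger_level': level,
                       'alert': level >= s['MIN_DANGER_LEVEL']}
    return result
```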
### Minimum danger level a scan must reach before any logging or
### alerting is done. The EMAIL_ALERT_DANGER_LEVEL variable below
### only refers to email alerts; the MIN_DANGER_LEVEL variable
### applies to everything from email alerts to whether or not the
### IP directory is created within /var/log/psad/. Hence
### MIN_DANGER_LEVEL should be set less than or equal to the value
### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
MIN_DANGER_LEVEL 1;

### Only send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL 1;

### Treat all subnets on local interfaces as part of HOME_NET (this
### means that these networks do not have to be manually defined)
ENABLE_INTF_LOCAL_NETS Y;

### Include MAC addresses in email alert
ENABLE_MAC_ADDR_REPORTING N;

### Look for the Netfilter logging rule (fwcheck_psad is executed)
ENABLE_FW_LOGGING_CHECK Y;

### Send no more than this number of emails for a single
### scanning source IP. Note that enabling this feature may cause
### alerts for real attacks to not be generated if an attack is sent
### after the email threshold has been reached for an IP address.
### This is why the default is set to "0".
EMAIL_LIMIT 0;

### By default, psad maintains a counter for each scanning source address,
### but by enabling this variable psad will maintain email counters for
### each victim address that is scanned as well.
ENABLE_EMAIL_LIMIT_PER_DST N;

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;

### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;

### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS N;

### syslog facility and priority (the defaults are usually ok)
### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;

### Port thresholds for logging and -S and -A output.
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;

### Signature thresholds for logging and -S and -A output.
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;

### Attacker thresholds for logging and -S and -A output.
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;

### Specify how often to log the TOP_* information (i.e. how many
### CHECK_INTERVAL iterations before the data is logged again).
TOP_SCANS_CTR_THRESHOLD 1;

### Send scan logs to dshield.org. This is disabled by default,
### but it is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS N;

### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL reports@dshield.org;

### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL 6; ### hours

### If you have a DShield user id you can set it here. The
### default is "0".
DSHIELD_USER_ID 0;

### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL NONE;

### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield. Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables log messages will be included
### in DShield email alerts).
DSHIELD_DL_THRESHOLD 0;

### List of servers. Fwsnort supports the same variable resolution as
### Snort.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;

### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];

### Configurable port numbers
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;

### If this is enabled, then psad will die if a rule in the
### /etc/psad/signatures file contains an unsupported option (otherwise
### a syslog warning will be generated).
ENABLE_SNORT_SIG_STRICT Y;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS N;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL 5;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT 3600;

### Enable regex checking on log prefixes for active response
ENABLE_AUTO_IDS_REGEX N;

### Only block if the Netfilter log message matches the following regex
AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes

### Control whether "renew" auto-block emails get sent. This is disabled
### by default because lots of IPs could have been blocked, and psad
### should not generate a renew email for each of them.
ENABLE_RENEW_BLOCK_EMAILS N;

### By setting this variable to N, all auto-blocking emails can be
### suppressed.
ENABLE_AUTO_IDS_EMAILS Y;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD Y;

### Specify chain names to which iptables blocking rules will be
### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
### <To_chain>,<Rule_position>.
### "Target": Can be any legitimate Netfilter target, but should usually
### just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
### INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any Netfilter table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
### the jump rule is added.
### "To_chain": Is the chain to which packets will be jumped. This is the
### main chain where psad rules are added.
### "Rule_position": Defines the position where rules are added within the
### To_chain.
###
### The following defaults make sense for most installations, but note
### it is possible to include blocking rules in, say, the "nat" table
### using this functionality as well. The following three lines provide
### usage examples:
#IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
#IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
#IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;

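An added example (not psad's or IPTables::ChainMgr's code) that parses the seven-field IPT_AUTO_CHAIN{n} format above, validates each field, builds the iptables argument lists that would create the To_chain, insert the jump rule at Jump_rule_position and add a block rule at Rule_position, and performs the IPTABLES_PREREQ_CHECK-style test against constructed `iptables -S` output. Mapping "src" to `-s`, "dst" to `-d` and "both" to one rule of each, and the `-S` output format, are this example's assumptions; nothing is executed.

```python
import ipaddress

# The file's default IPT_AUTO_CHAIN{n} values, copied from psad.conf.
AUTO_CHAINS = [
    'DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1',
    'DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1',
    'DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1',
]
# Assumption: "src" matches on -s, "dst" on -d, "both" adds one rule of each.
DIRECTION_FLAGS = {'src': ['-s'], 'dst': ['-d'], 'both': ['-s', '-d']}
FIELDS = ('target', 'direction', 'table', 'from_chain', 'jump_pos', 'to_chain', 'rule_pos')


def parse_auto_chain(spec):
    """Split '<Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>,
    <To_chain>,<Rule_position>' into a dict, validating each field."""
    values = [v.strip() for v in spec.rstrip(';').split(',')]
    if len(values) != len(FIELDS):
        raise ValueError('IPT_AUTO_CHAIN needs %d fields, got %d' % (len(FIELDS), len(values)))
    chain = dict(zip(FIELDS, values))
    if chain['direction'] not in DIRECTION_FLAGS:
        raise ValueError('Direction must be src, dst or both: %r' % chain['direction'])
    for key in ('jump_pos', 'rule_pos'):
        if not chain[key].isdigit() or int(chain[key]) < 1:
            raise ValueError('%s must be a positive rule position' % key)
        chain[key] = int(chain[key])
    return chain


def setup_commands(chain):
    """iptables argv lists creating the psad chain and the jump rule into it."""
    t = ['iptables', '-t', chain['table']]
    return [t + ['-N', chain['to_chain']],
            t + ['-I', chain['from_chain'], str(chain['jump_pos']), '-j', chain['to_chain']]]


def block_commands(chain, ip):
    """argv lists that block `ip` at Rule_position inside To_chain."""
    ip = str(ipaddress.ip_address(ip))   # reject anything that is not an IP literal
    t = ['iptables', '-t', chain['table'], '-I', chain['to_chain'], str(chain['rule_pos'])]
    return [t + [flag, ip, '-j', chain['target']] for flag in DIRECTION_FLAGS[chain['direction']]]


def prereq_ok(chain, ipt_dump):
    """IPTABLES_PREREQ_CHECK analogue: does `iptables -S` style output (assumed
    format) show the psad chain and a jump from From_chain into it?"""
    rules = ipt_dump.splitlines()
    have_chain = '-N %s' % chain['to_chain'] in rules
    have_jump = any(r.startswith('-A %s ' % chain['from_chain'])
                    and r.endswith('-j %s' % chain['to_chain']) for r in rules)
    return have_chain and have_jump


# Constructed `iptables -S` output for the check above (sample data).
SAMPLE_RULES = """\
-P INPUT DROP
-N PSAD_BLOCK_INPUT
-A INPUT -j PSAD_BLOCK_INPUT
-A INPUT -i lo -j ACCEPT
"""
```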
### Flush all existing rules in the psad chains at psad start time.
FLUSH_IPT_AT_INIT Y;

### Prerequisite check for existence of psad chains and jump rules
IPTABLES_PREREQ_CHECK 1;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD N;

### Set the whois timeout
WHOIS_TIMEOUT 60; ### seconds

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD 20;

### Use this option to force all whois information to contain ascii-only data.
### Sometimes whois information for IP addresses in China and other countries
### can contain non-ascii data. If this option is enabled, then any
### non-ascii characters will be replaced with "NA".
ENABLE_WHOIS_FORCE_ASCII N;

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD 20;

### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC N;

### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT /bin/true;

### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT N;

### Disk usage variables
DISK_CHECK_INTERVAL 300; ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE 95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES 10;

### Enable archiving of old scan directories at psad startup.
ENABLE_SCAN_ARCHIVE N;

### Truncate fwdata file at startup
TRUNCATE_FWDATA Y;

### Only archive scanning IP directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL 1;

### Email subject line config. Change these prefixes if you want
### psad to generate email alerts that say something other than
### the following.
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];

### URL for getting the latest psad signatures
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;

### These next two are psadwatchd vars
PSADWATCHD_CHECK_INTERVAL 5; ### seconds
PSADWATCHD_MAX_RETRIES 10;

### Directories
PSAD_DIR /var/log/psad;
PSAD_RUN_DIR /var/run/psad;
PSAD_FIFO_DIR /var/lib/psad;
PSAD_LIBS_DIR /usr/lib/psad;
PSAD_CONF_DIR /etc/psad;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;

### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
authored
459 SIGS_FILE $PSAD_CONF_DIR/signatures;
460 ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
461 AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
462 SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
463 POSF_FILE $PSAD_CONF_DIR/posf;
464 P0F_FILE $PSAD_CONF_DIR/pf.os;
1bc65c7 @mrash added ip_options file
authored
465 IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
c26db3a @mrash minor variable naming fixes
authored
466 PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
467 ETC_HOSTS_DENY_FILE /etc/hosts.deny;
65cd36d @mrash added hosts.deny and syslog config file path vars
authored
468 ETC_SYSLOG_CONF /etc/syslog.conf;
56a1b7e @mrash - Added a new feature whereby psad can acquire iptables log data just by
authored
469 ETC_RSYSLOG_CONF /etc/rsyslog.conf;
65cd36d @mrash added hosts.deny and syslog config file path vars
authored
470 ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
42783f2 @mrash added support for metalog
authored
471 ETC_METALOG_CONF /etc/metalog/metalog.conf;
168b0ee @mrash added STATUS_OUTPUT_FILE so that --Status and --Analyze output is cap…
authored
472 STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
dd4a2a2 @mrash added STATUS_PORTS_THRESHOLD, STATUS_SIGS_THRESHOLD, and STATUS_IP_TH…
authored
473 ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
c26db3a @mrash minor variable naming fixes
authored
474 INSTALL_LOG_FILE $PSAD_DIR/install.log;
92607d0 @mrash - Added DISK* variables for disk monitoring functions.
authored
475
476 ### PID files
c26db3a @mrash minor variable naming fixes
authored
477 PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
478 PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
479 KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
480 PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
92607d0 @mrash - Added DISK* variables for disk monitoring functions.
authored
481
07f0ca4 @mrash removed support for ipchains
authored
482 ### List of ips that have been auto blocked by iptables
92607d0 @mrash - Added DISK* variables for disk monitoring functions.
authored
483 ### or tcpwrappers (the auto blocking feature is disabled by
484 ### default, see the psad man page and the ENABLE_AUTO_IDS
485 ### variable).
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
486 AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
487 AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
92607d0 @mrash - Added DISK* variables for disk monitoring functions.
authored
488
d91a4f7 @mrash added AUTO_IPT_ADD_IP_FILE which gets used as an IP cache in --fw-blo…
authored
489 ### File used internally by psad to add Netfilter blocking
490 ### rules to a running psad process
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
491 AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
d91a4f7 @mrash added AUTO_IPT_ADD_IP_FILE which gets used as an IP cache in --fw-blo…
authored
492
decad08 @mrash bugfix to use the PSAD_ERR_DIR var for the fwerrorlog path
authored
493 FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
494 PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
92607d0 @mrash - Added DISK* variables for disk monitoring functions.
authored
495
06c4609 @mrash 1.4.3-pre5
authored
496 ### /proc interface for controlling ip forwarding
497 PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
498
92607d0 @mrash - Added DISK* variables for disk monitoring functions.
authored
499 ### Packet counters for tcp, udp, and icmp protocols
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
500 PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
92607d0 @mrash - Added DISK* variables for disk monitoring functions.
authored
501
469fe03 @mrash added top_sigs and top_ports in the /var/log/psad/ directory so that …
authored
502 ### Top scanned ports
503 TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
504
505 ### Top signature matches
506 TOP_SIGS_FILE $PSAD_DIR/top_sigs;
507
0060292 @mrash Added the TOP_ATTACKERS_FILE
authored
508 ### Top attackers
509 TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
510
f67fca7 @mrash added Dshield stats summary in --status output
authored
511 ### Counter file for Dshield alerts
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
512 DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
f67fca7 @mrash added Dshield stats summary in --status output
authored
513
85845f2 @mrash added IPT_PREFIX_COUNTER_FILE
authored
514 ### Counter file for iptables prefixes
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
515 IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
85845f2 @mrash added IPT_PREFIX_COUNTER_FILE
authored
516
ba5dcb5 @mrash - Completely re-worked IPTables::ChainMgr to support the return of ip…
authored
517 ### iptables command output and error collection files; these are
518 ### used by IPTables::ChainMgr
5062da6 @mrash added embedded variables to consistently reference the same file paths
authored
519 IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
520 IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;
ba5dcb5 @mrash - Completely re-worked IPTables::ChainMgr to support the return of ip…
authored
521
f338213 @mrash Added pid file paths
authored
522 ### system binaries
cbc0e1a @mrash added fwcheck_psad command
authored
523 iptablesCmd /sbin/iptables;
1638862 @mrash major consolidation so that there is only one config file, psad.conf.…
authored
524 shCmd /bin/sh;
23d0328 @mrash Added SIG_UPDATE_URL along with wget and gzip command paths for psad …
authored
525 wgetCmd /usr/bin/wget;
526 gzipCmd /bin/gzip;
cbc0e1a @mrash added fwcheck_psad command
authored
527 mknodCmd /bin/mknod;
528 psCmd /bin/ps;
529 mailCmd /bin/mail;
530 sendmailCmd /usr/sbin/sendmail;
531 ifconfigCmd /sbin/ifconfig;
65d5935 @mrash (Dan A. Dickey) Added the ability to use the "ip" command from the
authored
532 ipCmd /sbin/ip;
cbc0e1a @mrash added fwcheck_psad command
authored
533 killallCmd /usr/bin/killall;
534 netstatCmd /bin/netstat;
535 unameCmd /bin/uname;
536 whoisCmd /usr/bin/whois_psad;
537 dfCmd /bin/df;
538 fwcheck_psadCmd /usr/sbin/fwcheck_psad;
539 psadwatchdCmd /usr/sbin/psadwatchd;
540 kmsgsdCmd /usr/sbin/kmsgsd;
psadCmd                     /usr/sbin/psad;
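As an added example (not psad's own Perl code), a small parser for this file format: it drops `###` comments and anything after the first `;`, expands embedded `$NAME` references such as `$PSAD_DIR/errs` against earlier definitions (that a value may only reference names defined above it is an assumption), and interprets the DISK_* "0 means disabled / unlimited" rules from the disk usage section. The sample excerpt is constructed from values in the file above.

```python
import re

# Constructed excerpt of psad.conf; values mirror the file above.
SAMPLE_CONF = """\
### Directories
PSAD_DIR                    /var/log/psad;
PSAD_ERR_DIR                $PSAD_DIR/errs;
FW_ERROR_LOG                $PSAD_ERR_DIR/fwerrorlog;  ### nested reference
DISK_CHECK_INTERVAL         300;  ### seconds
DISK_MAX_PERCENTAGE         95;
DISK_MAX_RM_RETRIES         0;    ### 0 = no retry limit
MAIL_ALERT_PREFIX           [psad-alert];
"""
_VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def parse_psad_conf(text):
    """Return {name: expanded value}; raise ValueError on malformed lines."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or '###' comment
        body, sep, _comment = line.partition(";")  # text after ';' is ignored
        if not sep:
            raise ValueError(f"line {lineno}: missing ';' terminator")
        parts = body.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<name> <value>;'")
        name, value = parts[0], parts[1].strip()

        def expand(match):  # assumption: a value may only reference earlier names
            ref = match.group(1)
            if ref not in conf:
                raise ValueError(f"line {lineno}: undefined variable ${ref}")
            return conf[ref]

        conf[name] = _VAR_REF.sub(expand, value)
    return conf

def disk_policy(conf):
    """Interpret the DISK_* knobs: 0 disables the check or removes the retry cap."""
    max_pct = int(conf["DISK_MAX_PERCENTAGE"])
    retries = int(conf["DISK_MAX_RM_RETRIES"])
    return {
        "enabled": max_pct > 0,
        "interval": int(conf["DISK_CHECK_INTERVAL"]),
        "max_percentage": max_pct,
        "max_rm_retries": None if retries == 0 else retries,  # None = unlimited
    }
```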