.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH PSAD 8 "Jun, 2004" Linux
.SH NAME
.B psad
\- The Port Scan Attack Detector
.SH SYNOPSIS
.B psad [-a
.I auto-dl-file
.B ] [-c
.I config-file
.B ] [-l] [-h] [-B] [-A] [-F] [-S] [-K] [-R] [-U] [-H] [-V] [-p] [-e] [-w] [-D] [-d] [--signatures
.I sig-file
.B ] [--interface
.I interface
.B ] [--sig-update] [--Interval
.I seconds
.B ] [-m
.I messages-file
.B ] [--snort-type
.I type
.B ] [--snort-rdir
.I rules-directory
.B ] [--passive-os-sigs
.I posf-file
.B ] [--status-ip
.I ip
.B ] [--status-dl
.I dl
.B ] [--fw-file
.I policy-file
.B ] [--fw-block-ip
.I ip
.B ] [--fw-rm-block-ip
.I ip
.B ] [--fw-search
.I fw-search file
.B ] [--fw-analyze] [--fw-list-auto] [--fw-del-chains] [--fw-dump] [--status-sort-dl]
.B [--status-brief] [--no-fwcheck]
.B [--no-daemon] [--no-rdns] [--no-auto-dl] [--no-kmsgsd]
.B [--no-whois] [--no-netstat] [--no-ipt-errors]
.B [--no-passive-os] [--no-signatures] [--no-icmp-types] [--no-snort-sids]
.SH DESCRIPTION

.B psad
makes use of Netfilter log messages to detect, alert, and (optionally) block
port scans and other suspect traffic. For tcp scans psad analyzes tcp
flags to determine the scan type (syn, fin, xmas, etc.) and corresponding
command line options that could be supplied to nmap to generate such a scan.
In addition, psad makes use of many tcp, udp, and icmp signatures contained
within the Snort intrusion detection system (see http://www.snort.org/) to
detect suspicious network traffic such as probes for common backdoors, DDoS
tools, OS fingerprinting attempts, and more. By default psad also provides
alerts for snort rules that are detected directly by iptables through the
use of a ruleset generated by
.B fwsnort
(http://www.cipherdyne.org/fwsnort/). This enables psad to send alerts for
application layer attacks.
.B psad
features a set of highly configurable danger thresholds (with sensible
defaults provided) that allow the administrator to define what constitutes
a port scan or other suspect traffic. Email alerts sent by psad contain the
scanning ip, number of packets sent to each port, any tcp, udp, or icmp
signatures that have been matched (e.g. "NMAP XMAS scan"), the scanned port
range, the current danger level (from 1 to 5), reverse dns info, and whois
information.
.B psad
also makes use of various packet header fields associated with TCP SYN packets
to passively fingerprint remote operating systems (in a manner similar to the
.B p0f
fingerprinter) from which scans originate. This requires the use of the
.B --log-tcp-options
argument for Netfilter logging rules; if this option is not used,
.B psad
will fall back to a fingerprinting method that makes use of packet length,
TTL and TOS values, IP id, and tcp window sizes.
.PP
.B psad
configures syslog to write all kern.info messages to a named pipe
.B /var/lib/psad/psadfifo
and then reads all messages out of the pipe that are matched by a string
designed to catch any packets that have been logged (and possibly dropped)
by the firewall. In this way psad is supplied with a pure data stream
that exclusively contains packets that the firewall has deemed unfit to
enter the network.
.B psad
consists of three daemons: psad, kmsgsd, and psadwatchd.
.B psad
is responsible for processing all packets that have been logged by the
firewall and applying the signature logic in order to determine what type
of scan has been leveraged against the machine and/or network.
.B kmsgsd
reads all messages that have been written to the
.B /var/lib/psad/psadfifo
named pipe and writes any message that matches a particular regular
expression (or string) to
.B /var/log/psad/fwdata.
.B psadwatchd
is a software watchdog that will restart either of the other two daemons should
a daemon die for any reason.
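The pipeline described above (select firewall log lines by a search string, read the header fields, derive the scan type from the tcp flags, and roll the result up per scanning source into a port range and a danger level), as an added Python illustration that is not psad's own Perl code. The "DROP" log prefix, the packet-count thresholds, the nmap option names in the labels and the kernel log lines are constructed sample values, not psad defaults.

```python
"""Parse Netfilter LOG messages and classify TCP scans from their flag bits,
following the psad DESCRIPTION. Added illustration, not psad's own code;
the sample log lines, prefix and danger thresholds are constructed."""
import re
from collections import defaultdict

# psad only considers lines matched by a search string (fw_search.conf and
# the iptables --log-prefix option). This prefix is a constructed example.
LOG_PREFIX = "DROP"

# Header fields appear as KEY=VALUE tokens; TCP flags appear as bare words.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# (minimum packets, danger level): constructed thresholds, not psad defaults.
DANGER_THRESHOLDS = [(5, 1), (15, 2), (150, 3), (1500, 4), (10000, 5)]


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the header fields plus a FLAGS set for one kernel log line,
    or None when the line does not carry the firewall log prefix."""
    if prefix not in line:
        return None
    start = line.find("IN=")
    if start < 0:
        return None
    body = line[start:]
    fields = dict(_KV.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields


def scan_type(flags):
    """Map a TCP flag set to the scan type psad reports, labelled with the
    nmap option that would produce it (as psad alerts do)."""
    f = frozenset(flags)
    if f == {"SYN"}:
        return "syn (nmap -sS)"
    if f == {"FIN"}:
        return "fin (nmap -sF)"
    if f == {"FIN", "PSH", "URG"}:
        return "xmas (nmap -sX)"
    if not f:
        return "null (nmap -sN)"
    if f == {"ACK"}:
        return "ack (nmap -sA)"
    return "other"


def danger_level(packets, thresholds=DANGER_THRESHOLDS):
    """Danger level 1..5 from the packet count; 0 means below every threshold."""
    level = 0
    for minimum, lvl in thresholds:
        if packets >= minimum:
            level = lvl
    return level


def summarize(lines, prefix=LOG_PREFIX):
    """Aggregate per scanning source: packet count, scanned port range,
    flag-derived scan types and the resulting danger level."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "types": set()})
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec is None or "SRC" not in rec:
            continue
        entry = per_src[rec["SRC"]]
        entry["packets"] += 1
        if rec.get("DPT", "").isdigit():
            entry["ports"].add(int(rec["DPT"]))
        if rec.get("PROTO") == "TCP":
            entry["types"].add(scan_type(rec["FLAGS"]))
    return {
        src: {
            "packets": e["packets"],
            "port_range": (min(e["ports"]), max(e["ports"])) if e["ports"] else None,
            "scan_types": sorted(e["types"]),
            "danger_level": danger_level(e["packets"]),
        }
        for src, e in per_src.items()
    }


# Constructed sample kernel log lines using RFC 5737 documentation addresses.
def _line(src, dpt, flags, proto="TCP", prefix="DROP"):
    return (f"Jun 12 10:22:01 gw kernel: {prefix} IN=eth0 OUT= "
            f"SRC={src} DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 "
            f"ID=54321 PROTO={proto} SPT=41000 DPT={dpt} WINDOW=1024 RES=0x00 "
            f"{flags} URGP=0")

SAMPLE_LINES = [_line("203.0.113.7", p, "SYN") for p in (21, 22, 23, 25, 80, 443)]
SAMPLE_LINES.append(_line("198.51.100.9", 139, "FIN PSH URG"))   # xmas probe
SAMPLE_LINES.append(_line("198.51.100.9", 445, ""))              # null probe
SAMPLE_LINES.append(_line("192.0.2.50", 80, "ACK", prefix="ACCEPT"))  # ignored

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LINES).items():
        print(src, info)
```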
.SH OPTIONS
.TP
.BR \-c "\fR,\fP " \-\^\-config\ \<configuration-file>
By default psad makes use of the configuration file
.B /etc/psad/psad.conf
for almost all configuration parameters.
.B psad
can be made to
override this path by specifying a different file on the command
line with the --config option.
.TP
.BR \-\^\-signatures\ \<signatures-file>
The iptables firewalling code included within the linux 2.4.x kernel
series has the ability to distinguish and log any of the tcp flags
present within tcp packets that traverse the firewall interfaces.
.B psad
makes use of this logging capability to detect several types of tcp scan
signatures included within
.B /etc/psad/signatures.
The signatures were
originally included within the snort intrusion detection
system. New signatures can be included and modifications to existing
signatures can be made to the signature file and psad will import
the changes upon receiving a HUP signal (see the --HUP command line
option) without having to restart the psad process.
.B psad
also detects
many udp and icmp signatures that were originally included within snort.
.TP
.BR \-i "\fR,\fP " \-\^\-interface\ \<interface>
Specify the interface that
.B psad
will examine for Netfilter log messages. This interface will be the
.B IN=
interface for packets that are logged in the
.B INPUT
and
.B FORWARD
chains, and the
.B OUT=
interface for packets logged in the
.B OUTPUT
chain.
.TP
.BR \-\^\-sig-update
Instruct
.B psad
to download the latest set of modified Snort signatures from
http://www.cipherdyne.org/psad/signatures so that psad can take advantage of
signature updates before a new release is made.
.TP
.BR \-A ", " \-\^\-Analyze-msgs
Analyze an iptables logfile for scans and exit. This will generate email alerts
just as a normal running psad process would have for all logged scans. By
default the psad data file
.B /var/log/psad/fwdata
is parsed for old scans, but any file can be specified through the use
of the --messages-file command line option. For example it might be useful
to point psad at your
.B /var/log/messages
file.
.TP
.BR \-e ", " \-\^\-email-analysis
Send alert emails when run in --Analyze-msgs mode. Depending on the size of
the iptables logfile, using the --email-analysis option could extend the runtime
of psad by quite a bit since normally both DNS and whois lookups will be issued
against each scanning IP address. As usual these lookups can be disabled with
the --no-rdns and --no-whois options respectively.
.TP
.BR \-w ", " \-\^\-whois-analysis
By default
.B psad
does not issue whois lookups when running in --Analyze-msgs mode. The
--whois-analysis option will override this behavior (when run in analysis mode)
and instruct psad to issue whois lookups against IP addresses from which scans
or other suspect traffic has originated.
.TP
.BR \-\^\-snort-type\ \<type>
Restrict the type of snort sids to
.IR type .
Allowed types match the file names given to snort rules files such as
"ddos", "backdoor", and "web-attacks".
.TP
.BR \-\^\-snort-rdir\ \<snort-rules-directory>
Manually specify the directory where the snort rules files are located.
The default is
.B /etc/psad/snort_rules.
.TP
.BR \-\^\-passive-os-sigs\ \<passive-os-sigs-file>
Manually specify the path to the passive operating system fingerprinting
signatures file. The default is
.B /etc/psad/posf.
.TP
.BR \-a "\fR,\fP " \-\^\-auto-dl\ \<auto-dl-file>
Occasionally certain IP addresses are repeat offenders and
should automatically be given a higher danger level than
would normally be assigned. Additionally, some IP addresses
can always be ignored depending on your network configuration
(the loopback interface 127.0.0.1 might be a good candidate
for example).
.B /etc/psad/auto_dl
provides an interface for psad to automatically
increase/decrease/ignore scanning IP danger levels. Modifications
can be made to auto_dl (installed by default in /etc/psad)
and psad will import them without having to restart the psad process.
.TP
.BR \-\^\-fw-search\ \<fw_search-file>
By default psad makes use of the firewall search configuration
file
.B /etc/psad/fw_search.conf
for firewall search mode and search strings.
.B psad
can be made to
override this path by specifying a different file on the command
line with the --fw-search option.
.TP
.BR \-F ", " \-\^\-Flush
Remove any auto-generated firewall block rules if psad was configured
to automatically respond to scans (see the ENABLE_AUTO_IDS variable
in psad.conf).
.TP
.BR \-S ", " \-\^\-Status
Display the status of any psad processes that may or may not be running.
The status output contains a listing of the number of packets that
have been processed by psad, along with all IP addresses and
corresponding danger levels that have scanned the network.
.TP
.BR \-\^\-status-ip\ \<ip>
Display status information associated with
.I ip
such as the protocol packet counters as well as the last 10 packets
logged by iptables.
.TP
.BR \-\^\-status-dl\ \<dl>
Display status information only for scans that have reached a danger
level of at least
.IR dl .
.TP
.BR \-\^\-status-sort-dl
Sort status output by danger level. The default output is sorted
by IP address to show scans that may be associated with the same
network in an easily readable format.
.TP
.BR \-\^\-status-brief
Instruct psad to remove OS guess information and alert counters from
.I --Status
output. This is useful for viewing psad status info on terminals that
are not very wide.
.TP
.BR \-m "\fR,\fP " \-\^\-messages-file\ \<file>
This option is used to specify the file that will be parsed in analysis
mode (see the --Analyze-msgs option). The default path is the psad
data file
.B /var/log/psad/fwdata.
.TP
.BR \-K ", " \-\^\-Kill
Kill the current psad process along with psadwatchd and kmsgsd.
This provides a quick and easy way to kill all psad processes without
having to look in the process table or appeal to the psad-init script.
.TP
.BR \-R ", " \-\^\-Restart
Restart the currently running psad processes. This option will
preserve the command line options that were supplied to the original
psad process.
.TP
.BR \-B ", " \-\^\-Benchmark
Run psad in benchmark mode. By default benchmark mode will simulate
a scan of 10,000 packets (see the --packets option) and then report
the elapsed time. This is useful to see how fast psad can process
packets on a specific machine.
.TP
.BR \-p "\fR,\fP " \-\^\-packets\ \<packets>
Specify the number of packets to use in benchmark mode. The
default is 10,000 packets.
.TP
.BR \-\^\-fw-list-auto
List all rules in Netfilter chains that are used by
.B psad
in auto-blocking mode.
.TP
.BR \-\^\-fw-analyze
Analyze the local iptables ruleset, send any alerts if errors are
discovered, and then exit.
.TP
.BR \-\^\-fw-del-chains
By default, if ENABLE_AUTO_IDS is set to "Y"
.B psad
will not delete the auto-generated Netfilter chains (see the IPT_AUTO_CHAIN
keywords in psad.conf) if the --Flush option is given. The --fw-del-chains
option overrides this behavior and deletes the auto-blocking chains from a
running Netfilter firewall.
.TP
.BR \-\^\-fw-dump
Instruct
.B psad
to dump the contents of the Netfilter policy that is running on the local
system. All IP addresses are removed from the resulting output, so it is
safe to post to the psad list, or communicate to others. This option is
most often used with --Dump-conf.
.TP
.BR \-\^\-fw-block-ip\ \<ip>
Specify an IP address or network to add to the Netfilter controls that are
auto-generated by psad. This allows psad to manage the rule timeouts.
.TP
.BR \-\^\-fw-rm-block-ip\ \<ip>
Specify an IP address or network to remove from the Netfilter controls that
are auto-generated by psad.
.TP
.BR \-\^\-fw-file\ \<policy-file>
Analyze the iptables ruleset contained within
.B policy-file
instead of the ruleset currently loaded on the local system.
.TP
.BR \-I "\fR,\fP " \-\^\-Interval\ \<seconds>
Specify the interval (in seconds) that psad should use to
check whether or not packets have been logged by the
firewall.
.B psad
will use the default of 15 seconds unless a
different value is specified.
.TP
.BR \-U ", " \-\^\-USR1
Send a running psad process a USR1 signal. This will cause psad to
dump the contents of the %Scan hash to the file "/var/log/psad/scan_hash.$$"
where "$$" represents the pid of the psad process. This is mostly
useful for debugging purposes, but it also allows the administrator to
peer into the %Scan hash, which is the primary data structure used to
store scan data within system memory.
.TP
.BR \-H ", " \-\^\-HUP
Send all running psad daemons a HUP signal. This will instruct the
daemons to re-read their respective configuration files without causing
scan data to be lost in the process.
.TP
.BR \-d ", " \-\^\-debug
Run psad in debugging mode. This will automatically prevent
psad from running as a daemon, and will print the contents
of the %Scan hash and a few other things on STDOUT at crucial
points as psad executes.
.TP
.BR \-D ", " \-\^\-Dump-conf
Dump the current psad config to STDOUT and exit. Various pieces of information
such as the home network, alert email addresses, and DShield user id are removed
from the resulting output so it is safe to send to others.
.TP
.BR \-l ", " \-\^\-log-server
This option should be used if psad is being executed on a syslog
logging server. Running psad on a logging server requires that
check_firewall_rules() and auto_psad_response() not be executed
since the firewall is probably not being run locally.
.TP
.BR \-V ", " \-\^\-Version
Print the psad version and exit.
.TP
.BR \-\^\-no-daemon
Do not run psad as a daemon. This option will display scan
alerts on STDOUT instead of emailing them out.
.TP
.BR \-\^\-no-ipt-errors
Occasionally iptables messages written by syslog to
.B /var/lib/psad/psadfifo
or to
.B /var/log/messages
do not conform to the normal firewall logging format if the kernel
ring buffer used by klogd becomes full.
.B psad
will write these messages to
.B /var/log/psad/errs/fwerrorlog
by default. Passing the --no-ipt-errors option will make psad ignore
all such erroneous firewall messages.
.TP
.BR \-\^\-no-whois
By default psad will issue a whois query against any IP from which
a scan has originated, but this can be disabled with the --no-whois
command line argument.
.TP
.BR \-\^\-no-fwcheck
psad performs a rudimentary check of the firewall ruleset that
exists on the machine on which psad is deployed to determine
whether or not the firewall has a compatible configuration (i.e.
iptables has been configured to log packets). Passing the
--no-fwcheck or --log-server options will disable this check.
.TP
.BR \-\^\-no-auto-dl
Disable auto danger level assignments. This will instruct psad to not import
any IP addresses or networks from the file
.B /etc/psad/auto_dl.
.TP
.BR \-\^\-no-snort-sids
Disable snort sid processing mode. This will instruct psad to not import
snort rules (for snort SID matching in a policy generated by
.BR fwsnort ).
.TP
.BR \-\^\-no-signatures
Disable psad signature processing. Note that this is independent of
snort SID matching in iptables messages generated by
.B fwsnort
and also from the icmp type/code validation routines.
.TP
.BR \-\^\-no-icmp-types
Disable icmp type and code field validation.
.TP
.BR \-\^\-no-passive-os
By default psad will attempt to passively (i.e. without sending
any packets) fingerprint the remote operating system from which
a scan originates. Passing the --no-passive-os option will
disable this feature.
.TP
.BR \-\^\-no-rdns
.B psad
normally attempts to find the name associated with a
scanning IP address, but this feature can be disabled with
the --no-rdns command line argument.
.TP
.BR \-\^\-no-kmsgsd
Disable startup of kmsgsd. This option is most useful for debugging
with individual iptables messages so that new messages are not appended
to the
.B /var/log/psad/fwdata
file.
.TP
.BR \-\^\-no-netstat
By default for iptables firewalls psad will determine whether
or not your machine is listening on a port for which a tcp
signature has been matched. Specifying --no-netstat
disables this feature.
.TP
.BR \-h ", " \-\^\-help
Print a page of usage information for psad and exit.
.SH FILES
.B /etc/psad/psad.conf
.RS
The main psad configuration file which contains the configuration variables
mentioned in the section below.
.RE

.B /etc/psad/fw_search.conf
.RS
Used to configure the strategy both
.B psad
and
.B kmsgsd
employ to parse iptables messages. Using configuration directives within
this file, psad can be configured to parse all iptables messages or only
those that match specific log prefix strings (see the --log-prefix option
to iptables).
.RE

.B /etc/psad/signatures
.RS
Contains the signatures
.B psad
uses to recognize nasty traffic. The
signatures are written in a manner similar to the *lib signature
files used in the snort IDS.
.RE

.B /etc/psad/icmp_types
.RS
Contains all valid icmp types and corresponding codes as defined by RFC 792.
By default, icmp packets are validated against these values and an alert
will be generated if a non-matching icmp packet is logged by iptables.
.RE

.B /etc/psad/snort_rules/*.rules
.RS
Snort rules files that are consulted by default unless the --no-snort-sids
command line argument is given.
.RE

.B /etc/psad/auto_dl
.RS
Contains a listing of any IP addresses that should be assigned
a danger level based on any traffic that is logged by the
firewall. The syntax is "<IP address> <danger level>" where
<danger level> is an integer from 0 to 5, with 0 meaning to ignore
all traffic from <IP address>, and 5 meaning to assign the highest danger
level to <IP address>.
.RE

.B /etc/psad/posf
.RS
Contains a listing of all passive operating system fingerprinting
signatures. These signatures include packet lengths, ttl, tos,
IP id, and tcp window size values that are specific to various
operating systems.
.RE
.SH PSAD CONFIGURATION VARIABLES
This section describes what each of the more important
.B psad
configuration variables does and how they can be tuned to meet your
needs. Most of the variables are located in the
.B psad
configuration file
.B /etc/psad/psad.conf
but the FW_SEARCH_ALL and FW_MSG_SEARCH variables are located in the
file
.B /etc/psad/fw_search.conf.
Each variable is assigned sensible defaults for most network
architectures during the install process. More information on psad config
keywords may be found at:
.B http://www.cipherdyne.org/psad/config.html
.TP
.BR EMAIL_ADDRESSES
Contains a comma-separated list of email addresses to which email alerts
will be sent. The default is "root@localhost".
.TP
.BR HOSTNAME
Defines the hostname of the machine on which
.B psad
is running. This will be
used in the email alerts generated by psad.
.TP
.BR HOME_NET
Defines the internal network(s) that are connected to the local system.
This will be used in the signature matching code to determine whether traffic
matches snort rules, which invariably contain a source and destination
network. Multiple networks are supported as a comma separated list, and
each network should be specified in CIDR notation. Normally the network(s)
contained in the HOME_NET variable should be directly connected to the
machine that is running psad.
.TP
.BR IMPORT_OLD_SCANS
Preserve scan data across restarts of
.B psad
or even across reboots of the machine. This is accomplished by importing
the data contained in the filesystem cache psad writes to during normal
operation back into memory as psad is started. The filesystem cache data
is contained within the directory
.B /var/log/psad.
.TP
.BR FW_SEARCH_ALL
Defines the search mode
.B psad
uses to parse iptables messages. By default FW_SEARCH_ALL is set to "Y"
since normally most people want all iptables log messages to be parsed for
scan activity. However, if FW_SEARCH_ALL is set to "N", psad
will only parse those iptables log messages that match certain search
strings that appear in iptables logs with the --log-prefix option. This is
useful for restricting psad to only operate on specific iptables chains or
rules. The strings that will be searched for are defined with the FW_MSG_SEARCH
variable (see below). The FW_SEARCH_ALL variable is defined in the file
.B /etc/psad/fw_search.conf
since it is referenced by both psad and kmsgsd.
.TP
.BR FW_MSG_SEARCH
Defines a set of search strings that
.B psad
uses to identify iptables messages that should be parsed for scan activity.
These search strings should match the log prefix strings specified
in the iptables ruleset with the --log-prefix option, and the default value
for FW_MSG_SEARCH is "DROP". Note that
.B psad
normally parses all iptables messages, and so the FW_MSG_SEARCH variable
is only needed if FW_SEARCH_ALL (see above) is set to "N". The FW_MSG_SEARCH
variable is referenced by both
.B psad
and
.B kmsgsd
so it lives in the file
.B /etc/psad/fw_search.conf.
.TP
.BR SYSLOG_DAEMON
Defines the specific syslog daemon that
.B psad
should interface with. Psad supports three syslog daemons:
.B syslogd,
.B syslog-ng,
and
.B metalog.
The default value of SYSLOG_DAEMON is
.B syslogd.
.TP
.BR IGNORE_PORTS
Specifies a list of port ranges and/or individual ports and corresponding protocols
that
.B psad
should completely ignore. This is particularly useful for ignoring ports that are
used as a part of a port knocking scheme (such as
.B fwknop
http://www.cipherdyne.org/fwknop/) for network authentication since such log
messages generated by the knock sequence may otherwise be interpreted as a scan.
Multiple ports and/or port ranges may be specified as a comma-separated list, e.g.
"tcp/22, tcp/61000-61356, udp/53".
.TP
.BR ENABLE_PERSISTENCE
If "Y", psad will keep all scans in memory and not let them time out.
This can help discover stealthy scans where an attacker tries to slip beneath
IDS thresholds by only scanning a few ports over a long period of time.
ENABLE_PERSISTENCE is set to "Y" by default.
.TP
.BR SCAN_TIMEOUT
If ENABLE_PERSISTENCE is "N" then psad will use the value set by SCAN_TIMEOUT
to remove packets from the scan threshold calculation. The default is 3600
seconds (1 hour).
.TP
.BR DANGER_LEVEL{1,2,3,4,5}
psad uses a scoring system to keep track of the severity a scan reaches
(represented as a "danger level") over time. The DANGER_LEVEL{n} variables
define the number of packets that must be dropped by the firewall before psad
will assign the respective danger level to the scan. A scan may also be
assigned a danger level if the scan matches a particular signature contained
in the
.B signatures
file. There are five
possible danger levels with one being the lowest and five the highest.
Note there are several factors that can influence how danger levels are
calculated: whether or not a scan matches a signature listed in
.B /etc/psad/signatures,
the value of PORT_RANGE_SCAN_THRESHOLD (see below), whether or not a scan comes
from an IP that is listed in the
.B /etc/psad/auto_dl
file, and finally whether or not scans are allowed to time out
as determined by SCAN_TIMEOUT above. If a signature is matched or the scanning
IP is listed in
.B /etc/psad/auto_dl,
then the corresponding danger level is automatically assigned to the scan.
.TP
.BR PORT_RANGE_SCAN_THRESHOLD
Defines the minimum difference between the lowest port and the highest port
scanned before an alert is sent (the default is 1 which means that at least
two ports must be scanned to generate an alert). For example, suppose an IP
repeatedly scans a single port for which there is no special signature in
.B signatures.
Then if PORT_RANGE_SCAN_THRESHOLD=1, psad will never send
an alert for this "scan" no matter how many packets are sent to the port (i.e.
no matter what the value of DANGER_LEVEL1 is). The reason for the default of
1 is that a "scan" usually means that at least two ports are probed, but if
you want psad to be extra paranoid you can set PORT_RANGE_SCAN_THRESHOLD=0
to alert on scans to single ports (as long as the number of packets also
exceeds DANGER_LEVEL1).
.TP
.BR SHOW_ALL_SIGNATURES
If "Y", psad will display all signatures detected from a single scanning
IP since a scan was first detected instead of just displaying newly-detected
signatures. SHOW_ALL_SIGNATURES is set to "N" by default. All signatures are
listed in the file
.B /etc/psad/signatures.
.TP
.BR SNORT_SID_STR
Defines the string kmsgsd will search for in iptables log messages that are
generated by iptables rules designed to detect traffic that matches snort rules.
The default is "SID". See
.B fwsnort
(http://www.cipherdyne.org/fwsnort/).
.TP
.BR ENABLE_DSHIELD_ALERTS
Enable dshield alerting mode. This will send a parsed version of iptables log
messages to dshield.org which is a (free) distributed intrusion detection service.
For more information, see http://www.dshield.org/
.TP
.BR IGNORE_CONNTRACK_BUG_PKTS
If "Y", all tcp packets that have the ACK or RST flag bits set will be ignored
by psad since usually we see such packets being blocked as a result of the
iptables connection tracking bug. Note there are no signatures that make use
of the RST flag and very few that use the ACK flag.
.TP
.BR ALERT_ALL
If "Y", send email for all new bad packets instead of just when a danger
level increases. ALERT_ALL is set to "Y" by default.
.TP
.BR PSAD_EMAIL_LIMIT
Defines the maximum number of emails that will be sent for a single scanning
IP (default is 50). This variable gives you some protection from psad
sending countless alerts if an IP scans your machine constantly.
.B psad
will send a special alert if an IP has exceeded the email limit. If
PSAD_EMAIL_LIMIT is set to zero, then psad will ignore the limit and send
alert emails indefinitely for any scanning IP.
.TP
.BR EMAIL_ALERT_DANGER_LEVEL
Defines the danger level a scan must reach before any alert is sent.
This variable is set to 1 by default.
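.PP
The rules for FW_MSG_SEARCH, IGNORE_PORTS, IGNORE_CONNTRACK_BUG_PKTS, the auto_dl
file, DANGER_LEVEL{n}, PORT_RANGE_SCAN_THRESHOLD and EMAIL_ALERT_DANGER_LEVEL, worked
through as an added Python example that is not part of psad itself; the threshold
values, auto_dl entries and iptables log lines in it are constructed for the illustration.

```python
"""Added example (not psad's own code): toy version of the man page's scoring rules on constructed log lines."""
import re

FW_SEARCH_ALL = "N"                      # "N": only parse messages matching FW_MSG_SEARCH
FW_MSG_SEARCH = ["DROP"]                 # --log-prefix strings to look for
IGNORE_PORTS = "tcp/22, tcp/61000-61356, udp/53"
IGNORE_CONNTRACK_BUG_PKTS = "Y"          # skip tcp packets carrying ACK or RST
PORT_RANGE_SCAN_THRESHOLD, EMAIL_ALERT_DANGER_LEVEL = 1, 1
DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}   # constructed DANGER_LEVEL{n}
AUTO_DL = {"10.0.0.9": 0, "192.0.2.77": 5}                  # constructed auto_dl file
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_ignore_ports(spec):
    """'tcp/22, tcp/61000-61356, udp/53' -> [(proto, low, high), ...]."""
    ranges = []
    for item in spec.split(","):
        proto, ports = item.strip().lower().split("/")
        low, _, high = ports.partition("-")
        ranges.append((proto, int(low), int(high or low)))
    return ranges

def parse_fw_msg(line):
    """KEY=VALUE fields of an iptables log line, or None if it should not be parsed."""
    _, sep, msg = line.partition("kernel:")
    fields = dict(FIELD_RE.findall(msg))
    if not sep or "SRC" not in fields or "PROTO" not in fields or (
            FW_SEARCH_ALL != "Y" and not any(s in msg for s in FW_MSG_SEARCH)):
        return None
    fields["FLAGS"] = {t for t in msg.split() if t in ("SYN", "ACK", "RST", "FIN", "PSH", "URG")}
    return fields

def danger_level(src, pkts):
    """An auto_dl entry wins outright; otherwise the dropped-packet count decides."""
    if src in AUTO_DL:
        return AUTO_DL[src]
    return max([n for n, need in DANGER_LEVELS.items() if pkts >= need], default=0)

def analyze(lines):
    """Collect destination ports per source IP and decide which sources would alert."""
    ignore = parse_ignore_ports(IGNORE_PORTS)
    scans = {}                                       # src IP -> list of counted DPT values
    for line in lines:
        f = parse_fw_msg(line)
        if f is None:
            continue
        proto, dpt = f["PROTO"].lower(), int(f.get("DPT") or 0)
        if proto == "tcp" and IGNORE_CONNTRACK_BUG_PKTS == "Y" and f["FLAGS"] & {"ACK", "RST"}:
            continue                                 # conntrack-bug packet, see BUGS
        if any(p == proto and lo <= dpt <= hi for p, lo, hi in ignore):
            continue                                 # port listed in IGNORE_PORTS
        scans.setdefault(f["SRC"], []).append(dpt)
    report = {}
    for src, ports in scans.items():
        dl, prange = danger_level(src, len(ports)), max(ports) - min(ports)
        # an auto_dl listing is treated like a signature match: the level is assigned
        # outright, so PORT_RANGE_SCAN_THRESHOLD only gates sources scored by packet count
        alert = dl >= EMAIL_ALERT_DANGER_LEVEL and (src in AUTO_DL or prange >= PORT_RANGE_SCAN_THRESHOLD)
        report[src] = {"pkts": len(ports), "port_range": prange, "danger_level": dl, "alert": alert}
    return report

def mk_line(src, dpt, flags="SYN", prefix="DROP"):
    """Constructed iptables log line in the layout the kernel emits."""
    return (f"Jun  5 10:00:01 fw kernel: {prefix} IN=eth0 OUT= SRC={src} DST=198.51.100.2 LEN=40 "
            f"TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

SAMPLE_LOG = (
    [mk_line("203.0.113.5", p) for p in (21, 23, 25, 80, 110, 139, 143)]  # 7 SYNs, ports 21-143
    + [mk_line("203.0.113.5", 22),                    # tcp/22 is in IGNORE_PORTS
       mk_line("203.0.113.5", 443, flags="ACK"),      # conntrack-bug packet
       mk_line("203.0.113.5", 8080, prefix="ACCEPT")]  # lacks the FW_MSG_SEARCH prefix
    + [mk_line("198.51.100.9", 80)] * 6               # one port hit six times
    + [mk_line("10.0.0.9", p) for p in range(1, 8)]   # auto_dl danger level 0
    + [mk_line("192.0.2.77", 3389)]                   # auto_dl danger level 5
)
```

Calling analyze(SAMPLE_LOG) yields one entry per source IP; only 203.0.113.5 (seven ports, danger level 1) and 192.0.2.77 (auto_dl level 5) would alert, while the single-port and auto_dl-0 sources are scored but stay silent.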
.TP
.BR ENABLE_AUTO_IDS
.B psad
has the capability of dynamically blocking all traffic from an IP that
has reached a (configurable) danger level through modification of iptables
or tcpwrapper rulesets.
.B IMPORTANT:
This feature is disabled by default since it is possible for an attacker
to spoof packets from a well known (web)site in an effort to make it
look as though the site is scanning your machine, and then psad will
consequently block all access to it. Also, psad works by parsing firewall
messages for packets the firewall has already dropped, so the "scans" are
unsuccessful anyway. However, some administrators prefer to take this risk
anyway reasoning that they can always review which sites are being blocked
and manually remove the block if necessary (see the
.B --Flush
option). Your mileage will vary.
.TP
.BR AUTO_IDS_DANGER_LEVEL
Defines the danger level a scan must reach before psad will automatically
block the IP (ENABLE_AUTO_IDS must be set to "Y").
.SH EXAMPLES
The following examples illustrate the command line arguments that could
be supplied to psad in a few situations:
.PP
Signature checking, passive OS fingerprinting, and automatic IP danger
level assignments are enabled by default without having to specify any
command line arguments (best for most situations):
.PP
.B # psad
.PP
Same as above, but this time we use the init script to start psad:
.PP
.B # /etc/init.d/psad start
.PP
Use psad as a forensics tool to analyze an old iptables logfile (psad defaults
to analyzing the
.B /var/log/messages
file if the -m option is not specified):
.PP
.B # psad -A -m <iptables logfile>
.PP
The
.B psad.conf,
.B signatures,
and
.B auto_dl
files are normally
located within the /etc/psad/ directory, but the paths to each of these
files can be changed:
.PP
.B # psad -c <config file> -s <signatures file> -a <auto ips file>
.PP
Disable the firewall check and the local port lookup subroutines; most useful
if psad is deployed on a syslog logging server:
.PP
.B # psad --log-server --no-netstat
.PP
Disable reverse dns and whois lookups of scanning IP addresses; most useful
if speed of psad is the main concern:
.PP
.B # psad --no-rdns --no-whois
.SH DEPENDENCIES
.B psad
requires that iptables is configured with a "drop and log" policy for any
traffic that is not explicitly allowed through. This is consistent with a
secure network configuration since all traffic that has not been explicitly
allowed should be blocked by the firewall ruleset. By default, psad attempts
to determine whether or not the firewall has been configured in this way. This
feature can be disabled with the --no-fwcheck or --log-server options. The
--log-server option is useful if psad is running on a syslog logging server
that is separate from the firewall. For more information on compatible iptables
rulesets, see the
.B FW_EXAMPLE_RULES
file that is bundled with the psad source distribution.
.PP
.B psad
also requires that syslog be configured to write all kern.info messages to
the named pipe
\fB/var/lib/psad/psadfifo\fR. A simple
.IP
.B echo -e 'kern.info\\\\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf
.PP
will do. Remember also to restart \fBsyslog\fR after the changes to
this file.
.SH DIAGNOSTICS
The --debug option can be used to display crucial information
about the psad data structures on STDOUT as a scan generates firewall
log messages. --debug disables daemon mode execution.
.PP
Another more effective way to peer into the runtime execution of psad
is to send (as root) a USR1 signal to the psad process which will
cause psad to dump the contents of the %Scan hash to
.B /var/log/psad/scan_hash.$$
where
.B $$
represents the pid of the psad process.
.SH "SEE ALSO"
.BR iptables (8),
.BR kmsgsd (8),
.BR psadwatchd (8),
.BR fwsnort (8),
.BR snort (8),
.BR nmap (1),
.BR p0f (1).
.SH AUTHOR
Michael Rash <mbr@cipherdyne.org>
.SH BUGS
Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are
always welcome as well.
.PP
-For iptables firewalls as of Linux kernel version 2.4.26, if the ip_conntrack
module is loaded (or compiled into the kernel) and the firewall has been
configured to keep state of connections, occasionally packets that are supposed
to be part of normal TCP traffic will not be correctly identified due to a bug
in the firewall state timeouts and hence dropped. Such packets will then be
interpreted as a scan by psad even though they are not part of any malicious
activity. Fortunately, an interim fix for this problem is to simply extend the
TCP_CONNTRACK_CLOSE_WAIT timeout value in
linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c from 60 seconds to 2 minutes,
and a set of kernel patches is included within the patches/ directory in the
psad sources to change this. (Requires a kernel recompile of course; see the
Kernel-HOWTO.) Also, by default the IGNORE_CONNTRACK_BUG_PKTS variable is set
to "Y" in psad.conf which causes psad to ignore all tcp packets that have the
ACK bit set unless the packets match a specific signature.
.SH DISTRIBUTION
.B psad
is distributed under the GNU General Public License (GPL), and the latest
version may be downloaded from:
.B http://www.cipherdyne.org/