#
##############################################################################
#
# This is the configuration file for psad (the Port Scan Attack Detector).
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified on the
# command line argument "-c <file>" to psad. Note that there are also
# config files "psadwatchd.conf" and "kmsgsd.conf" for psadwatchd and kmsgsd
# respectively. There is also one additional config file "fw_search.conf"
# that is read by both psad and kmsgsd and defines the strategy psad uses to
# search through iptables log messages. The syntax of psad.conf (as well
# as each of the other config files) is as follows:
#
# Each line has the form "<variable name> <value>;". Note the semicolon
# after the <value>. All characters after the semicolon will be
# ignored to provide space for comments.
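A small parser and sanity checker for this syntax, written in Python as an added example (not psad's own config loader); the sample config below, including its deliberately out-of-range DSHIELD_ALERT_INTERVAL, is constructed, and the checks encode rules stated in the comments of this file.

```python
"""Parser and sanity checker for the psad.conf "<variable> <value>;" syntax.

Added example, not psad's own config loader. SAMPLE_CONF is constructed for
this demonstration; the checks encode rules stated in the psad.conf comments
(DANGER_LEVEL ordering, SYSLOG_DAEMON choices, DSHIELD_ALERT_INTERVAL bounds,
_CHANGEME_ placeholders).
"""
import re

# "<variable name> <value>;" -- everything after the ';' is comment space.
_LINE_RE = re.compile(r"^([A-Za-z0-9_\-]+)\s+([^;]*?)\s*;")
SYSLOG_DAEMONS = {"syslogd", "syslog-ng", "ulogd", "metalog"}

SAMPLE_CONF = """\
### constructed sample, not a real installation
EMAIL_ADDRESSES root@localhost;
HOSTNAME _CHANGEME_;
HOME_NET 10.1.1.0/24, 192.168.10.4/24;
SYSLOG_DAEMON syslogd;        ### trailing comment after the semicolon
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
DSHIELD_ALERT_INTERVAL 36;    ### deliberately outside the 1..24 hour range
syslog-ngCmd /sbin/syslog-ng;
"""


def parse_psad_conf(text):
    """Return {variable: value}; raise ValueError for a non-comment line without ';'."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("line %d: expected '<variable> <value>;'" % lineno)
        conf[m.group(1)] = m.group(2)
    return conf


def split_list(value):
    """Comma-separated values such as HOME_NET or EMAIL_ADDRESSES."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_psad_conf(conf):
    """Return human-readable problems; an empty list means the config passed."""
    problems = []
    for var, val in conf.items():
        if val == "_CHANGEME_":           # shipped placeholders the admin must replace
            problems.append("%s is still set to _CHANGEME_" % var)
    if conf.get("SYSLOG_DAEMON") not in SYSLOG_DAEMONS:  # missing counts as a problem too
        problems.append("SYSLOG_DAEMON must be one of %s" % sorted(SYSLOG_DAEMONS))
    # DANGER_LEVEL1..5 are packet counts, so each level must need more packets than the last.
    levels = [int(conf[k]) for k in ("DANGER_LEVEL%d" % i for i in range(1, 6)) if k in conf]
    if any(a >= b for a, b in zip(levels, levels[1:])):
        problems.append("DANGER_LEVEL thresholds must increase: %s" % levels)
    if "DSHIELD_ALERT_INTERVAL" in conf:  # the file states 1..24 hours
        hours = int(conf["DSHIELD_ALERT_INTERVAL"])
        if not 1 <= hours <= 24:
            problems.append("DSHIELD_ALERT_INTERVAL %d is outside 1..24 hours" % hours)
    return problems


if __name__ == "__main__":
    parsed = parse_psad_conf(SAMPLE_CONF)
    for problem in check_psad_conf(parsed):
        print("psad.conf:", problem)
```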
#
##############################################################################
#
# $Id$
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES root@localhost;

### Machine hostname
HOSTNAME _CHANGEME_;

### Specify the home network. This variable is used to identify
### traffic that matches snort rules in the iptables FORWARD chain.
### Traffic that is directed to, or originates from, the firewall
### itself (i.e. in the INPUT or OUTPUT chains respectively) is
### treated as traffic to or from the HOME_NET by default and hence
### even if the HOME_NET variable is not defined, psad will still
### be able to detect matching scans. A syslog and email warning
### message will be generated if this variable is not defined.
### Normally the network(s) specified here should match a directly
### connected network(s) on the local machine. Multiple networks are
### supported as a comma separated list. The network(s) should be
### specified in CIDR notation. The following lines provide example
### definitions for the HOME_NET variable. NOTE: The HOME_NET
### variable is not used if there is only one network interface on
### the system (i.e. no traffic will be logged via iptables through
### the FORWARD chain). If there is only one network interface on
### the box, then just set this variable to "NOT_USED".

### HOME_NET 192.168.10.4/24;
### HOME_NET 10.1.1.0/24, 192.168.10.4/24;
### HOME_NET NOT_USED; ### only one interface on box
HOME_NET _CHANGEME_;

### Firewall message search strings. NOTE: the FW_MSG_SEARCH variable
### is now located in the file /etc/psad/fw_search.conf. Edit this
### file to configure search strings for psad. The change was made so
### that a single file could be referenced by both psad and kmsgsd for
### search strings in iptables messages.

### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog.
SYSLOG_DAEMON syslogd;

### Danger levels. These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
CHECK_INTERVAL 5;

### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR SID;

### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;

### If "Y", means that scans will never timeout. This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE Y;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds

### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;

### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall. We will
### assume packets will not jump through more than 20 hops on
### average.
MAX_HOPS 20;

### XXX: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID generated by fwsnort (see
### http://www.cipherdyne.org/fwsnort/)
### then psad will see it even if the ack bit is set. See the
### SNORT_SID_STR variable.
IGNORE_CONNTRACK_BUG_PKTS Y;

### define a set of ports to ignore (this is useful particularly
### for port knocking applications since the knock sequence will
### look to psad like a scan). This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol. For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
IGNORE_PORTS NONE;

### allow entire protocols to be ignored. This keyword can accept
### a comma separated list of protocols. Each protocol must match
### the protocol that is specified in a Netfilter log message (case
### insensitively, so both "TCP" and "tcp" are ok).
### IGNORE_PROTOCOLS tcp,udp;
IGNORE_PROTOCOLS NONE;

### allow packets to be ignored based on interface (this is the
### "IN" interface in Netfilter logging messages).
IGNORE_INTERFACES NONE;

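How the IGNORE_* keywords above, IGNORE_CONNTRACK_BUG_PKTS, PORT_RANGE_SCAN_THRESHOLD and the DANGER_LEVEL{n} thresholds combine when applied to Netfilter log lines, as an added Python example that is not psad's own scan-tracking code; the log lines, the scanner addresses and the IGNORE_* values (set to this file's own examples rather than NONE) are all constructed.

```python
"""Apply psad.conf's IGNORE_* keywords, IGNORE_CONNTRACK_BUG_PKTS, PORT_RANGE_SCAN_THRESHOLD
and DANGER_LEVEL{n} to Netfilter log lines. Added example, not psad's scan tracking (which
also weighs signatures and auto_dl entries); log lines are constructed and scanner addresses
come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges."""
import re
from collections import defaultdict

_KV_RE = re.compile(r"([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
CONF = {  # psad.conf defaults; IGNORE_* set to the file's own examples instead of NONE
    "DANGER_LEVEL": [5, 15, 150, 1500, 10000],
    "PORT_RANGE_SCAN_THRESHOLD": 1,
    "IGNORE_CONNTRACK_BUG_PKTS": "Y",
    "IGNORE_PORTS": "tcp/61000-61356, udp/53, udp/5000",
    "IGNORE_PROTOCOLS": "NONE",
    "IGNORE_INTERFACES": "eth1",
}

def _line(src, proto, dpt, flags="SYN", intf="eth0"):
    """Constructed kernel log line in the usual Netfilter LOG target layout."""
    return ("Mar  3 10:01:02 fw kernel: DROP IN=%s OUT= SRC=%s DST=192.168.10.4 "
            "LEN=40 TTL=52 PROTO=%s SPT=40123 DPT=%d %s" % (intf, src, proto, dpt, flags))

SAMPLE_LOG = (
    [_line("203.0.113.7", "TCP", p) for p in (21, 22, 23, 25, 80, 443, 8080)]  # 7 SYNs, 7 ports
    + [_line("203.0.113.9", "UDP", 53, flags="") for _ in range(3)]          # udp/53: IGNORE_PORTS
    + [_line("198.51.100.5", "TCP", 22, intf="eth1") for _ in range(6)]      # IN=eth1: IGNORE_INTERFACES
    + [_line("203.0.113.20", "TCP", 22) for _ in range(6)]                   # 6 SYNs, single port
    + [_line("203.0.113.20", "TCP", 443, flags="ACK")])                      # ack bit set: skipped

def parse_ipt_log(line):
    """KEY=VALUE fields of a Netfilter log line plus the set of TCP flags present."""
    pkt = dict(_KV_RE.findall(line))
    pkt["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return pkt

def parse_ignore_ports(spec):
    """'tcp/61000-61356, udp/53' -> [('tcp', 61000, 61356), ('udp', 53, 53)]; NONE -> []."""
    rules = []
    for item in [] if spec.strip().upper() == "NONE" else spec.split(","):
        proto, ports = item.strip().lower().split("/")
        lo, _, hi = ports.partition("-")
        rules.append((proto, int(lo), int(hi or lo)))
    return rules

def _csv_set(spec):  # lower-cased IGNORE_PROTOCOLS / IGNORE_INTERFACES entries; NONE -> empty
    return set() if spec.strip().upper() == "NONE" else {s.strip().lower() for s in spec.split(",")}

def should_ignore(pkt, conf):
    """Mirror the IGNORE_* keywords and IGNORE_CONNTRACK_BUG_PKTS."""
    proto = pkt.get("PROTO", "").lower()
    if pkt.get("IN", "").lower() in _csv_set(conf["IGNORE_INTERFACES"]):
        return True
    if proto in _csv_set(conf["IGNORE_PROTOCOLS"]):
        return True
    dpt = int(pkt.get("DPT", -1))  # ICMP lines carry no DPT
    if any(proto == p and lo <= dpt <= hi for p, lo, hi in parse_ignore_ports(conf["IGNORE_PORTS"])):
        return True
    # tcp packets with the ACK bit set are skipped (a SNORT_SID_STR match would override this in psad).
    return conf["IGNORE_CONNTRACK_BUG_PKTS"] == "Y" and proto == "tcp" and "ACK" in pkt["FLAGS"]

def danger_level(packet_count, thresholds):
    """Highest DANGER_LEVEL{n} whose packet threshold the count has reached (0 if none)."""
    return sum(1 for t in thresholds if packet_count >= t)

def summarize(lines, conf):
    """Per-source packet count, destination ports, danger level and alert decision."""
    pkts, ports = defaultdict(int), defaultdict(set)
    for pkt in (parse_ipt_log(l) for l in lines):
        if not should_ignore(pkt, conf):
            pkts[pkt["SRC"]] += 1
            ports[pkt["SRC"]].add(int(pkt.get("DPT", 0)))
    report = {}
    for src, count in pkts.items():
        level = danger_level(count, conf["DANGER_LEVEL"])
        # PORT_RANGE_SCAN_THRESHOLD: p2 - p1 must be >= the threshold before psad alerts.
        wide_enough = max(ports[src]) - min(ports[src]) >= conf["PORT_RANGE_SCAN_THRESHOLD"]
        report[src] = {"packets": count, "ports": sorted(ports[src]),
                       "danger_level": level, "alert": level >= 1 and wide_enough}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG, CONF).items():
        print(src, info)
```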
### Send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL 1;

### Include MAC addresses in email alert
ENABLE_MAC_ADDR_REPORTING N;

### Look for the Netfilter logging rule (fwcheck_psad is executed)
ENABLE_FW_LOGGING_CHECK Y;

### Send no more than this number of emails for a single
### scanning source IP. Note that enabling this feature may cause
### alerts for real attacks to not be generated if an attack is sent
### after the email threshold has been reached for an IP address.
### This is why the default is set to "0".
EMAIL_LIMIT 0;

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;

### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;

### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS N;

### Send scan logs to dshield.org. This is disabled by default,
### but it is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS N;

### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL reports@dshield.org;

### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL 6; ### hours

### If you have a DShield user id you can set it here. The
### default is "0".
DSHIELD_USER_ID 0;

### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL NONE;

### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield. Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables log messages will be included
### in DShield email alerts).
DSHIELD_DL_THRESHOLD 0;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS N;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL 5;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT 3600;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM 1;

### Specify chain names to which iptables blocking rules will be
### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<To_chain>.
### "Target": can be any legitimate Netfilter target, but should usually
### be "DROP".
### "Direction": can be "src", "dst", or "both", which correspond to
### the INPUT, OUTPUT, and FORWARD chains.
### "Table": can be any Netfilter table, but the default is "filter".
### "From_chain": is the chain from which packets will be jumped.
### "To_chain": is the chain to which packets will be jumped.
###
### The following defaults make sense for most installations, but note
### it is possible to include blocking rules in, say, the nat table
### using this functionality as well.
#IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, PSAD_BLOCK_INPUT;
#IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, PSAD_BLOCK_OUTPUT;
#IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, PSAD_BLOCK_FORWARD;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, PSAD_BLOCK_INPUT;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, PSAD_BLOCK_OUTPUT;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, PSAD_BLOCK_FORWARD;
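What the five fields of an IPT_AUTO_CHAIN{n} entry translate to, as an added Python example (not psad's own auto-blocking code): it parses the default entries above and renders the chain setup and per-IP blocking rules those fields describe, with IPTABLES_AUTO_RULENUM as the insertion position; the rendering follows the field descriptions in this file rather than psad's implementation, and the blocked address is a constructed one from the 203.0.113.0/24 documentation range.

```python
"""Parse IPT_AUTO_CHAIN{n} values and render the Netfilter rules they describe.

Added example, not psad's own auto-blocking code. The translation of each
<Target>,<Direction>,<Table>,<From_chain>,<To_chain> entry into iptables
commands follows the field descriptions in psad.conf; psad itself may order
or name things differently. The blocked address is constructed.
"""
from collections import namedtuple

AutoChain = namedtuple("AutoChain", "target direction table from_chain to_chain")
DIRECTIONS = ("src", "dst", "both")

# The psad.conf defaults as {keyword: value}, plus the default rule position.
AUTO_CHAINS = {
    "IPT_AUTO_CHAIN1": "DROP, src, filter, INPUT, PSAD_BLOCK_INPUT",
    "IPT_AUTO_CHAIN2": "DROP, dst, filter, OUTPUT, PSAD_BLOCK_OUTPUT",
    "IPT_AUTO_CHAIN3": "DROP, both, filter, FORWARD, PSAD_BLOCK_FORWARD",
}
IPTABLES_AUTO_RULENUM = 1


def parse_auto_chain(value):
    """Split one IPT_AUTO_CHAIN{n} value; raise ValueError on a bad field count or direction."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 5:
        raise ValueError("expected <Target>,<Direction>,<Table>,<From_chain>,<To_chain>, "
                         "got %d fields" % len(fields))
    chain = AutoChain(*fields)
    if chain.direction not in DIRECTIONS:
        raise ValueError("direction must be one of %s, got %r" % (DIRECTIONS, chain.direction))
    return chain


def setup_rules(chain, rulenum=IPTABLES_AUTO_RULENUM):
    """Create To_chain and jump into it from From_chain at position IPTABLES_AUTO_RULENUM."""
    return [
        "iptables -t %s -N %s" % (chain.table, chain.to_chain),
        "iptables -t %s -I %s %d -j %s" % (chain.table, chain.from_chain, rulenum, chain.to_chain),
    ]


def block_rules(chain, ip):
    """Rules blocking one offending IP inside To_chain: 'src' matches it as the
    source (-s), 'dst' as the destination (-d), 'both' (FORWARD) adds one of each."""
    matches = {"src": ["-s"], "dst": ["-d"], "both": ["-s", "-d"]}[chain.direction]
    return ["iptables -t %s -A %s %s %s -j %s" % (chain.table, chain.to_chain, m, ip, chain.target)
            for m in matches]


def all_rules(conf, ip):
    """Setup plus block rules for every IPT_AUTO_CHAIN{n} keyword, in numeric {n} order."""
    keys = sorted((k for k in conf if k.startswith("IPT_AUTO_CHAIN")),
                  key=lambda k: int(k[len("IPT_AUTO_CHAIN"):]))
    cmds = []
    for key in keys:
        chain = parse_auto_chain(conf[key])
        cmds += setup_rules(chain) + block_rules(chain, ip)
    return cmds


if __name__ == "__main__":
    for cmd in all_rules(AUTO_CHAINS, "203.0.113.7"):
        print(cmd)
```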

### Flush all existing rules in the psad chains at psad start time.
FLUSH_IPT_AT_INIT Y;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD N;

### Set the whois timeout
WHOIS_TIMEOUT 60; ### seconds

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD 20;

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD 20;

### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC N;

### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT /bin/true;

### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT N;

### Disk usage variables
DISK_CHECK_INTERVAL 300; ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE 95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES 10;

### Enable archiving of old scan directories at psad startup.
ENABLE_SCAN_ARCHIVE N;

### Truncate fwdata file at startup
TRUNCATE_FWDATA Y;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL 1;

### Email subject line config. Change these prefixes if you want
### psad to generate email alerts that say something other than
### the following.
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];

### Directories
PSAD_DIR /var/log/psad;
PSAD_RUN_DIR /var/run/psad;
PSAD_LIB_DIR /var/lib/psad;
SCAN_DATA_ARCHIVE_DIR /var/log/psad/scan_archive;
ERROR_DIR /var/log/psad/errs;
ANALYSIS_MODE_DIR /var/log/psad/ipt_analysis;
SNORT_RULES_DIR /etc/psad/snort_rules;

### Files
FW_DATA_FILE /var/log/psad/fwdata;
ULOG_DATA_FILE /var/log/psad/ulogd.log;
FW_CHECK_FILE /var/log/psad/fw_check;
PID_FILE /var/run/psad/psad.pid;
CMDLINE_FILE /var/run/psad/psad.cmd;
SIGS_FILE /etc/psad/signatures;
ICMP_TYPES_FILE /etc/psad/icmp_types;
AUTO_DL_FILE /etc/psad/auto_dl;
POSF_FILE /etc/psad/posf;
P0F_FILE /etc/psad/pf.os;
PSAD_FIFO /var/lib/psad/psadfifo;
ETC_HOSTS_DENY /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE /var/log/psad/auto_blocked_tcpwr;

### File used internally by psad to add Netfilter blocking
### rules to a running psad process
AUTO_IPT_SOCK /var/run/psad/auto_ipt.sock;

FW_ERROR_LOG /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE /var/log/psad/packet_ctr;

### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE /var/log/psad/dshield_ctr;

### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE /var/log/psad/ipt_prefix_ctr;

### system binaries
shCmd /bin/sh;
iptablesCmd /sbin/iptables;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
syslogdCmd /sbin/syslogd;
syslog-ngCmd /sbin/syslog-ng; ### only used if SYSLOG_DAEMON = syslog-ng
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd /usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd /usr/sbin/fwcheck_psad;
psadwatchdCmd /usr/sbin/psadwatchd;
kmsgsdCmd /usr/sbin/kmsgsd;
psadCmd /usr/sbin/psad;