This file contains a sample psad alert; many more examples can be found
here:
http://www.cipherdyne.org/psad/docs/
Here is an example of a psad alert (version 2.0.2) for a scan for the
Microsoft VNC service against my Linux box (running kernel 2.6.18):
=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [2] (out of 5)
Scanned tcp ports: [5900: 1 packets]
tcp flags: [SYN: 1 packets, Nmap: -sT or -sS]
iptables chain: INPUT (prefix "DROP"), 1 packets
Source: 71.127.83.44
DNS: static-71-127-83-44.aubnin.fios.verizon.net
Destination: 71.127.x.x
Syslog hostname: minastirith
Current interval: Fri Dec 22 12:10:33 2006 (start)
Fri Dec 22 12:10:38 2006 (end)
Overall scan start: Thu Dec 21 20:37:49 2006
Total email alerts: 36
Complete tcp range: [1433-5900]
chain:   interface:   tcp:   udp:   icmp:
INPUT    eth0         44     0      0
[+] tcp scan signatures:
"MISC VNC communication attempt"
dst port: 5900 (no server bound to local port)
flags: SYN
psad_id: 100202
chain: INPUT
packets: 1
classtype: attempted-admin
reference: (url) http://isc.sans.org/port_details.php?port=5900
reference: (url) http://secunia.com/advisories/20107
[+] Whois Information:
Verizon Internet Services Inc. VIS-71-96 (NET-71-96-0-0-1)
71.96.0.0 - 71.127.255.255
PORTAL MAGIC FTTP (NET-71-127-83-40-1)
71.127.83.40 - 71.127.83.47
# ARIN WHOIS database, last updated 2006-12-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=
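The alert above is free text meant for a human reading e-mail; to correlate it with other events a SIEM needs the fields pulled out. The following is an added example, not psad's code and not part of this sample file: a small parser that walks the alert line by line, handles the banner line, the "[+]" section markers, continuation lines (the second "Current interval" timestamp) and the flattened chain/interface table, and records each signature with its references. The PsadAlert and Signature field names are this example's own; the embedded alert is a constructed, abridged copy of the one shown above.

```python
# Added example (not psad's code and not part of the sample file): parse a psad
# e-mail alert like the one above into a record a SIEM can index. Field names are mine.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, abridged copy of the sample alert in this file (psad 2.0.2).
SAMPLE_ALERT = """\
=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [2] (out of 5)
Scanned tcp ports: [5900: 1 packets]
tcp flags: [SYN: 1 packets, Nmap: -sT or -sS]
iptables chain: INPUT (prefix "DROP"), 1 packets
Source: 71.127.83.44
Destination: 71.127.x.x
Syslog hostname: minastirith
Current interval: Fri Dec 22 12:10:33 2006 (start)
Fri Dec 22 12:10:38 2006 (end)
chain: interface: tcp: udp: icmp:
INPUT eth0 44 0 0
[+] tcp scan signatures:
"MISC VNC communication attempt"
dst port: 5900 (no server bound to local port)
flags: SYN
psad_id: 100202
chain: INPUT
packets: 1
classtype: attempted-admin
reference: (url) http://isc.sans.org/port_details.php?port=5900
reference: (url) http://secunia.com/advisories/20107
[+] Whois Information:
=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=
"""

HEADER_RE = re.compile(r"^(?:=-)+=\s+(?P<ts>.+?)\s+(?:=-)+=$")  # banner line
PORT_RE = re.compile(r"(\d+(?:-\d+)?): (\d+) packets")           # "5900: 1 packets"
FLAG_RE = re.compile(r"\b([A-Z][A-Z/]*): (\d+) packets")          # "SYN: 1 packets"
CHAIN_RE = re.compile(r'^iptables chain: (\S+) \(prefix "([^"]*)"\)')
SIMPLE = {"Source": "source", "Destination": "destination", "Syslog hostname": "hostname"}


@dataclass
class Signature:
    name: str
    fields: Dict[str, str] = field(default_factory=dict)   # dst port, psad_id, ...
    references: List[str] = field(default_factory=list)


@dataclass
class PsadAlert:
    timestamp: str = ""
    danger_level: int = 0
    source: str = ""
    destination: str = ""
    hostname: str = ""
    chain: str = ""
    log_prefix: str = ""           # iptables LOG prefix psad matched on
    tcp_ports: Dict[str, int] = field(default_factory=dict)  # port -> packets
    tcp_flags: Dict[str, int] = field(default_factory=dict)  # flag -> packets
    signatures: List[Signature] = field(default_factory=list)


def parse_alert(text: str) -> PsadAlert:
    """Line-oriented state machine: header fields, then per-signature blocks."""
    alert, section, sig = PsadAlert(), "header", None
    for line in (ln.strip() for ln in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:                      # the same banner opens and closes the alert
            alert.timestamp = alert.timestamp or m.group("ts")
        elif line.startswith("[+] "):
            section, sig = line[4:].rstrip(":").lower(), None
        elif section == "header":  # unknown keys and continuation lines are skipped
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "Danger level":
                alert.danger_level = int(re.search(r"\[(\d+)\]", value).group(1))
            elif key == "Scanned tcp ports":
                alert.tcp_ports = {p: int(n) for p, n in PORT_RE.findall(value)}
            elif key == "tcp flags":
                alert.tcp_flags = {f: int(n) for f, n in FLAG_RE.findall(value)}
            elif key == "iptables chain" and CHAIN_RE.match(line):
                alert.chain, alert.log_prefix = CHAIN_RE.match(line).groups()
            elif key in SIMPLE:
                setattr(alert, SIMPLE[key], value)
        elif section == "tcp scan signatures":
            if line.startswith('"') and line.endswith('"'):
                sig = Signature(name=line.strip('"'))
                alert.signatures.append(sig)
            elif sig is not None and ":" in line:
                key, _, value = line.partition(":")
                if key == "reference":  # "(url) http://..." -> keep the URL only
                    sig.references.append(value.strip().split(" ", 1)[-1])
                else:
                    sig.fields[key] = value.strip()
    return alert


def hits_open_port(alert: PsadAlert) -> bool:
    """True when a signature fired on a port with a local listener; psad tags
    the others "(no server bound to local port)", which ranks lower in triage."""
    return any("no server bound" not in s.fields.get("dst port", "")
               for s in alert.signatures)
```

For this alert `hits_open_port()` returns False: port 5900 had no listener, so the event is a dropped probe rather than contact with an exposed VNC service, which is the first thing an analyst wants to know before the Whois block.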