### psad configuration. Syntax as used throughout this file: one "KEY value;"
### per line, optional trailing "###" comment, and "$KEY" expanding to the value
### of an earlier key. INSTALL_ROOT below is a relative path, so this looks like a
### test/fixture copy rather than a deployed /etc/psad/psad.conf — confirm.
EMAIL_ADDRESSES root@localhost; ### alert recipients; ALERTING_METHODS below is "nomail", so presumably unused here
HOSTNAME _CHANGEME_; ### placeholder; must be replaced with the real host name before this config is used
HOME_NET any; ### both nets are "any", so every $HOME_NET server list below matches every address
EXTERNAL_NET any;
FW_SEARCH_ALL Y;
FW_MSG_SEARCH DROP; ### presumably the string searched for in firewall log lines — confirm
SYSLOG_DAEMON syslogd;
IFCFGTYPE ifconfig; ### interface query tool; see ifconfigCmd / ipCmd at the bottom
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15; ### DL1..DL5 are ascending packet-count thresholds
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
CHECK_INTERVAL 5;
SNORT_SID_STR SID;
ENABLE_PSADWATCHD Y;
PORT_RANGE_SCAN_THRESHOLD 1;
PROTOCOL_SCAN_THRESHOLD 5;
ENABLE_PERSISTENCE Y;
SCAN_TIMEOUT 3600; ### seconds
PERSISTENCE_CTR_THRESHOLD 5;
MAX_SCAN_IP_PAIRS 0; ### 0 presumably means no limit, as with EMAIL_LIMIT below — confirm
SHOW_ALL_SIGNATURES N;
ALERTING_METHODS nomail; ### e-mail alerting disabled; syslog output (ENABLE_SIG_MSG_SYSLOG) is the remaining alert channel
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages; ### firewall log source that is parsed; must be readable by the daemon
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;
EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
IGNORE_PROTOCOLS NONE;
IGNORE_INTERFACES eth1, eth0.1; ### log lines from these interfaces are skipped (per the key name); detection coverage is lost there — confirm this is intended
IGNORE_LOG_PREFIXES NONE;
MIN_DANGER_LEVEL 1;
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_IPV6_DETECTION Y;
ENABLE_INTF_LOCAL_NETS Y;
ENABLE_MAC_ADDR_REPORTING N;
ENABLE_FW_LOGGING_CHECK Y;
EMAIL_LIMIT 0;
ENABLE_EMAIL_LIMIT_PER_DST N;
EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_THROTTLE 0;
ALERT_ALL Y;
IMPORT_OLD_SCANS N;
SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;
TOP_SCANS_CTR_THRESHOLD 1;
ENABLE_DSHIELD_ALERTS N; ### disabled; enabling sends scan data to the external address below
DSHIELD_ALERT_EMAIL reports@dshield.org;
DSHIELD_ALERT_INTERVAL 6; ### hours
DSHIELD_USER_ID 0;
DSHIELD_USER_EMAIL NONE;
DSHIELD_DL_THRESHOLD 0;
### Snort-style network/port variables used by the signature set.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; ### note: 64.12.26.14/24 has host bits set unlike the other entries — likely meant 64.12.26.0/24, confirm
HTTP_PORTS 80;
SHELLCODE_PORTS !80; ### negated: every port except 80
ORACLE_PORTS 1521;
ENABLE_SNORT_SIG_STRICT Y;
### Automatic blocking. Disabled here; the AUTO_* and IPT_AUTO_CHAIN* keys
### only take effect when ENABLE_AUTO_IDS is Y.
ENABLE_AUTO_IDS N;
AUTO_IDS_DANGER_LEVEL 5;
AUTO_BLOCK_TIMEOUT 3600;
AUTO_BLOCK_DL1_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT 0; ### permanent
ENABLE_AUTO_IDS_REGEX N;
AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS N;
ENABLE_AUTO_IDS_EMAILS Y;
IPTABLES_BLOCK_METHOD Y;
### Chain specs appear to be: target, src|dst|both, table, built-in chain,
### jump-rule position, psad chain name, rule position — confirm against the psad docs.
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT Y; ### presumably flushes only the PSAD_BLOCK_* chains above at start-up — confirm before relying on it
IPTABLES_PREREQ_CHECK 1;
TCPWRAPPERS_BLOCK_METHOD N; ### would write to ETC_HOSTS_DENY_FILE below when enabled
WHOIS_TIMEOUT 60; ### seconds
WHOIS_LOOKUP_THRESHOLD 20;
ENABLE_WHOIS_FORCE_ASCII N;
ENABLE_WHOIS_FORCE_SRC_IP N;
DNS_LOOKUP_THRESHOLD 20;
ENABLE_EXT_SCRIPT_EXEC N; ### external script execution disabled
EXTERNAL_SCRIPT /bin/true; ### run only when the flag above is Y; keep it a root-owned, non-writable path since it executes with the daemon's privileges
EXEC_EXT_SCRIPT_PER_ALERT N;
DISK_CHECK_INTERVAL 300; ### seconds
DISK_MAX_PERCENTAGE 95;
DISK_MAX_RM_RETRIES 10;
ENABLE_SCAN_ARCHIVE N;
TRUNCATE_FWDATA Y;
MIN_ARCHIVE_DANGER_LEVEL 1;
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures; ### plain http; nothing in this file authenticates the download, so verify fetched signatures out of band or use an https endpoint if one is offered
PSADWATCHD_CHECK_INTERVAL 5; ### seconds
PSADWATCHD_MAX_RETRIES 10;
### Directory layout. INSTALL_ROOT is relative, so every $INSTALL_ROOT path is
### resolved against the working directory — fine for a test tree, not for production.
INSTALL_ROOT psad-install;
PSAD_DIR $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
SIGS_FILE $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_RSYSLOG_CONF /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE $PSAD_DIR/install.log;
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
TOP_SIGS_FILE $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;
### External commands. Absolute paths avoid $PATH lookups; each binary should be
### root-owned and not group/world-writable. The $INSTALL_ROOT ones are relative here (see above).
iptablesCmd /sbin/iptables;
ip6tablesCmd /sbin/ip6tables;
shCmd /bin/sh;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd $INSTALL_ROOT/usr/sbin/psad;