removed FW_MSG_SEARCH var since it is now in fw_search.conf, removed …

…PSAD_LOG var git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1027 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
mrash · May 1, 2004 · 2187e5b · 2187e5b
1 parent 575af79
commit 2187e5b
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/psad.conf b/psad.conf
@@ -24,14 +24,7 @@ EMAIL_ADDRESSES             root@localhost;
 ### Machine hostname
 HOSTNAME                    _CHANGEME_;
 
-### The following two variables can be modified to look for logging
-### messages that are specific to your firewall configuration (specified
-### by the "--log-prefix" for iptables firewalls).  For example, if your
-### firewall uses the string "Audit" for packets that have been blocked,
-### then you could set FW_MSG_SEARCH = "Audit";
-FW_MSG_SEARCH               DROP;
-
-### Specify the home network.  This definition is used to identify
+### Specify the home network.  This variable is used to identify
 ### traffic that matches snort rules in the iptables FORWARD chain.
 ### Traffic that is directed to, or originates from, the firewall
 ### itself (i.e. in the INPUT or OUTPUT chains respectively) is
@@ -54,6 +47,12 @@ FW_MSG_SEARCH               DROP;
 ### HOME_NET                NOT_USED;  ### only one interface on box
 HOME_NET                    _CHANGEME_;
 
+### Firewall message search strings.  NOTE: the FW_MSG_SEARCH variable
+### is now located in the file /etc/psad/fw_search.conf.  Edit this
+### file to configure search strings for psad.  The change was made so
+### that a single file could be reference by both psad and kmsgsd for
+### search strings in iptables messages.
+
 ### Danger levels.  These represent the total number of
 ### packets required for a scan to reach each danger level.
 ### A scan may also reach a danger level if the scan trips
@@ -80,7 +79,9 @@ SNORT_SID_STR               SID;
 ### to 0 if you want psad to be extra paranoid, or 30000 if not.
 PORT_RANGE_SCAN_THRESHOLD   1;
 
-### If "Y", means that scans will never timeout.
+### If "Y", means that scans will never timeout.  This is useful
+### for catching scans that take place over long periods of time
+### where the attacker is trying to slip beneath the IDS thresholds.
 ENABLE_PERSISTENCE          Y;
 
 ### This is used only if ENABLE_PERSISTENCE = "N";
@@ -218,7 +219,6 @@ PSAD_SIGS_FILE              /etc/psad/psad_signatures;
 PSAD_ICMP_TYPES_FILE        /etc/psad/psad_icmp_types;
 PSAD_AUTO_IPS_FILE          /etc/psad/psad_auto_ips;
 PSAD_POSF_FILE              /etc/psad/psad_posf;
-PSAD_LOG                    /var/log/psad/psad.log;
 PSAD_FIFO                   /var/lib/psad/psadfifo;
 ETC_HOSTS_DENY              /etc/hosts.deny;
 ETC_SYSLOG_CONF             /etc/syslog.conf;