finished removing ipchains stuff

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@886 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
commit 303b03b8c4cc86573f847ed52d4704fa91fc1828 1 parent 07f0ca4
@mrash authored
6 BENCHMARK
@@ -1,7 +1,7 @@
Kmsgsd Benchmarks:
The basic strategy in benchmarking kmsgsd is to get syslogd to write kern.info
-messages (which include ipchains and iptables log messages) to the
+messages (which include iptables log messages) to the
/var/lib/psad/psadfifo named pipe. Kmsgsd will then read the messages out of the
pipe as quickly as possible and write them to /var/log/psad/fwdata. To
calculate how fast kmsgsd is we then compare the number of newly written
@@ -20,7 +20,7 @@ TEST 1:
- Ethernet: 100MB connection between the two machines.
- Perl: 5.005_03
- Scan command line: nmap -sX -p 5000-60000 <target_machine>
-- Approximate average number of iptables "DENY" messages printed to
+- Approximate average number of iptables "DROP" messages printed to
/var/log/messages: 4400
- Approximate average number of iptables messages caught by kmsgsd and
printed to /var/log/psad/fwdata: 4325
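Review bot: renaming the counted messages from "DENY" to "DROP" is the right relabel (DENY is the ipchains target, iptables uses DROP), but the counts on the unchanged lines (4400 printed, 4325 caught) are the ones measured in the original run on Perl 5.005_03; either state that the numbers were not re-measured after the change or rerun TEST 1 so the figures match the label.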
@@ -36,7 +36,7 @@ TEST 2:
- PIII 500mhz, 128 MB ram, kernel 2.4.0
- Perl 5.005_03
- Scan command line: nmap -sX -p 5000-60000 127.0.0.1
-- Number of iptables "DENY" messages printed to /var/log/messages: 14810
+- Number of iptables "DROP" messages printed to /var/log/messages: 14810
- Number of iptables messages caught by kmsgsd and written to
/var/log/psad/fwdata: 14847
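Review bot: same relabel as TEST 1, but the unchanged context here shows 14847 messages caught and written by kmsgsd against 14810 printed to /var/log/messages, i.e. more lines written than syslog printed; if the benchmark is kept, add a line explaining how the two counts were taken so the discrepancy does not read as a counting error.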
4 ChangeLog
@@ -1,3 +1,7 @@
+psad-1.3 ():
+ - Added support for the iptables output chain.
+ - Removed support for ipchains.
+
psad-1.2.4 (10/15/2003):
- Added danger level to subject line in email alerts.
- Removed diskmond altogether since psad now handles disk space
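Review bot: the new header "psad-1.3 ():" has an empty date field; fill it in or mark the entry as unreleased before tagging. Since "Removed support for ipchains" drops every 2.2.x-kernel installation, the entry should also say that psad 1.3 requires iptables (2.4.x kernels), so anyone reading the ChangeLog on upgrade sees it as a breaking change rather than a cleanup.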
42 INSTALL
@@ -7,31 +7,35 @@ Just run the psad installation script "install.pl":
# ./install.pl
Done. Enough said. :) This will result in a functional installation
-of psad on your system with the default configuration.
+of psad on your system. It is safe to run the install.pl script even
+if you already have psad installed on your system. The configuration
+can (optionally) be preserved from the previous installation.
For more information, read on:
IMPORTANT:
psad makes use of drop/deny/reject messages that are generated
-by ipchains or iptables, and appear in /var/log/messages. Hence if
-your firewall is not configured to drop/deny/reject packets (and log
-them), then psad will NOT detect port scans. Usually the best and most
-secure way to configure your firewall is to first put the minimal rules
-needed to allow only necessary traffic to and from your machine, and
-then have a default drop/deny/reject-and-log rule toward the end of the
-firewall ruleset. Some example firewall rulesets that are compatible
-with psad are contained within the file FW_EXAMPLES.
-
- The functionality of psad is affected by the version of the
-Linux kernel on which the software is deployed. For kernel versions
-2.2.x (and 2.0.x?) the built-in ipchains firewalling code does not have
-any capability to log or distinguish any tcp flags other than syn, or ack.
-Hence, most of the tcp signatures included in psad_signatures cannot be
-detected by psad running on these kernel versions. By contrast, the
-iptables firewalling code (see http://netfilter.gnumonks.org)
-integrated within the 2.4.x kernels can distinguish all tcp flags and
-hence make the signature logic possible within psad.
+by iptables, and appear in /var/log/messages. Hence if your firewall
+is not configured to drop/deny/reject packets (and log them), then psad
+will NOT detect port scans. Usually the best and most secure way to
+configure your firewall is to first put the minimal rules needed to
+allow only necessary traffic to and from your machine, and then have a
+default drop/deny/reject-and-log rule toward the end of the firewall
+ruleset. Some example firewall rulesets that are compatible with psad
+are contained within the file FW_EXAMPLES.
+
+ For psad versions less than 1.3, the functionality of psad is
+affected by the version of the Linux kernel on which the software is
+deployed. For kernel versions 2.2.x (and 2.0.x?) the built-in ipchains
+firewalling code does not have any capability to log or distinguish any
+tcp flags other than syn, or ack. Hence, most of the tcp signatures
+included in psad_signatures cannot be detected by psad running on these
+kernel versions. By contrast, the iptables firewalling code (see
+http://www.netfilter.org) integrated within the 2.4.x kernels can
+distinguish all tcp flags and hence make the signature logic possible
+within psad. NOTE: ipchains support has been removed from psad as of
+version 1.3.
A note on iptables: As of kernel version 2.4.13, there is a bug in the
connection tracking code that denies packets that are part of legitimate
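Review bot: the added sentence "The configuration can (optionally) be preserved from the previous installation" does not say how that option is chosen (an install.pl prompt, a command line flag); name the mechanism so an upgrader knows what to expect. The retained kernel paragraph is now purely historical: the new NOTE already says ipchains support is gone as of 1.3, so either resolve the "(and 2.0.x?)" question mark or cut the paragraph down to the NOTE, rather than spending a paragraph of install instructions on firewall code the release no longer supports.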
68 README
@@ -8,52 +8,50 @@ Thanks to: (see the CREDITS file).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DESCRIPTION:
- The Port Scan Attack Detector (psad) is a collection of four lightweight
+ The Port Scan Attack Detector (psad) is a collection of three lightweight
system daemons written in Perl and in C that are designed to work with Linux
-firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x
-kernels) to detect port scans and other suspect traffic. It features a set of
-highly configurable danger thresholds (with sensible defaults provided),
-verbose alert messages that include the source, destination, scanned port
-range, begin and end times, tcp flags and corresponding nmap options (Linux
-2.4.x kernels only), reverse DNS info, email and syslog alerting, and
-automatic blocking of offending ip addresses via dynamic configuration of
-ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad
-incorporates many of the tcp, udp, and icmp signatures included in the Snort
-intrusion detection system (http://www.snort.org) to detect highly suspect
-scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven),
-DDoS tools (mstream, shaft), and advanced port scans (syn, fin, xmas) which
-are easily leveraged against a machine via nmap. psad can also alert on
-snort signatures that are logged via fwsnort (which makes use of the iptables
-string match module to detect application layer signatures). See the
+iptables firewalling code (iptables in the 2.4.x kernels) to detect port scans
+and other suspect traffic. It features a set of highly configurable danger
+thresholds (with sensible defaults provided), verbose alert messages that
+include the source, destination, scanned port range, begin and end times,
+tcp flags and corresponding nmap options (Linux 2.4.x kernels only), reverse
+DNS info, email and syslog alerting, and automatic blocking of offending ip
+addresses via dynamic configuration of iptables firewall rulesets. In
+addition, psad incorporates many of the tcp, udp, and icmp signatures included
+in the Snort intrusion detection system (http://www.snort.org) to detect
+highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend,
+SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin,
+xmas) which are easily leveraged against a machine via nmap. psad can also
+alert on snort signatures that are logged via fwsnort (which makes use of the
+iptables string match module to detect application layer signatures). See the
"--snort-sids" command line option.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
METHODOLOGY:
- All information psad analyzes is gathered from iptables/ipchains log
-messages. psad creates a named pipe (/var/lib/psad/psadfifo) and
-reconfigures syslog to write kern.info messages to the pipe. As log messages
-are generated by iptables or ipchains, a separate daemon (called kmsgsd) reads
-any messages that match a particular regular expression designed to catch
-dropped/rejected packets out of the pipe and write them to a separate file
-(/var/log/psad/fwdata). psad is then responsible for reading messages as
-they are generated from this file and applying the danger threshold and
-signature logic in order to determine whether or not a port scan has taken
-place, send appropriate alerts to /var/log/psad/scanlog, send alert emails,
+ All information psad analyzes is gathered from iptables log messages.
+psad creates a named pipe (/var/lib/psad/psadfifo) and reconfigures syslog to
+write kern.info messages to the pipe. As log messages are generated by
+iptables a separate daemon (called kmsgsd) reads any messages that match a
+particular regular expression designed to catch dropped/rejected packets out
+of the pipe and write them to a separate file (/var/log/psad/fwdata). psad is
+then responsible for reading messages as they are generated from this file and
+applying the danger threshold and signature logic in order to determine
+whether or not a port scan has taken place, send appropriate alert emails,
and (optionally) block offending ip addresses. psad includes a signal
handler such that if a USR1 signal is received, psad will dump the contents
of the current scan hash data structure to /var/log/psad/scan_hash.$$ where
"$$" represents the pid of the running psad daemon.
- NOTE: Since psad relies on iptables/ipchains to generate appropriate
-log messages for unauthorized packets, psad is only as good as the logging
-rules included in the iptables/ipchains ruleset. Usually the best way setup
-the firewall is with a default "deny and log" rule at the end of the ruleset,
-and include rules above this last rule that only allow traffic that should
-be allowed through. Upon execution, the psad daemon will attempt to
-ascertain whether or not such a default deny rule exists, and will warn the
-administrator if it doesn't. See the FW_EXAMPLE_RULES file for example
-firewall rulesets that are compatible with psad.
+ NOTE: Since psad relies on iptables to generate appropriate log messages
+for unauthorized packets, psad is only as good as the logging rules included
+in the iptables ruleset. Usually the best way setup the firewall is with a
+default "drop and log" rule at the end of the ruleset, and include rules above
+this last rule that only allow traffic that should be allowed through. Upon
+execution, the psad daemon will attempt to ascertain whether or not such a
+default deny rule exists, and will warn the administrator if it doesn't. See
+the FW_EXAMPLE_RULES file for example firewall rulesets that are compatible
+with psad.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
INSTALLATION:
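Review bot: the METHODOLOGY rewrite silently drops "send appropriate alerts to /var/log/psad/scanlog" from the list of psad's outputs; if scanlog is still written, restore that clause, and if it is not, the removal deserves its own ChangeLog line because it is unrelated to ipchains. Also in this hunk: "collection of three lightweight system daemons" corrects the daemon count for the diskmond removal listed under psad-1.2.4, not for this change; "Linux iptables firewalling code (iptables in the 2.4.x kernels)" repeats itself and reads better as "Linux iptables firewalling code in the 2.4.x kernels"; the "(Linux 2.4.x kernels only)" qualifier on tcp flags and nmap options is now redundant; "generated by iptables a separate daemon" needs a comma after "iptables"; "best way setup the firewall" is missing "to"; and the NOTE now says a default "drop and log" rule while the following sentence still calls it a "default deny rule".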
2  install.pl
@@ -80,7 +80,6 @@
my $makeCmd = '/usr/bin/make';
my $killallCmd = '/usr/bin/killall';
my $perlCmd = '/usr/bin/perl';
-my $ipchainsCmd = '/sbin/ipchains';
my $iptablesCmd = '/sbin/iptables';
my $psadCmd = "${USRSBIN_DIR}/psad";
#============ end config ============
@@ -132,7 +131,6 @@
'make' => $makeCmd,
'killall' => $killallCmd,
'perl' => $perlCmd,
-# 'ipchains' => $ipchainsCmd,
'iptables' => $iptablesCmd,
);
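Review bot: with `my $ipchainsCmd` gone and the already-commented `'ipchains'` hash entry removed, the two hunks are consistent with each other, but the fact that the hash entry was commented out earlier suggests this cleanup was done in stages; a grep of install.pl and the configuration it writes for any remaining `ipchains` reference would confirm nothing else still dereferences the variable.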
2  kmsgsd.8
@@ -2,7 +2,7 @@
.TH KMSGSD 8 "November 2002" "Debian/GNU Linux"
.SH NAME
.B kmsgsd
-\- separates ipchains/iptables messages from all other kernel messages.
+\- separates iptables messages from all other kernel messages.
.SH SYNOPSIS
.B kmsgsd
.SH DESCRIPTION
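Review bot: the .TH line in context still carries the date "November 2002"; bump it along with the NAME text so the man page date reflects the edit.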
2  kmsgsd.c
@@ -3,7 +3,7 @@
*
* File: kmsgsd.c
*
-* Purpose: kmsgsd separates ipchains/iptables messages from all other
+* Purpose: kmsgsd separates iptables messages from all other
* kernel messages.
*
* Strategy: read messages from the /var/log/psadfifo named pipe and
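Review bot: the context line "read messages from the /var/log/psadfifo named pipe" in this header comment disagrees with the /var/lib/psad/psadfifo path used by kmsgsd.pl, the README and the psad man page in the same commit; correct it while the header is being touched.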
2  kmsgsd.pl
@@ -4,7 +4,7 @@
#
# File: kmsgsd
#
-# Purpose: kmsgsd separates ipchains/iptables messages from all other
+# Purpose: kmsgsd separates iptables messages from all other
# kernel messages.
#
# Strategy: read message from the /var/lib/psad/psadfifo named pipe and
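Review bot: the context line "read message from the /var/lib/psad/psadfifo named pipe" should read "read messages from", matching the wording in kmsgsd.c.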
37 psad.8
@@ -30,7 +30,7 @@
.B [--no-passive-os] [--no-snort-sids]
.SH DESCRIPTION
.B psad
-makes use of ipchains/iptables log messages to detect, alert, and
+makes use of iptables log messages to detect, alert, and
(optionally) block port scans in real time. psad configures syslog to
write all kern.info messages to a named pipe
.B /var/lib/psad/psadfifo
@@ -90,20 +90,17 @@ line with the --config option.
.BI \-s "\fR,\fP " \-\^\-signatures " signatures-file"
The iptables firewalling code included within the linux 2.4.x kernel
series has the ability to distinguish and log any of the tcp flags
-present within tcp packets that traverse the interfaces. Psad makes
-use of this logging capability to detect several types of tcp scan
+present within tcp packets that traverse the firewall interfaces. Psad
+makes use of this logging capability to detect several types of tcp scan
signatures included within
.B /etc/psad/psad_signatures.
The signatures were
originally included within the Snort intrusion detection
system. New signatures can be included and modifications to existing
signatures can be made to the signature file and psad will import
-the change automatically without having to restart the psad process.
-Unfortunately, tcp signature checking is not compatible with the
-ipchains firewalling code built into the 2.2.x kernel series due
-to the fact that ipchains cannot distinguish any tcp flags other
-than syn and ack. Psad also detects several udp and icmp signatures
-that were originally included within Snort.
+the changes upon receiving a USR1 signal (see the --USR1 command line
+option) without having to restart the psad process. Psad also detects
+many udp and icmp signatures that were originally included within Snort.
.TP
.BI \-\^\-snort-type " type"
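Review bot: this replacement changes documented behaviour, not just ipchains wording: the removed text said signature changes are imported "automatically without having to restart", the new text says they are imported "upon receiving a USR1 signal". The README in this same commit describes USR1 as dumping the scan hash to /var/log/psad/scan_hash.$$, so either both actions happen on USR1 and both documents should say so, or one of them is wrong; also confirm that the "--USR1 command line option" referenced here actually appears in the SYNOPSIS and options list of this man page.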
@@ -476,8 +473,8 @@ EMAIL_ALERT_DANGER_LEVEL is set to 1 by default.
.BR ENABLE_AUTO_IDS
.B psad
has the capability of dynamically blocking all traffic from an ip that
-has reached a (configurable) danger level through modification of tcpwrapper,
-ipchains, or iptables rulesets.
+has reached a (configurable) danger level through modification of iptables
+or tcpwrapper rulesets.
.B IMPORTANT:
This feature is disabled by default since it is possible for an attacker
to spoof packets from a well known (web)site in an effort to make it
@@ -528,15 +525,14 @@ if speed of psad is the main concern:
.SH DEPENDENCIES
.B psad
-requires that ipchains/iptables is configured with a "drop/deny/reject
-and log" policy for any traffic that is not explicitly allowed through.
-This is consistent with a secure network configuration since all traffic
-that has not been explicitly allowed should be blocked by the firewall
-ruleset. By default, psad attempts to determine whether or not the
-firewall has been configured in this way. This feature can be disabled with
-the --no-fwcheck or --log-server options. The --log-server option
-is useful if psad is running on a syslog logging server that is separate
-from the firewall. For more information on compatible ipchains/iptables
+requires that iptables is configured with a "drop and log" policy for any
+traffic that is not explicitly allowed through. This is consistent with a
+secure network configuration since all traffic that has not been explicitly
+allowed should be blocked by the firewall ruleset. By default, psad attempts
+to determine whether or not the firewall has been configured in this way. This
+feature can be disabled with the --no-fwcheck or --log-server options. The
+--log-server option is useful if psad is running on a syslog logging server
+that is separate from the firewall. For more information on compatible iptables
rulesets, see the
.B FW_EXAMPLE_RULES
file that is bundled with the psad source distribution.
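Review bot: the old text required a "drop/deny/reject and log" policy and the new text narrows it to "drop and log", while INSTALL in the same commit still says "drop/deny/reject-and-log"; pick one phrasing, since REJECT rules that log are presumably still acceptable input for psad and the narrower wording suggests otherwise.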
@@ -566,7 +562,6 @@ represents the pid of the psad process.
.SH "SEE ALSO"
.BR iptables (8),
-.BR ipchains (8),
.BR kmsgsd (8),
.BR psadwatchd (8),
.BR snort (8),