
updated to remove kmsgsd discussion since kmsgsd is basically deprecated at this point
1 parent c15b0e8 commit 79dc2eddaf99a571438a1e394d94e1f7b70c6101 @mrash committed Mar 16, 2012
Showing with 21 additions and 17 deletions.
  1. +21 −17 README
38 README
@@ -1,14 +1,14 @@
psad (Port Scan Attack Detector)
-Version: 1.4.1
+Version: 3.0
Author: Michael Rash (mbr@cipherdyne.org)
-Website: http://www.cipherdyne.org
+Website: http://www.cipherdyne.org/
Thanks to: (see the CREDITS file).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DESCRIPTION:
- The Port Scan Attack Detector (psad) is a collection of three lightweight
+ The Port Scan Attack Detector (psad) is a collection of two lightweight
system daemons written in Perl and in C that are designed to work with Linux
iptables firewalling code to detect port scans and other suspect traffic. It
features a set of highly configurable danger thresholds (with sensible
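Review bot: the daemon count drops from three to two in the DESCRIPTION hunk, but the following context line still says the daemons are "written in Perl and in C"; it is worth confirming that a C daemon still ships after kmsgsd is removed, and naming the two remaining daemons here so the count is self-explanatory to a reader who never saw kmsgsd.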
@@ -30,26 +30,23 @@ application layer signatures.
CONFIGURATION INFORMATION:
Information on config keywords referenced by psad may be found both in the
-psad man(8) page, and also here:
+psad(8) man page, and also here:
http://www.cipherdyne.org/psad/docs/config.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
METHODOLOGY:
All information psad analyzes is gathered from iptables log messages.
-psad creates a named pipe (/var/lib/psad/psadfifo) and reconfigures syslog to
-write kern.info messages to the pipe. As log messages are generated by
-iptables, a separate daemon (called kmsgsd) reads any messages that match a
-particular regular expression designed to catch dropped/rejected packets out
-of the pipe and write them to a separate file (/var/log/psad/fwdata). psad is
-then responsible for reading messages as they are generated from this file and
-applying the danger threshold and signature logic in order to determine
-whether or not a port scan has taken place, send appropriate alert emails,
-and (optionally) block offending ip addresses. psad includes a signal
-handler such that if a USR1 signal is received, psad will dump the contents
-of the current scan hash data structure to /var/log/psad/scan_hash.$$ where
-"$$" represents the pid of the running psad daemon.
+psad by default reads the /var/log/messages file for new iptables messages and
+optionally writes them out to a dedicated file (/var/log/psad/fwdata).
+psad is then responsible for applying the danger threshold and signature logic
+in order to determine whether or not a port scan has taken place, send
+appropriate alert emails, and (optionally) block offending ip addresses. psad
+includes a signal handler such that if a USR1 signal is received, psad will
+dump the contents of the current scan hash data structure to
+/var/log/psad/scan_hash.$$ where "$$" represents the pid of the running psad
+daemon.
NOTE: Since psad relies on iptables to generate appropriate log messages
for unauthorized packets, psad is only as good as the logging rules included
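Review bot: the rewritten METHODOLOGY paragraph presents /var/log/messages as the default source but drops the old text's explanation that syslog must route kern.info iptables messages there; since the NOTE below still says detection is only as good as what reaches the log, add one sentence saying the path is distribution dependent and pointing at the config keyword that overrides it. Also, "optionally writes them out to a dedicated file" leaves unclear whether writing to /var/log/psad/fwdata is on or off by default, and "ip addresses" should read "IP addresses".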
@@ -61,6 +58,13 @@ a default deny rule exists, and will warn the administrator if it doesn't.
See the FW_EXAMPLE_RULES file for example firewall rulesets that are
compatible with psad.
+Additionally, extensive coverage of psad is included in the book "Linux
+Firewalls: Attack Detection and Response" published by No Starch Press, and a
+supporting script in this book is compatible with psad. This script can be
+found here:
+
+http://www.cipherdyne.org/LinuxFirewalls/ch01/
+
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
INSTALLATION:
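Review bot: "a supporting script in this book is compatible with psad" does not say which script or what it does (a ruleset, an install helper, a log parser); naming it next to the URL would save the reader a trip to the site and make the sentence useful even if the link moves.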
@@ -86,7 +90,7 @@ other program.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
COPYRIGHT:
-Copyright (C)1999-2006 Michael Rash (mbr@cipherdyne.org)
+Copyright (C) 1999-2012 Michael Rash (mbr@cipherdyne.org)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by

0 comments on commit 79dc2ed