Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

psad: Intrusion Detection and Log Analysis with iptables

Fetching latest commit…

Cannot retrieve the latest commit at this time

README
psad (Port Scan Attack Detector)
Version:  1.2
Author:   Michael Rash (mbr@cipherdyne.org)
Website:  http://www.cipherdyne.org

Thanks to: (see the CREDITS file).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DESCRIPTION:

    The Port Scan Attack Detector (psad) is a collection of three lightweight
system daemons written in Perl and in C that are designed to work with Linux
iptables firewalling code (iptables in the 2.4.x kernels) to detect port scans
and other suspect traffic.  It features a set of highly configurable danger
thresholds (with sensible defaults provided), verbose alert messages that
include the source, destination, scanned port range, begin and end times,
tcp flags and corresponding nmap options (Linux 2.4.x kernels only), reverse
DNS info, email and syslog alerting, and automatic blocking of offending ip
addresses via dynamic configuration of iptables firewall rulesets.  In
addition, psad incorporates many of the tcp, udp, and icmp signatures included
in the Snort intrusion detection system (http://www.snort.org) to detect
highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend,
SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin,
xmas) which are easily leveraged against a machine via nmap.  psad can also
alert on snort signatures that are logged via fwsnort (which makes use of the
iptables string match module to detect application layer signatures).  See the
"--snort-sids" command line option.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
METHODOLOGY:

    All information psad analyzes is gathered from iptables log messages.
psad creates a named pipe (/var/lib/psad/psadfifo) and reconfigures syslog to
write kern.info messages to the pipe.  As log messages are generated by
iptables a separate daemon (called kmsgsd) reads any messages that match a
particular regular expression designed to catch dropped/rejected packets out
of the pipe and write them to a separate file (/var/log/psad/fwdata).  psad is
then responsible for reading messages as they are generated from this file and
applying the danger threshold and signature logic in order to determine
whether or not a port scan has taken place, send appropriate alert emails,
and (optionally) block offending ip addresses.  psad includes a signal
handler such that if a USR1 signal is received, psad will dump the contents
of the current scan hash data structure to /var/log/psad/scan_hash.$$ where
"$$" represents the pid of the running psad daemon.

    NOTE:  Since psad relies on iptables to generate appropriate log messages
for unauthorized packets, psad is only as good as the logging rules included
in the iptables ruleset.  Usually the best way setup the firewall is with a
default "drop and log" rule at the end of the ruleset, and include rules above
this last rule that only allow traffic that should be allowed through.  Upon
execution, the psad daemon will attempt to ascertain whether or not such a
default deny rule exists, and will warn the administrator if it doesn't.  See
the FW_EXAMPLE_RULES file for example firewall rulesets that are compatible
with psad.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
INSTALLATION:

    (See the INSTALL file in the psad sources directory.)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PLATFORMS:

    psad has been tested on RedHat 6.2 and 7.3 running kernels 2.2.14-5.0,
2.2.18, 2.4.0, 2.4.17, and 2.4.20, although it should work on any Linux system
that has a properly configured firewall.  The only program that specifically
depends on the RedHat architecture is psad-init, which specifically depends on
/etc/rc.d/init.d/functions.  For non-RedHat systems a more generic init
script is included called "psad-init.generic".  The psad init scripts are
mostly included as a nicety; psad can be run from the command line like any
other program.

Ipfilter support on *BSD boxes is coming soon.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
COPYRIGHT:

Copyright (C)1999,2000,2001 Michael Rash (mbr@cipherdyne.org)

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

psad makes use of many of the tcp, udp, and icmp signatures available in
Snort (written by Marty Roesch, see http://www.snort.org).


$Id$
Something went wrong with that request. Please try again.