#
##############################################################################
#
#  This is the configuration file for psad (the Port Scan Attack Detector).
#  Normally this file gets installed at /etc/psad/psad.conf, but can be put
#  anywhere in the filesystem and then the path can be specified on the
#  command line argument "-c <file>" to psad.  Note that there are also
#  config files "psadwatchd.conf" and "kmsgsd.conf" for psadwatchd and kmsgsd
#  respectively.  There is also one additional config file "fw_search.conf"
#  that is read by both psad and kmsgsd and defines the strategy psad uses to
#  search through iptables log messages.  The syntax of psad.conf (as well
#  as each of the other config files) is as follows:
#
#  Each line has the form "<variable name>    <value>;".  Note the semi-
#  colon after the <value>.  All characters after the semicolon will be
#  ignored to provide space for comments.
#
##############################################################################
#
#  $Id: psad.conf,v 1.89 2004/06/19 23:06:00 mbr Exp $
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    spider;

### Specify the home network.  This variable is used to identify
### traffic that matches snort rules in the iptables FORWARD chain.
### Traffic that is directed to, or originates from, the firewall
### itself (i.e. in the INPUT or OUTPUT chains respectively) is
### treated as traffic to or from the HOME_NET by default and hence
### even if the HOME_NET variable is not defined, psad will still
### be able to detect matching scans.  A syslog and email warning
### message will be generated if this variable is not defined.
### Normally the network(s) specified here should match a directly
### connected network(s) on the local machine.  Multiple networks are
### supported as a comma separated list.  The network(s) should be
### specified in CIDR notation (network address plus prefix length).
### The following lines provide example definitions for the HOME_NET
### variable.
### NOTE: The HOME_NET
### variable is not used if there is only one network interface on
### the system (i.e. no traffic will be logged via iptables through
### the FORWARD chain).  If there is only one network interface on
### the box, then just set this variable to "NOT_USED".
###
### HOME_NET                192.168.10.0/24;
### HOME_NET                10.1.1.0/24, 192.168.10.0/24;
### HOME_NET                NOT_USED;    ### only one interface on box
HOME_NET                    _CHANGEME_;

### Firewall message search strings.  NOTE: the FW_MSG_SEARCH variable
### is now located in the file /etc/psad/fw_search.conf.  Edit this
### file to configure search strings for psad.  The change was made so
### that a single file could be referenced by both psad and kmsgsd for
### search strings in iptables messages.

### Danger levels.  These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in the
### auto_dl file (see PSAD_AUTO_DL_FILE below), in which case
### a danger level is automatically assigned.
DANGER_LEVEL1               5;      ### Number of packets.
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
PSAD_CHECK_INTERVAL         5;

### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR               SID;

### Set the minimum range of ports that must be scanned before
### psad will send an alert.  The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1).  This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD   1;

### If "Y", means that scans will never timeout.  This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE          Y;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT                3600;  ### seconds

### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES         N;

### XXX: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page.  Note that
### if a packet matches a snort SID (see SNORT_SID_STR variable)
### then psad will see it even if the ack bit is set.
IGNORE_CONNTRACK_BUG_PKTS   Y;

### Send email alert if danger level is greater than or equal to
### this value.
EMAIL_ALERT_DANGER_LEVEL    1;

### Send no more than this number of emails for a single
### scanning source ip.
PSAD_EMAIL_LIMIT            50;

### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL                   Y;

### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS            N;

### Send scan logs to dshield.org.  This is disabled by default,
### but it is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS       N;

### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL         reports@dshield.org;

### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL      6;  ### hours

### If you have a DShield user id you can set it here.  The
### default is "0".
DSHIELD_USER_ID             0;

### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL          NONE;

### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield.  Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables messages will be included in
### DShield email alerts).
DSHIELD_DL_THRESHOLD        0;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).  Note that auto-blocking acts on the source
### ip as logged by iptables, so scan packets with a spoofed source
### can be used to get that address blocked; weigh this against
### AUTO_IDS_DANGER_LEVEL and AUTO_BLOCK_TIMEOUT before enabling.
ENABLE_AUTO_IDS             N;

### Block all traffic from offending IP if danger
### level is greater than or equal to this value
AUTO_IDS_DANGER_LEVEL       5;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT          3600;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD       Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM       1;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD    N;

### Set the whois timeout
WHOIS_TIMEOUT               60;  ### seconds

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD        20;

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD      20;

### Enable psad to run an external script or program
ENABLE_EXT_SCRIPT_EXEC      N;

### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example:  EXTERNAL_SCRIPT     /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT             /bin/true;

### Control execution of EXTERNAL_SCRIPT (only once per ip, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT   N;

### Disk usage variables
DISK_CHECK_INTERVAL         300;  ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE         95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES         10;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value.  Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL    1;

### Directories
PSAD_DIR                    /var/log/psad;
SCAN_DATA_ARCHIVE_DIR       /var/log/psad/scan_archive;
PSAD_ERROR_DIR              /var/log/psad/errs;
ANALYSIS_MODE_DIR           /var/log/psad/ipt_analysis;
SNORT_RULES_DIR             /etc/psad/snort_rules;

### Files
FW_DATA_FILE                /var/log/psad/fwdata;
FW_CHECK_FILE               /var/log/psad/fw_check;
PSAD_PID_FILE               /var/run/psad/psad.pid;
PSAD_CMDLINE_FILE           /var/run/psad/psad.cmd;
PSAD_SIGS_FILE              /etc/psad/signatures;
PSAD_ICMP_TYPES_FILE        /etc/psad/icmp_types;
PSAD_AUTO_DL_FILE           /etc/psad/auto_dl;
PSAD_POSF_FILE              /etc/psad/posf;
PSAD_FIFO                   /var/lib/psad/psadfifo;
ETC_HOSTS_DENY              /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE             /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE         /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE         /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       /var/log/psad/auto_blocked_tcpwr;

FW_ERROR_LOG                /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH             /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE         /var/log/psad/packet_ctr;

### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE        /var/log/psad/dshield_ctr;

### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE     /var/log/psad/ipt_prefix_ctr;

### system binaries
shCmd                       /bin/sh;
iptablesCmd                 /sbin/iptables;
mknodCmd                    /bin/mknod;
psCmd                       /bin/ps;
mailCmd                     /bin/mail;
sendmailCmd                 /usr/sbin/sendmail;
ifconfigCmd                 /sbin/ifconfig;
syslogdCmd                  /sbin/syslogd;
killallCmd                  /usr/bin/killall;
netstatCmd                  /bin/netstat;
unameCmd                    /bin/uname;
whoisCmd                    /usr/bin/whois_psad;
dfCmd                       /bin/df;
fwcheck_psadCmd             /usr/sbin/fwcheck_psad;
psadwatchdCmd               /usr/sbin/psadwatchd;
kmsgsdCmd                   /usr/sbin/kmsgsd;
psadCmd                     /usr/sbin/psad;
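### Added example (not code from the psad project): a small parser for the
### "<variable name>  <value>;" syntax described in the header, with checks for
### the constraints the comments in this file state (values end at the first
### ';', '#' lines are comments, HOME_NET is CIDR network(s) or NOT_USED,
### _CHANGEME_ must be replaced, DANGER_LEVEL1..5 are increasing packet counts,
### DSHIELD_ALERT_INTERVAL is 1..24 hours), the danger level a packet count
### reaches, the ENABLE_AUTO_IDS / AUTO_IDS_DANGER_LEVEL gate, and SRCIP
### substitution for EXTERNAL_SCRIPT.  The sample config is constructed and
### carries two deliberate mistakes; substituting SRCIP into an argv list
### rather than a shell string is this example's own hardening choice, the
### file does not say how psad itself runs the script.

```python
"""Parser and sanity checker for the psad.conf syntax (added example)."""
import ipaddress
import re
import shlex

# Constructed psad.conf fragment with two deliberate mistakes: host bits set
# in the first HOME_NET entry and a DSHIELD_ALERT_INTERVAL above 24 hours.
SAMPLE_CONF = """\
### Machine hostname
HOSTNAME                    spider;
HOME_NET                    192.168.10.4/24, 10.1.1.0/24;  ### first has host bits
DANGER_LEVEL1               5;      ### Number of packets.
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;
DSHIELD_ALERT_INTERVAL      36;     ### hours (out of range)
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       5;
EXTERNAL_SCRIPT             /path/to/script --ip SRCIP -v;
"""

# "<variable name> <value>;" -- everything after the first ';' is a comment.
LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s+([^;]*);")


def parse_psad_conf(text):
    """Return {VAR: value}.  Blank and '#' lines are skipped; a non-comment
    line without a terminating ';' is rejected rather than silently ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed psad.conf line: %r" % raw)
        conf[m.group(1)] = m.group(2).strip()
    return conf


def check_psad_conf(conf):
    """Return a list of problem strings for the constraints the comments state."""
    problems = [v + " is still _CHANGEME_" for v, val in conf.items()
                if val == "_CHANGEME_"]
    home = conf.get("HOME_NET", "")
    if home and home not in ("NOT_USED", "_CHANGEME_"):
        for net in (n.strip() for n in home.split(",")):
            try:
                ipaddress.ip_network(net, strict=True)  # rejects host bits set
            except ValueError:
                problems.append("HOME_NET entry %s is not a CIDR network" % net)
    levels = [conf.get("DANGER_LEVEL%d" % i, "") for i in range(1, 6)]
    if not all(v.isdigit() for v in levels):
        problems.append("DANGER_LEVEL1..5 must all be packet counts")
    elif any(int(b) <= int(a) for a, b in zip(levels, levels[1:])):
        # thresholds are "packets required to reach each level", so each
        # level needs more packets than the one below it
        problems.append("DANGER_LEVEL thresholds must increase")
    hours = conf.get("DSHIELD_ALERT_INTERVAL", "6")
    if not (hours.isdigit() and 1 <= int(hours) <= 24):
        problems.append("DSHIELD_ALERT_INTERVAL must be 1..24 hours")
    return problems


def danger_level(conf, packet_count):
    """Danger level 0..5 reached by packet_count packets alone (signature and
    auto_dl assignments, which the comments also mention, are not modelled)."""
    level = 0
    for i in range(1, 6):
        if packet_count >= int(conf["DANGER_LEVEL%d" % i]):
            level = i
    return level


def would_auto_block(conf, packet_count):
    """True only when ENABLE_AUTO_IDS is Y and the scan reaches
    AUTO_IDS_DANGER_LEVEL, mirroring the gating the comments describe."""
    if conf.get("ENABLE_AUTO_IDS", "N").upper() != "Y":
        return False
    return danger_level(conf, packet_count) >= int(conf.get("AUTO_IDS_DANGER_LEVEL", "5"))


def external_script_argv(conf, src_ip):
    """argv for EXTERNAL_SCRIPT with SRCIP replaced by a validated address.
    Building an argv list (never a shell command string) means a crafted
    'source ip' cannot smuggle extra shell commands into the external script."""
    ipaddress.ip_address(src_ip)  # raises ValueError on anything but an address
    return [src_ip if arg == "SRCIP" else arg
            for arg in shlex.split(conf["EXTERNAL_SCRIPT"])]


if __name__ == "__main__":
    cfg = parse_psad_conf(SAMPLE_CONF)
    for p in check_psad_conf(cfg):
        print("problem:", p)
    print("100 packets -> danger level", danger_level(cfg, 100))
```

### Run it against a real /etc/psad/psad.conf by passing the file contents to
### parse_psad_conf(); with the default DANGER_LEVEL values above, 100 packets
### reach level 2 and an auto block needs 10000 packets (level 5) plus
### ENABLE_AUTO_IDS set to Y.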