Attachment 47800 Details for Bug 76966 – A copy of the configuration file for psad-1.3.2

A copy of the configuration file for psad-1.3.2

psad.conf (text/plain), 11.06 KB, created by Alec Warner (RETIRED) on 2005-01-06 16:53:59 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Alec Warner (RETIRED)

Created: 2005-01-06 16:53:59 UTC

Size: 11.06 KB

patch

obsolete

>#
>##############################################################################
>#
>#  This is the configuration file for psad (the Port Scan Attack Detector).
>#  Normally this file gets installed at /etc/psad/psad.conf, but can be put
>#  anywhere in the filesystem and then the path can be specified on the
>#  command line argument "-c <file>" to psad.  Note that there are also
>#  config files "psadwatchd.conf" and "kmsgsd.conf" for psadwatchd and kmsgsd
>#  respectively.  There is also one additional config file "fw_search.conf"
>#  that is read by both psad and kmsgsd and defines the strategy psad uses to
>#  search through iptables log messages.  The syntax of psad.conf (as welll
>#  as each of the other config files) is as follows:
>#
>#  Each line has the form  "<variable name>    <value>;".  Note the semi-
>#  colon after the <value>.  All characters after the semicolon will be
>#  ignored to provide space for comments.
>#
>##############################################################################
>#
># $Id: psad.conf,v 1.89 2004/06/19 23:06:00 mbr Exp $
>#
>
>### Supports multiple email addresses (as a comma separated
>### list).
>EMAIL_ADDRESSES             root@localhost;
>
>### Machine hostname
>HOSTNAME                    spider;
>
>### Specify the home network.  This variable is used to identify
>### traffic that matches snort rules in the iptables FORWARD chain.
>### Traffic that is directed to, or originates from, the firewall
>### itself (i.e. in the INPUT or OUTPUT chains respectively) is
>### treated as traffic to or from the HOME_NET by default and hence
>### even if the HOME_NET variable is not defined, psad will still
>### be able to detect matching scans.  A syslog and email warning
>### message will be generated if this variable is not defined.
>### Normally the network(s) specified here should match a directly
>### network(s) on the local machine.  Multiple networks are supported
>### as a comma separated list.  The network(s) should be specified
>### in CIDR notation.  The following two lines provide example
>### definitions for the HOME_NET variable.  NOTE: The HOME_NET
>### variable is not used if there is only one network interface on
>### the system (i.e. no traffic will be logged via iptables through
>### the FORWARD chain).  If there is only one network interface on
>### the box, then just set this variable to "NOT_USED".
>
>### HOME_NET                192.168.10.4/24;
>### HOME_NET                10.1.1.0/24, 192.168.10.4/24;
>### HOME_NET                NOT_USED;  ### only one interface on box
>HOME_NET                    _CHANGEME_;
>
>### Firewall message search strings.  NOTE: the FW_MSG_SEARCH variable
>### is now located in the file /etc/psad/fw_search.conf.  Edit this
>### file to configure search strings for psad.  The change was made so
>### that a single file could be referenced by both psad and kmsgsd for
>### search strings in iptables messages.
>
>### Danger levels.  These represent the total number of
>### packets required for a scan to reach each danger level.
>### A scan may also reach a danger level if the scan trips
>### a signature or if the scanning ip is listed in
>### psad_auto_ips so a danger level is automatically
>### assigned.
>DANGER_LEVEL1               5;    ### Number of packets.
>DANGER_LEVEL2               15;
>DANGER_LEVEL3               150;
>DANGER_LEVEL4               1500;
>DANGER_LEVEL5               10000;
>
>### Set the interval (in seconds) psad will use to sleep before
>### checking for new iptables log messages
>PSAD_CHECK_INTERVAL         5;
>
>### Search for snort "sid" values generated by fwsnort
>### or snort2iptables
>SNORT_SID_STR               SID;
>
>### Set the minimum range of ports that must be scanned before
>### psad will send an alert.  The default is 1 so that at
>### least two port must be scanned (p2-p1 >= 1).  This can be set
>### to 0 if you want psad to be extra paranoid, or 30000 if not.
>PORT_RANGE_SCAN_THRESHOLD   1;
>
>### If "Y", means that scans will never timeout.  This is useful
>### for catching scans that take place over long periods of time
>### where the attacker is trying to slip beneath the IDS thresholds.
>ENABLE_PERSISTENCE          Y;
>
>### This is used only if ENABLE_PERSISTENCE = "N";
>SCAN_TIMEOUT                3600;  ### seconds
>
>### If "Y", means all signatures will be shown since
>### the scan started instead of just the current ones.
>SHOW_ALL_SIGNATURES         N;
>
>### XXX: try to mitigate the affects of the iptables connection
>### tracking bug by ignoring tcp packets that have the ack bit set.
>### Read the "BUGS" section of the psad man page.  Note that
>### if a packet matches a snort SID (see SNORT_SID_STR variable)
>### then psad will see it even if the ack bit is set.
>IGNORE_CONNTRACK_BUG_PKTS   Y;
>
>### Send email alert if danger level >= to this value.
>EMAIL_ALERT_DANGER_LEVEL    1;
>
>### Send no more than this number of emails for a single
>### scanning source ip.
>PSAD_EMAIL_LIMIT            50;
>
>### If "Y", send email for all newly logged packets from the same
>### source ip instead of just when a danger level increases.
>ALERT_ALL                   Y;
>
>### If "Y", then psad will import old scan source ip directories
>### as current scans instead of moving the directories into the
>### archive directory.
>IMPORT_OLD_SCANS            N;
>
>### Send scan logs to dshield.org.  This is disabled by default,
>### but is a good idea to enable it (subject to your site security
>### policy) since the DShield service helps to track the bad guys.
>### For more information visit http://www.dshield.org
>ENABLE_DSHIELD_ALERTS       N;
>
>### dshield.org alert email address; this should not be changed
>### unless the guys at DShield have changed it.
>DSHIELD_ALERT_EMAIL         reports@dshield.org;
>
>### Time interval (hours) to send email alerts to dshield.org.
>### The default is 6 hours, and cannot be less than 1 hour or
>### more than 24 hours.
>DSHIELD_ALERT_INTERVAL      6;  ### hours
>
>### If you have a DShield user id you can set it here.  The
>### default is "0".
>DSHIELD_USER_ID             0;
>
>### If you want the outbound DShield email to appear as though it
>### is coming from a particular user address then set it here.
>DSHIELD_USER_EMAIL          NONE;
>
>### Threshold danger level for DShield data; a scan must reach this
>### danger level before associated packets will be included in an
>### alert to DShield.  Note that zero is the default since this
>### will allow DShield to apply its own logic to determine what
>### constitutes a scan (_all_ iptables messages will be included in
>### DShield email alerts).
>DSHIELD_DL_THRESHOLD        0;
>
>### If "Y", enable automated IDS response (auto manages
>### firewall rulesets).
>ENABLE_AUTO_IDS             N;
>
>### Block all traffic from offending IP if danger
>### level >= to this value
>AUTO_IDS_DANGER_LEVEL       5;
>
>### Set the auto-blocked timeout in seconds (the default
>### is one hour).
>AUTO_BLOCK_TIMEOUT          3600;
>
>### Enable iptables blocking (only gets enabled if
>### ENABLE_AUTO_IDS is also set)
>IPTABLES_BLOCK_METHOD       Y;
>
>### Specify the position or rule number within the iptables
>### policy where auto block rules get added.
>IPTABLES_AUTO_RULENUM       1;
>
>### Enable tcp wrappers blocking (only gets enabled if
>### ENABLE_AUTO_IDS is also set)
>TCPWRAPPERS_BLOCK_METHOD    N;
>
>### Set the whois timeout
>WHOIS_TIMEOUT               60;  ### seconds
>
>### Set the number of times an ip can be seen before another dns
>### lookup is issued.
>DNS_LOOKUP_THRESHOLD        20;
>
>### Set the number of times an ip can be seen before another whois
>### lookup is issued.
>WHOIS_LOOKUP_THRESHOLD      20;
>
>### Enable psad to run an external script or program
>ENABLE_EXT_SCRIPT_EXEC      N;
>
>### Define an external program to run after a scan is caught.
>### Note that the scan source ip can be specified on the command
>### line to the external program through the use of the "SRCIP"
>### string (along with some appropriate switch for the program).
>### Of course this is only useful if the external program knows
>### what to do with this information.
>### Example:  EXTERNAL_SCRIPT       /path/to/script --ip SRCIP -v;
>EXTERNAL_SCRIPT             /bin/true;
>
>### Control execution of EXTERNAL_SCRIPT (only once per ip, or
>### every time a scan is detected for an ip).
>EXEC_EXT_SCRIPT_PER_ALERT   N;
>
>### Disk usage variables
>DISK_CHECK_INTERVAL         300;  ### seconds
>
>### This can be set to 0 to disable disk checking altogether
>DISK_MAX_PERCENTAGE         95;
>
>### This can be set to 0 to have psad not place any limit on the
>### number of times it will attempt to remove data from
>### /var/log/psad/.
>DISK_MAX_RM_RETRIES         10;
>
>### Only archive scanning ip directories that have reached a danger
>### level greater than or equal to this value.  Archiving old
>### scanning ip directories only takes place at psad startup.
>MIN_ARCHIVE_DANGER_LEVEL    1;
>
>### Directories
>PSAD_DIR                    /var/log/psad;
>SCAN_DATA_ARCHIVE_DIR       /var/log/psad/scan_archive;
>PSAD_ERROR_DIR              /var/log/psad/errs;
>ANALYSIS_MODE_DIR           /var/log/psad/ipt_analysis;
>SNORT_RULES_DIR             /etc/psad/snort_rules;
>
>### Files
>FW_DATA_FILE                /var/log/psad/fwdata;
>FW_CHECK_FILE               /var/log/psad/fw_check;
>PSAD_PID_FILE               /var/run/psad/psad.pid;
>PSAD_CMDLINE_FILE           /var/run/psad/psad.cmd;
>PSAD_SIGS_FILE              /etc/psad/signatures;
>PSAD_ICMP_TYPES_FILE        /etc/psad/icmp_types;
>PSAD_AUTO_DL_FILE           /etc/psad/auto_dl;
>PSAD_POSF_FILE              /etc/psad/posf;
>PSAD_FIFO                   /var/lib/psad/psadfifo;
>ETC_HOSTS_DENY              /etc/hosts.deny;
>ETC_SYSLOG_CONF             /etc/syslog.conf;
>ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
>ETC_METALOG_CONF            /etc/metalog/metalog.conf;
>
>### PID files
>KMSGSD_PID_FILE             /var/run/psad/kmsgsd.pid;
>PSADWATCHD_PID_FILE         /var/run/psad/psadwatchd.pid;
>
>### List of ips that have been auto blocked by iptables
>### or tcpwrappers (the auto blocking feature is disabled by
>### default, see the psad man page and the ENABLE_AUTO_IDS
>### variable).
>AUTO_BLOCK_IPT_FILE         /var/log/psad/auto_blocked_iptables;
>AUTO_BLOCK_TCPWR_FILE       /var/log/psad/auto_blocked_tcpwr;
>
>FW_ERROR_LOG                /var/log/psad/errs/fwerrorlog;
>PRINT_SCAN_HASH             /var/log/psad/scan_hash;
>
>### /proc interface for controlling ip forwarding
>PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;
>
>### Packet counters for tcp, udp, and icmp protocols
>PACKET_COUNTER_FILE         /var/log/psad/packet_ctr;
>
>### Counter file for Dshield alerts
>DSHIELD_COUNTER_FILE        /var/log/psad/dshield_ctr;
>
>### Counter file for iptables prefixes
>IPT_PREFIX_COUNTER_FILE     /var/log/psad/ipt_prefix_ctr;
>
>### system binaries
>shCmd            /bin/sh;
>iptablesCmd      /sbin/iptables;
>mknodCmd         /bin/mknod;
>psCmd            /bin/ps;
>mailCmd          /bin/mail;
>sendmailCmd      /usr/sbin/sendmail;
>ifconfigCmd      /sbin/ifconfig;
>syslogdCmd       /sbin/syslogd;
>killallCmd       /usr/bin/killall;
>netstatCmd       /bin/netstat;
>unameCmd         /bin/uname;
>whoisCmd         /usr/bin/whois_psad;
>dfCmd            /bin/df;
>fwcheck_psadCmd  /usr/sbin/fwcheck_psad;
>psadwatchdCmd    /usr/sbin/psadwatchd;
>kmsgsdCmd        /usr/sbin/kmsgsd;
>psadCmd          /usr/sbin/psad;

Actions: View

Attachments on bug 76966: 47799 | 47800