Gentoo's Bugzilla – Attachment 47800 Details for Bug 76966: program could not start due to the bad config
A copy of the configuration file for psad-1.3.2
psad.conf (text/plain), 11.06 KB, created by Alec Warner (RETIRED) on 2005-01-06 16:53:59 UTC

Description: A copy of the configuration file for psad-1.3.2
Filename: psad.conf
MIME Type: text/plain
Creator: Alec Warner (RETIRED)
Created: 2005-01-06 16:53:59 UTC
Size: 11.06 KB
#
##############################################################################
#
# This is the configuration file for psad (the Port Scan Attack Detector).
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified on the
# command line argument "-c <file>" to psad. Note that there are also
# config files "psadwatchd.conf" and "kmsgsd.conf" for psadwatchd and kmsgsd
# respectively. There is also one additional config file "fw_search.conf"
# that is read by both psad and kmsgsd and defines the strategy psad uses to
# search through iptables log messages. The syntax of psad.conf (as well
# as each of the other config files) is as follows:
#
# Each line has the form "<variable name> <value>;". Note the semi-
# colon after the <value>. All characters after the semicolon will be
# ignored to provide space for comments.
#
##############################################################################
#
# $Id: psad.conf,v 1.89 2004/06/19 23:06:00 mbr Exp $
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES root@localhost;

### Machine hostname
HOSTNAME spider;

### Specify the home network. This variable is used to identify
### traffic that matches snort rules in the iptables FORWARD chain.
### Traffic that is directed to, or originates from, the firewall
### itself (i.e. in the INPUT or OUTPUT chains respectively) is
### treated as traffic to or from the HOME_NET by default and hence
### even if the HOME_NET variable is not defined, psad will still
### be able to detect matching scans. A syslog and email warning
### message will be generated if this variable is not defined.
### Normally the network(s) specified here should match a directly
### connected network(s) on the local machine. Multiple networks are
### supported as a comma separated list. The network(s) should be
### specified in CIDR notation. The following two lines provide example
### definitions for the HOME_NET variable. NOTE: The HOME_NET
### variable is not used if there is only one network interface on
### the system (i.e. no traffic will be logged via iptables through
### the FORWARD chain). If there is only one network interface on
### the box, then just set this variable to "NOT_USED".

### HOME_NET 192.168.10.4/24;
### HOME_NET 10.1.1.0/24, 192.168.10.4/24;
### HOME_NET NOT_USED; ### only one interface on box
HOME_NET _CHANGEME_;

### Firewall message search strings. NOTE: the FW_MSG_SEARCH variable
### is now located in the file /etc/psad/fw_search.conf. Edit this
### file to configure search strings for psad. The change was made so
### that a single file could be referenced by both psad and kmsgsd for
### search strings in iptables messages.

### Danger levels. These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### psad_auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
PSAD_CHECK_INTERVAL 5;

### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR SID;

### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;

### If "Y", means that scans will never time out. This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE Y;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds

### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;

### XXX: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID (see SNORT_SID_STR variable)
### then psad will see it even if the ack bit is set.
IGNORE_CONNTRACK_BUG_PKTS Y;

### Send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL 1;

### Send no more than this number of emails for a single
### scanning source ip.
PSAD_EMAIL_LIMIT 50;

### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;

### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS N;

### Send scan logs to dshield.org. This is disabled by default,
### but is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS N;

### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL reports@dshield.org;

### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL 6; ### hours

### If you have a DShield user id you can set it here. The
### default is "0".
DSHIELD_USER_ID 0;

### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL NONE;

### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield. Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables messages will be included in
### DShield email alerts).
DSHIELD_DL_THRESHOLD 0;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS N;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL 5;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT 3600;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM 1;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD N;

### Set the whois timeout
WHOIS_TIMEOUT 60; ### seconds

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD 20;

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD 20;

### Enable psad to run an external script or program
ENABLE_EXT_SCRIPT_EXEC N;

### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT /bin/true;

### Control execution of EXTERNAL_SCRIPT (only once per ip, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT N;

### Disk usage variables
DISK_CHECK_INTERVAL 300; ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE 95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES 10;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL 1;

### Directories
PSAD_DIR /var/log/psad;
SCAN_DATA_ARCHIVE_DIR /var/log/psad/scan_archive;
PSAD_ERROR_DIR /var/log/psad/errs;
ANALYSIS_MODE_DIR /var/log/psad/ipt_analysis;
SNORT_RULES_DIR /etc/psad/snort_rules;

### Files
FW_DATA_FILE /var/log/psad/fwdata;
FW_CHECK_FILE /var/log/psad/fw_check;
PSAD_PID_FILE /var/run/psad/psad.pid;
PSAD_CMDLINE_FILE /var/run/psad/psad.cmd;
PSAD_SIGS_FILE /etc/psad/signatures;
PSAD_ICMP_TYPES_FILE /etc/psad/icmp_types;
PSAD_AUTO_DL_FILE /etc/psad/auto_dl;
PSAD_POSF_FILE /etc/psad/posf;
PSAD_FIFO /var/lib/psad/psadfifo;
ETC_HOSTS_DENY /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE /var/log/psad/auto_blocked_tcpwr;

FW_ERROR_LOG /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE /var/log/psad/packet_ctr;

### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE /var/log/psad/dshield_ctr;

### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE /var/log/psad/ipt_prefix_ctr;

### system binaries
shCmd /bin/sh;
iptablesCmd /sbin/iptables;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
syslogdCmd /sbin/syslogd;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd /usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd /usr/sbin/fwcheck_psad;
psadwatchdCmd /usr/sbin/psadwatchd;
kmsgsdCmd /usr/sbin/kmsgsd;
psadCmd /usr/sbin/psad;
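The header of the attached file defines the psad.conf syntax ("<variable name> <value>;", everything after the semicolon is a comment) and the rules for HOME_NET (either "NOT_USED" or a comma-separated list of CIDR networks, with "_CHANGEME_" being the shipped placeholder) and DSHIELD_ALERT_INTERVAL (1 to 24 hours). The following parser and pre-flight checker is an added example, not psad's own code; the sample text is a constructed subset of the attachment, and the function names are the example's own.

```python
import ipaddress

# Constructed sample in psad.conf syntax (a subset of the attached file),
# keeping the placeholder HOME_NET value the attachment ships with.
SAMPLE_CONF = """\
### Machine hostname
HOSTNAME spider;
HOME_NET _CHANGEME_;
DANGER_LEVEL1 5; ### Number of packets.
DSHIELD_ALERT_INTERVAL 6; ### hours
ENABLE_AUTO_IDS N;
"""

def parse_psad_conf(text):
    """Parse '<name> <value>;' lines into a dict. Lines starting with
    '#' are comments, and anything after the first ';' is ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ";" not in line:
            raise ValueError(f"missing ';' terminator: {raw!r}")
        stmt = line.split(";", 1)[0].strip()
        parts = stmt.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        conf[parts[0]] = parts[1].strip()
    return conf

def check_home_net(value):
    """Return problems with a HOME_NET value: it must be NOT_USED or a
    comma-separated list of CIDR networks (host bits are tolerated,
    as in the file's own '192.168.10.4/24' example)."""
    if value == "NOT_USED":
        return []
    problems = []
    for net in (n.strip() for n in value.split(",")):
        try:
            ipaddress.ip_network(net, strict=False)
        except ValueError:
            problems.append(f"HOME_NET entry {net!r} is not a CIDR network")
    return problems

def validate(conf):
    """Pre-flight checks a reader might run before starting psad."""
    problems = check_home_net(conf.get("HOME_NET", ""))
    hours = int(conf.get("DSHIELD_ALERT_INTERVAL", "6"))
    if not 1 <= hours <= 24:
        problems.append("DSHIELD_ALERT_INTERVAL must be between 1 and 24 hours")
    return problems
```

Running `validate(parse_psad_conf(SAMPLE_CONF))` reports the untouched `_CHANGEME_` placeholder, which is exactly the kind of leftover a packaged default config should be checked for before the daemon is started.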