bogdan/zira-etc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
35b4f800880296e0811b5cd6d3362f99c390db91
zira-etc/psad/psad.conf
bms8197 e2954d55f4 Initial commit.
2021-05-24 22:18:33 +03:00

722 lines
32 KiB
Plaintext
Raw Blame History

#
##############################################################################
#
# This is the configuration file for psad (the Port Scan Attack Detector).
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified on the
# command line argument "-c <file>" to psad. All three psad daemons (psad,
# kmsgsd, and psadwatchd) reference this config file. Note that kmsgsd is
# generally deprecated since by default psad parses iptables log messages
# directly from the file where syslog writes them. Further, psadwatchd is
# not required if running on a Linux system that already has a process
# monitoring and restarting capability built-in such as provided by the
# upstart daemon.
#
# Each line has the form "<variable name> <value>;". Note the semi-
# colon after the <value>. All characters after the semicolon will be
# ignored to provide space for comments.
#
##############################################################################
#
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES bogdan@898.ro;
### Machine hostname
HOSTNAME zira.898.ro;
### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
HOME_NET 192.168.1.0/255.255.255.0;
EXTERNAL_NET any;
### The FW_SEARCH_ALL variable controls how psad will parse iptables
### messages. If it is set to "Y" then psad will parse all iptables
### messages for evidence of scan activity. If it is set to "N" then
### psad will only parse those iptables messages that contain logging
### prefixes specified by the FW_MSG_SEARCH variable below. Logging
### prefixes are set with the --log-prefix command line option to iptables.
### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze
### iptables messages that are logged out of a specific iptables chain
### (multiple strings can be searched for, see the comment above the
### FW_MSG_SEARCH variable below) or a specific logging rule for example.
### FW_SEARCH_ALL is set to "Y" by default since usually people want psad
### to parse all iptables messages.
FW_SEARCH_ALL N;
### The FW_MSG_SEARCH variable can be modified to look for logging messages
### that are specific to your firewall configuration (specified by the
### "--log-prefix" option. For example, if your firewall uses the
### string "Audit" for packets that have been blocked, then you could
### set FW_MSG_SEARCH to "Audit"; The default string to search for is
### "DROP". Both psad and kmsgsd reference this file. NOTE: You can
### specify this variable multiple times to have psad search for multiple
### strings. For example to have psad search for the strings "Audit" and
### "Reject", you would use the following two lines:
#FW_MSG_SEARCH Audit;
#FW_MSG_SEARCH REJECT;
FW_MSG_SEARCH Firewall;
### What type of interface configuration do you use? Set this variable to
### "iproute2" if you want to use the iproute2 type configuration.
### iproute2 does not use aliases for multi-homed interfaces and
### ifconfig does not show secondary addresses for multi-homed interfaces.
#IFCFGTYPE ifconfig;
IFCFGTYPE iproute2;
### Danger levels. These represent the total number of packets required for a
### scan to reach each danger level. A scan may also reach a danger level if
### the scan trips a signature or if the scanning ip is listed in auto_ips so a
### danger level is automatically assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
### For port sweep detection, assign danger levels based on the number of hosts
### that have been scanned by the same source. To disable this style of
### detection (not recommended) just set DL1_UNIQUE_HOSTS to zero. To detect
### sweeps across multiple IP's either the interface itself must have multiple
### addresses through something like channel bonding or when iptables logs from
### multiple systems are analyzed by psad on a centralized syslog server.
DL1_UNIQUE_HOSTS 10;
DL2_UNIQUE_HOSTS 20;
DL3_UNIQUE_HOSTS 50;
DL4_UNIQUE_HOSTS 100;
DL5_UNIQUE_HOSTS 500;
### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
CHECK_INTERVAL 5;
### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR SID;
### Set the minimum range of ports that must be scanned before
### psad will send an alert except in the case of a port sweep - see the
### PORT_RANGE_SWEEP_THRESHOLD variable. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;
PORT_RANGE_SWEEP_THRESHOLD 0; ### a single port by default, see the DL1_UNIQUE_HOSTS var
### For IP protocol scan detection (nmap -sO). While it may be relatively
### common for a host to trigger on tcp, udp, and icmp, it is more unusual if
### a host triggers on, say, five different IP protocols
PROTOCOL_SCAN_THRESHOLD 5;
### If "Y", means that scans will never timeout. This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
### This is disabled by default to limit the amount of memory psad
### consumes. Note that if this feature is enabled, the MAX_SCAN_IP_PAIRS
### variable can assist with limiting psad's memory consumption as well.
ENABLE_PERSISTENCE N;
### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds
### Specify how often to timeout old scan data relative to CHECK_INTERVAL
### iterations. This feature is only used if ENABLE_PERSISTENCE is disabled.
### Note that for psad processes that have tracked a lot of scans, it is
### advisable to leave this threshold at the default value of 5 or greater
### because the scan tracking hash may be quite large.
PERSISTENCE_CTR_THRESHOLD 5;
### Limit the number of src->dst IP pairs that psad will track. The default
### is zero (i.e. unlimited), but if psad is running on a system with limited
### memory, this can be handy to restrict psad's memory usage. It is best to
### combine this option with disabling ENABLE_PERSISTENCE so that older scans
### are deleted and therefore newer scans will on average continue to be
### tracked. A good non-zero value is, say, 50000, but this will vary
### depending on available system memory.
MAX_SCAN_IP_PAIRS 0;
### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;
### Allow reporting methods to be enabled/restricted. This keyword can
### accept values of "nosyslog" (don't write any messages to syslog),
### "noemail" (don't send any email messages), or "ALL" (to generate both
### syslog and email messages). "ALL" is the default. Both "nosyslog"
### and "noemail" can be combined with a comma to disable all logging
### and alerting.
ALERTING_METHODS ALL;
### By default, psad checks for journalctl on systems where systemd is
### installed. If journalctl is running, then psad will automatically acquire
### syslog data from journalctl instead of parsing a file in the /var/log/
### directory.
AUTO_DETECT_JOURNALCTL Y;
### The following vars have psad acquire iptables log data from the
### /var/log/messages file which the local syslog daemon (usually) writes
### iptables log messages to. If the ENABLE_SYSLOG_FILE variable below is set
### to "N", then psad reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
### written to the file /var/log/psad/fwdata for analysis by psad. On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as Apparmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended. However, if psad is running on a system where systemd
### is installed and syslog messages are accessed via journalctl instead of
### being written to the filesystem, then the ENABLE_FW_MSG_READ_CMD
### functionality should be used to take over (see below).
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages;
### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog. Note: this variable is only used if ENABLE_SYSLOG_FILE is
### disabled, and this in turn will mean that the legacy kmsgsd daemon will
### collect firewall logs from syslog via the old named pipe mechanism.
SYSLOG_DAEMON syslogd;
### This is primarily used to acquire syslog messages from journalctl on
### systems where systemd is running.
ENABLE_FW_MSG_READ_CMD Y;
FW_MSG_READ_CMD /bin/journalctl;
FW_MSG_READ_CMD_ARGS -f -k;
USE_FW_MSG_READ_CMD_ARGS Y;
FW_MSG_READ_MIN_PKTS 30;
### Control reputation feed settings (note there are some additional path
### settings in the 'Directories' section too).
ENABLE_REPUTATION_FEEDS Y;
### May include multiple REPUTATION_FEED variables to handle many feeds. Note
### in the format specifics below, "danger level" must be in the range 1-5,
### "data type" may be "IP" (with other types coming in the future, "data
### format" may be "newline" or "CSV", the "udpate interval" is in minutes (set
### to zero to not update), the "enable diffs" field controls whether to send
### diff emails upon feed updates, the "local file" is the file name in the
### REPUTATION_FEEDS_DIR, and the "update CMD" is command to execute in order
### to update to the feed data. Within the "update CMD", the $LOCAL_FILE
### variable is derived from the "local file name" value.
###
### <feed name>,<danger level>,<data type>,<data format>,<update interval>,<enable diffs>,<local file>,<update CMD>
REPUTATION_FEED "EmergingThreats Block IPs",4,IP,newline,1440,Y,ET-Block-IPs,"/usr/bin/curl -o $LOCAL_FILE https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt";
REPUTATION_FEED "EmergingThreats Compromised IPs",4,IP,newline,1440,Y,ET-Compromised-IPs,"/usr/bin/curl -o $LOCAL_FILE https://rules.emergingthreats.net/blockrules/compromised-ips.txt";
### IP security information URL - this is included in email alerts only.
### The IP_INFO variable takes the form <title>,<URL> and the $SRC variable
### in the URL will be substituted with the actual source IP for each
### detect scan.
ENABLE_IP_INFO_URL Y;
IP_INFO "Talos Intelligence",https://www.talosintelligence.com/reputation_center/lookup?search=$SRC;
### When enabled, this instructs psad to write the "msg" field
### associated with Snort rule matches to syslog.
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;
### For systems with an init daemon like 'upstart' that offer built-in process
### monitoring, it is not necessary to run the psadwatchd daemon, and this is
### the default.
ENABLE_PSADWATCHD N;
### Expect that all logged TCP SYN packets include the options portion of the
### TCP header (requires the --log-tcp-options argument to the iptables LOG
### rule). If a SYN packet is received that does not include TCP options, then
### it may be created by a scanner such as Eratta Security's "masscan"). Note
### that psad still does a check to see if at least one log message is seen
### includes the OPT field before expecting the remaining messages to also
### include this field.
EXPECT_TCP_OPTIONS Y;
### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall. We will
### assume packets will not jump through more than 20 hops on
### average.
MAX_HOPS 20;
### Do not include any timestamp included within kernel logging
### messages (Ubuntu systems commonly have this)
IGNORE_KERNEL_TIMESTAMP Y;
### FIXME: try to mitigate the affects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID generated by fwsnort (see
### http://www.cipherdyne.org/fwsnort/)
### then psad will see it even if the ack bit is set. See the
### SNORT_SID_STR variable.
IGNORE_CONNTRACK_BUG_PKTS Y;
### define a set of ports to ignore (this is useful particularly
### for port knocking applications since the knock sequence will
### look to psad like a scan). This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol, For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
IGNORE_PORTS NONE;
### allow entire protocols to be ignored. This keyword can accept
### a comma separated list of protocols. Each protocol must match
### the protocol that is specified in an iptables log message (case
### insensitively, so both "TCP" or "tcp" is ok).
### IGNORE_PROTOCOL tcp,udp;
IGNORE_PROTOCOLS NONE;
### allow packets to be ignored based on interface (this is the
### "IN" interface in iptables logging messages).
IGNORE_INTERFACES NONE;
### Ignore these specific logging prefixes
IGNORE_LOG_PREFIXES NONE;
### Minimum danger level a scan must reach before any logging or
### alerting is done. The EMAIL_ALERT_DANGER_LEVEL variable below
### only refers to email alerts; the MIN_DANGER_LEVEL variable
### applies to everything from email alerts to whether or not the
### IP directory is created within /var/log/psad/. Hence
### MIN_DANGER_LEVEL should be set less than or equal to the value
### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
MIN_DANGER_LEVEL 1;
### Only send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL 1;
### Enable detection of malicious activity that is delivered via IPv6. If
### ip6tables is not logging any traffic, then psad won't know anything
### about IPv6, or this variable can be set to "N" (this would be slightly
### faster if ip6tables isn't logging anything).
ENABLE_IPV6_DETECTION Y;
### Treat all subnets on local interfaces as part of HOME_NET (this
### means that these networks do not have to be manually defined)
ENABLE_INTF_LOCAL_NETS Y;
### Include MAC addresses in email alert
ENABLE_MAC_ADDR_REPORTING N;
### Look for the iptables logging rule (fwcheck_psad is executed)
ENABLE_FW_LOGGING_CHECK Y;
### Send no more than this number of emails for a single
### scanning source IP. Note that enabling this feature may cause
### alerts for real attacks to not be generated if an attack is sent
### after the email threshold has been reached for an IP address.
### This is why the default is set to "0".
EMAIL_LIMIT 0;
### By default, psad maintains a counter for each scanning source address,
### but by enabling this variable psad will maintain email counters for
### each victim address that is scanned as well.
ENABLE_EMAIL_LIMIT_PER_DST N;
### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
### This variable is used to have psad throttle the email alerts it sends,
### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
### is set to "10", then psad will only send 1/10th as many emails for each
### scanning IP as it would have normally. All other variables also apply,
### so this throttle value is taken into account after everything else. The
### default of zero means to not apply any throttling.
EMAIL_THROTTLE 0;
### Append a header field to outgoing email alerts. This can allow the
### outgoing 'From' field to be customized for example:
### EMAIL_APPEND_HEADER From:you@somehost;
EMAIL_APPEND_HEADER NONE;
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS N;
### syslog facility and priority (the defaults are usually ok)
### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;
### Port thresholds for logging and -S and -A output.
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;
### Signature thresholds for logging and -S and -A output.
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;
### Attackers thresholds for logging and -S and -A output.
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;
### Specify how often to log the TOP_* information (i.e. how many
### CHECK_INTERVAL iterations before the data is logged again).
TOP_SCANS_CTR_THRESHOLD 1;
### Override iptables automatic search and force a path to a firewall
### binary. If firewalld is used, then set this to the path to firewall-cmd
### and set FW_CMD_ARGS to '--direct --passthrough ipv4';
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
FW_CMD_ARGS NONE;
### Send scan logs to dshield.org. This is disabled by default,
### but is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS Y;
### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL bogdan@898.ro;
### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL 6; ### hours
### If you have a DShield user id you can set it here. The
### default is "0".
DSHIELD_USER_ID 0;
### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL NONE;
### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield. Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables log messages will be included
### in DShield email alerts).
DSHIELD_DL_THRESHOLD 0;
### List of servers. Fwsnort supports the same variable resolution as
#### Snort.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
#### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
### Configurable port numbers
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
### If this is enabled, then psad will die if a rule in the
### /etc/psad/signatures file contains an unsupported option (otherwise
### a syslog warning will be generated).
ENABLE_SNORT_SIG_STRICT Y;
### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS N;
### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL 5;
### Set the auto-blocked timeout in seconds (the default is one hour).
### A value of 0 means block forever.
AUTO_BLOCK_TIMEOUT 3600;
### Set the auto-blocked timeout in seconds for each danger
### level - zero means to block permanently. Each of these
### can be set independently
AUTO_BLOCK_DL1_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT 0; ### permanent
### Enable regex checking on log prefixes for active response
ENABLE_AUTO_IDS_REGEX N;
### Only block if the iptables log message matches the following regex
AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
### Control whether "renew" auto-block emails get sent. This is disabled
### by default because lots of IPs could have been blocked, and psad
### should not generate a renew email for each of them.
ENABLE_RENEW_BLOCK_EMAILS N;
### By setting this variable to N, all auto-blocking emails can be
### suppressed.
ENABLE_AUTO_IDS_EMAILS Y;
### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD Y;
### Specify chain names to which iptables blocking rules will be
### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
### <To_chain>,<Rule_position>.
### "Target": Can be any legitimate iptables target, but should usually
### just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
### INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any iptables table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
### the jump rule is added.
### "To_chain": Is the chain to which packets will be jumped. This is the
### main chain where psad rules are added.
### "Rule_position": Defines the position where rule are added within the
### To_chain.
###
### The following defaults make sense for most installations, but note
### it is possible to include blocking rules in, say, the "nat" table
### using this functionality as well. The following three lines provide
### usage examples:
#IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
#IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
#IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
### Flush all existing rules in the psad chains at psad start time.
FLUSH_IPT_AT_INIT Y;
### Prerequisite check for existence of psad chains and jump rules
IPTABLES_PREREQ_CHECK 1;
### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD N;
### By default, enable whois lookups against scanning IP addresses.
ENABLE_WHOIS_LOOKUPS Y;
### Set the whois timeout
WHOIS_TIMEOUT 60; ### seconds
### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD 20;
### Use this option to force all whois information to contain ascii-only data.
### Sometime whois information for IP addresses in China and other countries
### can contain non-ascii data. If this option is enabled, then any non-
### ascii characters will be replaced with "NA".
ENABLE_WHOIS_FORCE_ASCII N;
### This variable forces all whois lookups to be done against the source IP
### even when they are associated with a directly connected local network. IT
### is usually a good idea to leave this setting as the default of 'N'.
ENABLE_WHOIS_FORCE_SRC_IP N;
### By default, enable reverse DNS lookups against scanning IP addresses.
ENABLE_DNS_LOOKUPS Y;
### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD 20;
### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC N;
### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT /bin/true;
### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT N;
### Enable psad to run an external script or program upon setting
### iptables block (use at your own risk!)
ENABLE_EXT_BLOCK_SCRIPT_EXEC N;
### Define an external program to run after a scan is blocked.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_BLOCK_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_BLOCK_SCRIPT /bin/true;
### Some syslog daemons support a customized time stamp, so allow
### a user-specified regex to account for this when necessary (disabled
### by default). This regex should also extract the hostname from the
### syslog messages as well, so the timestamp and the hostname should be
### stored in $1 and $2 respectively. Here is an example syslog message
### and how to extract the timestamp and hostname:
### 2015-03-08T02:25:11.444012+02:00 servername kernel: ...
### ...would be handled properly with:
### ^\s*([\d\-]+T(?:\d{2}\:){2}\d{2}\S+)\s+(\S+)\s+kernel:
ENABLE_CUSTOM_SYSLOG_TS_RE N;
CUSTOM_SYSLOG_TS_RE ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
### Disk usage variables
DISK_CHECK_INTERVAL 300; ### seconds
### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE 95;
### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES 10;
### Enable archiving of old scan directories at psad startup.
ENABLE_SCAN_ARCHIVE N;
### Truncate fwdata file at startup
TRUNCATE_FWDATA Y;
### Only archive scanning IP directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL 1;
### Email subject line config. Change these prefixes if you want
### psad to generate email alerts that say something other than
### the following.
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];
### URL for getting the latest psad signatures
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
### These next two are psadwatchd vars
PSADWATCHD_CHECK_INTERVAL 5; ### seconds
PSADWATCHD_MAX_RETRIES 10;
### Directories
INSTALL_ROOT /;
PSAD_DIR $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
PSAD_TMP_DIR $PSAD_DIR/tmp;
REPUTATION_FEEDS_DIR $PSAD_CONF_DIR/reputation_feeds;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
SIGS_FILE $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_RSYSLOG_CONF /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE $PSAD_DIR/install.log;
### PID files
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
### File used internally by psad to add iptables blocking
### rules to a running psad process
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
### Top scanned ports
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
### Top signature matches
TOP_SIGS_FILE $PSAD_DIR/top_sigs;
### Top attackers
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
### iptables command output and error collection files; these are
### used by IPTables::ChainMgr
IPT_OUTPUT_PATTERN psad_iptout.XXXXXX;
IPT_ERROR_PATTERN psad_ipterr.XXXXXX;
### system binaries
iptablesCmd /sbin/iptables;
ip6tablesCmd /sbin/ip6tables;
shCmd /bin/sh;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
pkillCmd /usr/bin/pkill;
ssCmd /sbin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd $INSTALL_ROOT/usr/sbin/psad;
Reference in New Issue View Git Blame Copy Permalink