-
Notifications
You must be signed in to change notification settings - Fork 76
/
psad.conf
721 lines (607 loc) · 31.8 KB
/
psad.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
#
##############################################################################
#
# This is the configuration file for psad (the Port Scan Attack Detector).
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified on the
# command line argument "-c <file>" to psad. All three psad daemons (psad,
# kmsgsd, and psadwatchd) reference this config file. Note that kmsgsd is
# generally deprecated since by default psad parses iptables log messages
# directly from the file where syslog writes them. Further, psadwatchd is
# not required if running on a Linux system that already has a process
# monitoring and restarting capability built-in such as provided by the
# upstart daemon.
#
# Each line has the form "<variable name> <value>;". Note the semi-
# colon after the <value>. All characters after the semicolon will be
# ignored to provide space for comments.
#
##############################################################################
#
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES root@localhost;
### Machine hostname
HOSTNAME _CHANGEME_;
### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
HOME_NET any;
EXTERNAL_NET any;
### The FW_SEARCH_ALL variable controls how psad will parse iptables
### messages. If it is set to "Y" then psad will parse all iptables
### messages for evidence of scan activity. If it is set to "N" then
### psad will only parse those iptables messages that contain logging
### prefixes specified by the FW_MSG_SEARCH variable below. Logging
### prefixes are set with the --log-prefix command line option to iptables.
### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze
### iptables messages that are logged out of a specific iptables chain
### (multiple strings can be searched for, see the comment above the
### FW_MSG_SEARCH variable below) or a specific logging rule for example.
### FW_SEARCH_ALL is set to "Y" by default since usually people want psad
### to parse all iptables messages.
FW_SEARCH_ALL Y;
### The FW_MSG_SEARCH variable can be modified to look for logging messages
### that are specific to your firewall configuration (specified by the
### "--log-prefix" option. For example, if your firewall uses the
### string "Audit" for packets that have been blocked, then you could
### set FW_MSG_SEARCH to "Audit"; The default string to search for is
### "DROP". Both psad and kmsgsd reference this file. NOTE: You can
### specify this variable multiple times to have psad search for multiple
### strings. For example to have psad search for the strings "Audit" and
### "Reject", you would use the following two lines:
#FW_MSG_SEARCH Audit;
#FW_MSG_SEARCH REJECT;
FW_MSG_SEARCH DROP;
### What type of interface configuration do you use? Set this variable to
### "iproute2" if you want to use the iproute2 type configuration.
### iproute2 does not use aliases for multi-homed interfaces and
### ifconfig does not show secondary addresses for multi-homed interfaces.
#IFCFGTYPE ifconfig;
IFCFGTYPE iproute2;
### Danger levels. These represent the total number of packets required for a
### scan to reach each danger level. A scan may also reach a danger level if
### the scan trips a signature or if the scanning ip is listed in auto_ips so a
### danger level is automatically assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
### For port sweep detection, assign danger levels based on the number of hosts
### that have been scanned by the same source. To disable this style of
### detection (not recommended) just set DL1_UNIQUE_HOSTS to zero. To detect
### sweeps across multiple IP's either the interface itself must have multiple
### addresses through something like channel bonding or when iptables logs from
### multiple systems are analyzed by psad on a centralized syslog server.
DL1_UNIQUE_HOSTS 10;
DL2_UNIQUE_HOSTS 20;
DL3_UNIQUE_HOSTS 50;
DL4_UNIQUE_HOSTS 100;
DL5_UNIQUE_HOSTS 500;
### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
CHECK_INTERVAL 5;
### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR SID;
### Set the minimum range of ports that must be scanned before
### psad will send an alert except in the case of a port sweep - see the
### PORT_RANGE_SWEEP_THRESHOLD variable. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;
PORT_RANGE_SWEEP_THRESHOLD 0; ### a single port by default, see the DL1_UNIQUE_HOSTS var
### For IP protocol scan detection (nmap -sO). While it may be relatively
### common for a host to trigger on tcp, udp, and icmp, it is more unusual if
### a host triggers on, say, five different IP protocols
PROTOCOL_SCAN_THRESHOLD 5;
### If "Y", means that scans will never timeout. This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
### This is disabled by default to limit the amount of memory psad
### consumes. Note that if this feature is enabled, the MAX_SCAN_IP_PAIRS
### variable can assist with limiting psad's memory consumption as well.
ENABLE_PERSISTENCE N;
### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600; ### seconds
### Specify how often to timeout old scan data relative to CHECK_INTERVAL
### iterations. This feature is only used if ENABLE_PERSISTENCE is disabled.
### Note that for psad processes that have tracked a lot of scans, it is
### advisable to leave this threshold at the default value of 5 or greater
### because the scan tracking hash may be quite large.
PERSISTENCE_CTR_THRESHOLD 5;
### Limit the number of src->dst IP pairs that psad will track. The default
### is zero (i.e. unlimited), but if psad is running on a system with limited
### memory, this can be handy to restrict psad's memory usage. It is best to
### combine this option with disabling ENABLE_PERSISTENCE so that older scans
### are deleted and therefore newer scans will on average continue to be
### tracked. A good non-zero value is, say, 50000, but this will vary
### depending on available system memory.
MAX_SCAN_IP_PAIRS 0;
### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;
### Allow reporting methods to be enabled/restricted. This keyword can
### accept values of "nosyslog" (don't write any messages to syslog),
### "noemail" (don't send any email messages), or "ALL" (to generate both
### syslog and email messages). "ALL" is the default. Both "nosyslog"
### and "noemail" can be combined with a comma to disable all logging
### and alerting.
ALERTING_METHODS ALL;
### By default, psad checks for journalctl on systems where systemd is
### installed. If journalctl is running, then psad will automatically acquire
### syslog data from journalctl instead of parsing a file in the /var/log/
### directory.
AUTO_DETECT_JOURNALCTL Y;
### The following vars have psad acquire iptables log data from the
### /var/log/messages file which the local syslog daemon (usually) writes
### iptables log messages to. If the ENABLE_SYSLOG_FILE variable below is set
### to "N", then psad reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
### written to the file /var/log/psad/fwdata for analysis by psad. On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as Apparmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended. However, if psad is running on a system where systemd
### is installed and syslog messages are accessed via journalctl instead of
### being written to the filesystem, then the ENABLE_FW_MSG_READ_CMD
### functionality should be used to take over (see below).
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages;
### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog. Note: this variable is only used if ENABLE_SYSLOG_FILE is
### disabled, and this in turn will mean that the legacy kmsgsd daemon will
### collect firewall logs from syslog via the old named pipe mechanism.
SYSLOG_DAEMON syslogd;
### This is primarily used to acquire syslog messages from journalctl on
### systems where systemd is running.
ENABLE_FW_MSG_READ_CMD N;
FW_MSG_READ_CMD /bin/journalctl;
FW_MSG_READ_CMD_ARGS -f -k;
USE_FW_MSG_READ_CMD_ARGS Y;
FW_MSG_READ_MIN_PKTS 30;
### Control reputation feed settings (note there are some additional path
### settings in the 'Directories' section too).
ENABLE_REPUTATION_FEEDS Y;
### May include multiple REPUTATION_FEED variables to handle many feeds. Note
### in the format specifics below, "danger level" must be in the range 1-5,
### "data type" may be "IP" (with other types coming in the future, "data
### format" may be "newline" or "CSV", the "udpate interval" is in minutes (set
### to zero to not update), the "enable diffs" field controls whether to send
### diff emails upon feed updates, the "local file" is the file name in the
### REPUTATION_FEEDS_DIR, and the "update CMD" is command to execute in order
### to update to the feed data. Within the "update CMD", the $LOCAL_FILE
### variable is derived from the "local file name" value.
###
### <feed name>,<danger level>,<data type>,<data format>,<update interval>,<enable diffs>,<local file>,<update CMD>
REPUTATION_FEED "EmergingThreats Block IPs",4,IP,newline,1440,Y,ET-Block-IPs,"/usr/bin/curl -o $LOCAL_FILE https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt";
REPUTATION_FEED "EmergingThreats Compromised IPs",4,IP,newline,1440,Y,ET-Compromised-IPs,"/usr/bin/curl -o $LOCAL_FILE https://rules.emergingthreats.net/blockrules/compromised-ips.txt";
### IP security information URL - this is included in email alerts only.
### The IP_INFO variable takes the form <title>,<URL> and the $SRC variable
### in the URL will be substituted with the actual source IP for each
### detect scan.
ENABLE_IP_INFO_URL Y;
IP_INFO "Talos Intelligence",https://www.talosintelligence.com/reputation_center/lookup?search=$SRC;
### When enabled, this instructs psad to write the "msg" field
### associated with Snort rule matches to syslog.
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;
### For systems with an init daemon like 'upstart' that offer built-in process
### monitoring, it is not necessary to run the psadwatchd daemon, and this is
### the default.
ENABLE_PSADWATCHD N;
### Expect that all logged TCP SYN packets include the options portion of the
### TCP header (requires the --log-tcp-options argument to the iptables LOG
### rule). If a SYN packet is received that does not include TCP options, then
### it may be created by a scanner such as Eratta Security's "masscan"). Note
### that psad still does a check to see if at least one log message is seen
### includes the OPT field before expecting the remaining messages to also
### include this field.
EXPECT_TCP_OPTIONS Y;
### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall. We will
### assume packets will not jump through more than 20 hops on
### average.
MAX_HOPS 20;
### Do not include any timestamp included within kernel logging
### messages (Ubuntu systems commonly have this)
IGNORE_KERNEL_TIMESTAMP Y;
### FIXME: try to mitigate the affects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID generated by fwsnort (see
### http://www.cipherdyne.org/fwsnort/)
### then psad will see it even if the ack bit is set. See the
### SNORT_SID_STR variable.
IGNORE_CONNTRACK_BUG_PKTS Y;
### define a set of ports to ignore (this is useful particularly
### for port knocking applications since the knock sequence will
### look to psad like a scan). This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol, For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
IGNORE_PORTS NONE;
### allow entire protocols to be ignored. This keyword can accept
### a comma separated list of protocols. Each protocol must match
### the protocol that is specified in an iptables log message (case
### insensitively, so both "TCP" or "tcp" is ok).
### IGNORE_PROTOCOL tcp,udp;
IGNORE_PROTOCOLS NONE;
### allow packets to be ignored based on interface (this is the
### "IN" interface in iptables logging messages).
IGNORE_INTERFACES NONE;
### Ignore these specific logging prefixes
IGNORE_LOG_PREFIXES NONE;
### Minimum danger level a scan must reach before any logging or
### alerting is done. The EMAIL_ALERT_DANGER_LEVEL variable below
### only refers to email alerts; the MIN_DANGER_LEVEL variable
### applies to everything from email alerts to whether or not the
### IP directory is created within /var/log/psad/. Hence
### MIN_DANGER_LEVEL should be set less than or equal to the value
### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
MIN_DANGER_LEVEL 1;
### Only send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL 1;
### Enable detection of malicious activity that is delivered via IPv6. If
### ip6tables is not logging any traffic, then psad won't know anything
### about IPv6, or this variable can be set to "N" (this would be slightly
### faster if ip6tables isn't logging anything).
ENABLE_IPV6_DETECTION Y;
### Treat all subnets on local interfaces as part of HOME_NET (this
### means that these networks do not have to be manually defined)
ENABLE_INTF_LOCAL_NETS Y;
### Include MAC addresses in email alert
ENABLE_MAC_ADDR_REPORTING N;
### Look for the iptables logging rule (fwcheck_psad is executed)
ENABLE_FW_LOGGING_CHECK Y;
### Send no more than this number of emails for a single
### scanning source IP. Note that enabling this feature may cause
### alerts for real attacks to not be generated if an attack is sent
### after the email threshold has been reached for an IP address.
### This is why the default is set to "0".
EMAIL_LIMIT 0;
### By default, psad maintains a counter for each scanning source address,
### but by enabling this variable psad will maintain email counters for
### each victim address that is scanned as well.
ENABLE_EMAIL_LIMIT_PER_DST N;
### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG Y;
### This variable is used to have psad throttle the email alerts it sends,
### and implemented as a per-IP threshold. That is, if EMAIL_THROTTLE
### is set to "10", then psad will only send 1/10th as many emails for each
### scanning IP as it would have normally. All other variables also apply,
### so this throttle value is taken into account after everything else. The
### default of zero means to not apply any throttling.
EMAIL_THROTTLE 0;
### Append a header field to outgoing email alerts. This can allow the
### outgoing 'From' field to be customized for example:
### EMAIL_APPEND_HEADER From:you@somehost;
EMAIL_APPEND_HEADER NONE;
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL Y;
### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS N;
### syslog facility and priority (the defaults are usually ok)
### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;
### Port thresholds for logging and -S and -A output.
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;
### Signature thresholds for logging and -S and -A output.
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;
### Attackers thresholds for logging and -S and -A output.
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;
### Specify how often to log the TOP_* information (i.e. how many
### CHECK_INTERVAL iterations before the data is logged again).
TOP_SCANS_CTR_THRESHOLD 1;
### Override iptables automatic search and force a path to a firewall
### binary. If firewalld is used, then set this to the path to firewall-cmd
### and set FW_CMD_ARGS to '--direct --passthrough ipv4';
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
FW_CMD_ARGS NONE;
### Send scan logs to dshield.org. This is disabled by default,
### but is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http://www.dshield.org
ENABLE_DSHIELD_ALERTS N;
### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL [email protected];
### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL 6; ### hours
### If you have a DShield user id you can set it here. The
### default is "0".
DSHIELD_USER_ID 0;
### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL NONE;
### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield. Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables log messages will be included
### in DShield email alerts).
DSHIELD_DL_THRESHOLD 0;
### List of servers. Fwsnort supports the same variable resolution as
#### Snort.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
#### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
### Configurable port numbers
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
### If this is enabled, then psad will die if a rule in the
### /etc/psad/signatures file contains an unsupported option (otherwise
### a syslog warning will be generated).
ENABLE_SNORT_SIG_STRICT Y;
### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS N;
### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL 5;
### Set the auto-blocked timeout in seconds (the default is one hour).
### A value of 0 means block forever.
AUTO_BLOCK_TIMEOUT 3600;
### Set the auto-blocked timeout in seconds for each danger
### level - zero means to block permanently. Each of these
### can be set independently
AUTO_BLOCK_DL1_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT 0; ### permanent
### Enable regex checking on log prefixes for active response
ENABLE_AUTO_IDS_REGEX N;
### Only block if the iptables log message matches the following regex
AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
### Control whether "renew" auto-block emails get sent. This is disabled
### by default because lots of IPs could have been blocked, and psad
### should not generate a renew email for each of them.
ENABLE_RENEW_BLOCK_EMAILS N;
### By setting this variable to N, all auto-blocking emails can be
### suppressed.
ENABLE_AUTO_IDS_EMAILS Y;
### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD Y;
### Specify chain names to which iptables blocking rules will be
### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
### <To_chain>,<Rule_position>.
### "Target": Can be any legitimate iptables target, but should usually
### just be "DROP".
### "Direction": Can be "src", "dst", or "both", which correspond to the
### INPUT, OUTPUT, and FORWARD chains.
### "Table": Can be any iptables table, but the default is "filter".
### "From_chain": Is the chain from which packets will be jumped.
### "Jump_rule_position": Defines the position within the From_chain where
### the jump rule is added.
### "To_chain": Is the chain to which packets will be jumped. This is the
### main chain where psad rules are added.
### "Rule_position": Defines the position where rule are added within the
### To_chain.
###
### The following defaults make sense for most installations, but note
### it is possible to include blocking rules in, say, the "nat" table
### using this functionality as well. The following three lines provide
### usage examples:
#IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
#IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
#IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
### Flush all existing rules in the psad chains at psad start time.
FLUSH_IPT_AT_INIT Y;
### Prerequisite check for existence of psad chains and jump rules
IPTABLES_PREREQ_CHECK 1;
### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD N;
### By default, enable whois lookups against scanning IP addresses.
ENABLE_WHOIS_LOOKUPS Y;
### Set the whois timeout
WHOIS_TIMEOUT 60; ### seconds
### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD 20;
### Use this option to force all whois information to contain ascii-only data.
### Sometime whois information for IP addresses in China and other countries
### can contain non-ascii data. If this option is enabled, then any non-
### ascii characters will be replaced with "NA".
ENABLE_WHOIS_FORCE_ASCII N;
### This variable forces all whois lookups to be done against the source IP
### even when they are associated with a directly connected local network. IT
### is usually a good idea to leave this setting as the default of 'N'.
ENABLE_WHOIS_FORCE_SRC_IP N;
### By default, enable reverse DNS lookups against scanning IP addresses.
ENABLE_DNS_LOOKUPS Y;
### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD 20;
### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC N;
### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT /bin/true;
### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT N;
### Enable psad to run an external script or program upon setting
### iptables block (use at your own risk!)
ENABLE_EXT_BLOCK_SCRIPT_EXEC N;
### Define an external program to run after a scan is blocked.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example: EXTERNAL_BLOCK_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_BLOCK_SCRIPT /bin/true;
### Some syslog daemons support a customized time stamp, so allow
### a user-specified regex to account for this when necessary (disabled
### by default). This regex should also extract the hostname from the
### syslog messages as well, so the timestamp and the hostname should be
### stored in $1 and $2 respectively. Here is an example syslog message
### and how to extract the timestamp and hostname:
### 2015-03-08T02:25:11.444012+02:00 servername kernel: ...
### ...would be handled properly with:
### ^\s*([\d\-]+T(?:\d{2}\:){2}\d{2}\S+)\s+(\S+)\s+kernel:
ENABLE_CUSTOM_SYSLOG_TS_RE N;
CUSTOM_SYSLOG_TS_RE ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
### Disk usage variables
DISK_CHECK_INTERVAL 300; ### seconds
### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE 95;
### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES 10;
### Enable archiving of old scan directories at psad startup.
ENABLE_SCAN_ARCHIVE N;
### Truncate fwdata file at startup
TRUNCATE_FWDATA Y;
### Only archive scanning IP directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL 1;
### Email subject line config. Change these prefixes if you want
### psad to generate email alerts that say something other than
### the following.
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];
### URL for getting the latest psad signatures
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
### These next two are psadwatchd vars
PSADWATCHD_CHECK_INTERVAL 5; ### seconds
PSADWATCHD_MAX_RETRIES 10;
### Directories
INSTALL_ROOT /;
PSAD_DIR $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
PSAD_TMP_DIR $PSAD_DIR/tmp;
REPUTATION_FEEDS_DIR $PSAD_CONF_DIR/reputation_feeds;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
SIGS_FILE $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_RSYSLOG_CONF /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE $PSAD_DIR/install.log;
### PID files
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
### File used internally by psad to add iptables blocking
### rules to a running psad process
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
### Top scanned ports
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
### Top signature matches
TOP_SIGS_FILE $PSAD_DIR/top_sigs;
### Top attackers
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
### iptables command output and error collection files; these are
### used by IPTables::ChainMgr
IPT_OUTPUT_PATTERN psad_iptout.XXXXXX;
IPT_ERROR_PATTERN psad_ipterr.XXXXXX;
### system binaries
iptablesCmd /sbin/iptables;
ip6tablesCmd /sbin/ip6tables;
shCmd /bin/sh;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
pkillCmd /usr/bin/pkill;
ssCmd /bin/ss;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd $INSTALL_ROOT/usr/sbin/psad;