Provided by: psad_1.4.4-1_i386

NAME

       psad - The Port Scan Attack Detector

SYNOPSIS

       psad [-a auto-dl-file ] [-c config-file ] [-l] [-h] [-B] [-A] [-F] [-S]
       [-K] [-R] [-U] [-H] [-V] [-p] [-e] [-w] [-D]  [-d]  [--signatures  sig-
       file  ] [--interval interval ] [-m messages-file ] [--snort-type type ]
       [--snort-rdir  rules-directory   ]   [--passive-os-sigs   posf-file   ]
       [--status-ip  ip  ]  [--status-dl  dl ] [--fw-file policy-file ] [--fw-
       block-ip ip ] [--fw-search fw-search file ] [--fw-analyze]  [--fw-list-
       auto] [--fw-del-chains] [--fw-dump] [--status-sort-dl] [--status-brief]
       [--no-fwcheck] [--no-daemon] [--no-rdns]  [--no-auto-dl]  [--no-kmsgsd]
       [--no-whois]  [--no-netstat] [--no-ipt-errors] [--no-passive-os] [--no-
       signatures] [--no-icmp-types] [--no-snort-sids]

DESCRIPTION

       psad  makes  use  of  iptables  log  messages  to  detect,  alert,  and
       (optionally) block port scans and other suspect traffic.  For tcp scans
       psad analyzes tcp flags to determine the scan  type  (syn,  fin,  xmas,
       etc.)  and corresponding command line options that could be supplied to
       nmap to generate such a scan.  In addition, psad makes use of many tcp,
       udp, and icmp signatures contained within the Snort intrusion detection
       system (see http://www.snort.org/) to detect suspicious network traffic
       such  as  probes  for  common  backdoors, DDoS tools, OS fingerprinting
       attempts, and more.  By default psad also  provides  alerts  for  snort
       rules  that  are  detected  directly  by  iptables through the use of a
       ruleset  generated  by  fwsnort   (http://www.cipherdyne.org/fwsnort/).
       This  enables  psad to send alerts for application layer attacks.  psad
       features a set of highly configurable danger thresholds (with  sensible
       defaults   provided)  that  allow  the  administrator  to  define  what
       constitutes a port scan or other suspect traffic.  Email alerts sent by
       psad  contain the scanning ip, number of packets sent to each port, any
       tcp, udp, or icmp signatures that have been matched  (e.g.  "NMAP  XMAS
       scan"), the scanned port range, the current danger level (from 1 to 5),
       reverse dns info, and  whois  information.   psad  also  makes  use  of
       various  packet  header  fields  associated  with  TCP  SYN  packets to
       passively fingerprint remote operating systems (in a manner similar  to
       the  p0f  fingerprinter) from which scans originate.  This requires the
       use of the --log-tcp-options argument for Netfilter logging  rules;  if
       this option is not used, psad will fall back to a fingerprinting method
       that makes use of packet length, TTL and TOS values,  IP  id,  and  tcp
       window sizes.

       Syslog needs to be configured to write all kern.info messages  to  the
       named pipe /var/lib/psad/psadfifo.  A simple

              echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf

       will  do  (the  single  quotes  keep the tab escape and the pipe character
       from being interpreted by the shell).  Remember also to  restart  syslog
       after the changes to this file.

       Psad reads all messages out of the pipe that are matched  by  a  string
       designed  to  catch  any  packets  that  have been logged (and possibly
       dropped) by the firewall.  In this way psad is  supplied  with  a  pure
       data  stream  that  exclusively  contains packets that the firewall has
       deemed unfit to enter the network.  psad  consists  of  three  daemons:
       psad,  kmsgsd,  and psadwatchd.  psad is responsible for processing all
       packets that  have  been  logged  by  the  firewall  and  applying  the
       signature  logic  in  order  to  determine  what  type of scan has been
       leveraged  against  the  machine  and/or  network.   kmsgsd  reads  all
       messages  that  have  been  written to the /var/lib/psad/psadfifo named
       pipe  and  writes  any  message  that  matches  a  particular   regular
       expression  (or  string)  to  /var/log/psad/fwdata.   psadwatchd  is  a
       software watchdog that will restart either of the other  two  daemons
       should one of them die for any reason.

OPTIONS

       -c, --config <configuration-file>
              By default psad reads almost all of its configuration parameters
              from the file /etc/psad/psad.conf.  psad can be made to override
              this path by specifying a different file on  the  command  line
              with the --config option.

       -s, --signatures <signatures-file>
              The iptables firewalling code included within  the  linux  2.4.x
              kernel  series has the ability to distinguish and log any of the
              tcp flags present within tcp packets that traverse the  firewall
              interfaces.  psad makes use of this logging capability to detect
              several  types  of   tcp   scan   signatures   included   within
              /etc/psad/signatures.   The  signatures were originally included
              within the snort intrusion detection system.  New signatures can
              be included and modifications to existing signatures can be made
              to the signature file and psad  will  import  the  changes  upon
              receiving  a  HUP  signal  (see  the  --HUP command line option)
              without having to restart the psad process.  psad  also  detects
              many  udp  and  icmp  signatures  that  were originally included
              within snort.

       -A, --Analyze-msgs
              Analyze an iptables logfile  for  scans  and  exit.   This  will
              generate  email  alerts  just  as  a normal running psad process
              would have for all logged scans.  By default the psad data  file
              /var/log/psad/fwdata  is  parsed for old scans, but any file can
              be specified through the use of the --messages-file command line
              option.   For  example  it might be useful to point psad at your
              /var/log/messages file.

       -e, --email-analysis
              Send alert emails when run in --Analyze-msgs mode.  Depending on
              the  size  of  the  iptables logfile, using the --email-analysis
              option could extend the runtime of psad by  quite  a  bit  since
              normally  both DNS and whois lookups will be issued against each
              scanning IP address.  As usual these  lookups  can  be  disabled
              with the --no-rdns and --no-whois options respectively.

       -w, --whois-analysis
              By  default  psad  does  not issue whois lookups when running in
              --Analyze-msgs mode.  The --whois-analysis option will  override
              this  behavior  (when run in analysis mode) and instruct psad to
              issue whois lookups against IP addresses  from  which  scans  or
              other suspect traffic has originated.

       --snort-type <type>
              Restrict  the  type  of snort sids to type.  Allowed types match
              the file names given  to  snort  rules  files  such  as  "ddos",
              "backdoor", and "web-attacks".

       --snort-rdir <snort-rules-directory>
              Manually  specify  the directory where the snort rules files are
              located.  The default is /etc/psad/snort_rules.

       --passive-os-sigs <passive-os-sigs-file>
              Manually specify  the  path  to  the  passive  operating  system
              fingerprinting  signatures file.  The default is /etc/psad/posf.

       -a, --auto-dl <auto-dl-file>
              Occasionally certain  IP  addresses  are  repeat  offenders  and
              should  automatically  be given a higher danger level than would
              normally be  assigned.   Additionally,  some  IP  addresses  can
              always  be  ignored depending on your network configuration (the
              loopback interface 127.0.0.1  might  be  a  good  candidate  for
              example).   /etc/psad/auto_dl  provides an interface for psad to
              automatically  increase/decrease/ignore   scanning   IP   danger
              levels.   Modifications  can  be  made  to auto_dl (installed by
              default in /etc/psad) and psad will import them  without  having
              to restart the psad process.

       --fw-search <fw_search-file>
              By default psad reads its firewall search mode and search strings
              from    the    firewall    search    configuration    file
              /etc/psad/fw_search.conf.  psad can be made to override this path
              by specifying a different file on  the  command  line  with  the
              --fw-search option.

       -F, --Flush
              Remove  any  auto-generated  firewall  block  rules  if psad was
              configured  to  automatically  respond   to   scans   (see   the
              ENABLE_AUTO_IDS variable in psad.conf).

       -S, --Status
              Display the status of any psad processes that may or may not be
              running.  The status output contains a listing of the number  of
              packets  that  have  been  processed  by psad, along with all IP
              addresses and corresponding danger levels that have scanned  the
              network.

       --status-ip <ip>
              Display  status  information  associated  with  ip  such  as the
              protocol packet counters as well as the last 10  packets  logged
              by iptables.

       --status-dl <dl>
              Display  status  information  only for scans that have reached a
              danger level of at least dl.

       --status-sort-dl
              Sort status output by  danger  level.   The  default  output  is
              sorted  by  IP address to show scans that may be associated with
              the same network in an easily readable format.

       --status-brief
              Instruct psad to remove OS guess information and alert  counters
              from  --Status  output.   This is useful for viewing psad status
              info on terminals that are not very wide.

       -m, --messages-file <file>
              This option is used to specify the file that will be  parsed  in
              analysis mode (see the --Analyze-msgs option).  The default path
              is the psad data file /var/log/psad/fwdata.

       -K, --Kill
              Kill the current psad process along with psadwatchd and  kmsgsd.
              This  provides  a  quick and easy way to kill all psad processes
              without having to look in the process table  or  appeal  to  the
              psad-init script.

       -R, --Restart
              Restart  the currently running psad processes.  This option will
              preserve the command line options  that  were  supplied  to  the
              original psad process.

       -B, --Benchmark
              Run  psad  in  benchmark  mode.   By default benchmark mode will
              simulate a scan of 10,000 packets (see the --packets option) and
              then  report  the  elapsed time.  This is useful to see how fast
              psad can process packets on a specific machine.

       -p, --packets <packets>
              Specify the number of packets to use  in  benchmark  mode.   The
              default is 10,000 packets.

       --fw-list-auto
              List  all  rules  in  Netfilter  chains that are used by psad in
              auto-blocking mode.

       --fw-analyze
              Analyze the local iptables ruleset, send any  alerts  if  errors
              are discovered, and then exit.

       --fw-del-chains
              By  default,  if  ENABLE_AUTO_IDS  is  set  to "Y" psad will not
              delete   the   auto-generated   Netfilter   chains   (see    the
              IPT_AUTO_CHAIN  keywords  in psad.conf) if the --Flush option is
              given.  The --fw-del-chains option overrides this  behavior  and
              deletes  the  auto-blocking  chains  from  a  running  Netfilter
              firewall.

       --fw-dump
              Instruct psad to dump the contents of the Netfilter policy  that
              is  running  on  the local system.  All IP addresses are removed
              from the resulting output, so it is safe to  post  to  the  psad
              list,  or communicate to others.  This option is most often used
              with --Dump-conf.

       --fw-block-ip <ip>
              Specify an IP  address  or  network  to  add  to  the  Netfilter
              controls  that  are auto-generated by psad.  This allows psad to
              manage the rule timeouts.

       --fw-file <policy-file>
              Analyze  the  iptables  ruleset  contained  within   policy-file
              instead of the ruleset currently loaded on the local system.

       --interval <seconds>
              Specify  the interval (in seconds) that psad should use to check
              whether or not packets have been logged by the  firewall.   psad
              will  use  the default of 15 seconds unless a different value is
              specified.

       -U, --USR1
              Send a running psad process a USR1 signal.  This will cause psad
              to   dump   the   contents   of  the  %Scan  hash  to  the  file
              "/var/log/psad/scan_hash.$$" where "$$" represents  the  pid  of
              the psad process.  This is mostly useful for debugging purposes,
              but it also allows the administrator  to  peer  into  the  %Scan
              hash,  which  is  the  primary data structure used to store scan
              data within system memory.

       -H, --HUP
              Send all running psad daemons a HUP signal.  This will  instruct
              the  daemons  to  re-read  their  respective configuration files
              without causing scan data to be lost in the process.

       -d, --debug
              Run psad in debugging mode.   This  will  automatically  prevent
              psad  from  running  as a daemon, and will print the contents of
              the %Scan hash and a few  other  things  on  STDOUT  at  crucial
              points as psad executes.

       -D, --Dump-conf
              Dump the current psad config to STDOUT and exit.  Various pieces
              of information such as the home network, alert email  addresses,
              and  DShield user id are removed from the resulting output so it
              is safe to send to others.

       -l, --log-server
              This option should be used if psad is being executed on a syslog
              logging  server.  Running psad on a logging server requires that
              check_firewall_rules() and auto_psad_response() not be  executed
              since the firewall is probably not being run locally.

       -V, --Version
              Print the psad version and exit.

       --no-daemon
              Do  not  run  psad  as  a daemon.  This option will display scan
              alerts on STDOUT instead of emailing them out.

       --no-ipt-errors
              Occasionally   iptables   messages   written   by   syslog    to
              /var/lib/psad/psadfifo or to /var/log/messages do not conform to
              the normal firewall logging format if  the  kernel  ring  buffer
              used by klogd becomes full.  psad will write these messages  to
              /var/log/psad/errs/fwerrorlog by default.  Passing the --no-ipt-
              errors  option will make psad ignore all such erroneous firewall
              messages.

       --no-whois
              By default psad will issue a whois query  against  any  IP  from
              which  a  scan has originated, but this can be disabled with the
              --no-whois command line argument.

       --no-fwcheck
              psad performs a rudimentary check of the firewall  ruleset  that
              exists  on  the  machine  on which psad is deployed to determine
              whether or not the firewall has a compatible configuration (i.e.
              iptables has been configured to log packets).  Passing the --no-
              fwcheck or --log-server options will disable this check.

       --no-auto-dl
              Disable auto danger level assignments.  This will instruct  psad
              not  to  import  any  IP  addresses  or networks from the file
              /etc/psad/auto_dl.

       --no-snort-sids
              Disable snort sid processing mode.  This will instruct  psad  to
              not  import  snort  rules  (for  snort  SID matching in a policy
              generated by fwsnort ).

       --no-signatures
              Disable  psad  signature  processing.    Note   that   this   is
              independent of snort SID matching in iptables messages generated
              by fwsnort and also from the icmp type/code validation routines.

       --no-icmp-types
              Disable icmp type and code field validation.

       --no-passive-os
              By  default psad will attempt to passively (i.e. without sending
              any packets) fingerprint the remote operating system from  which
              a  scan  originates.   Passing  the  --no-passive-os option will
              disable this feature.

       --no-rdns
              psad normally attempts  to  find  the  name  associated  with  a
              scanning  IP  address, but this feature can be disabled with the
              --no-rdns command line argument.

       --no-kmsgsd
              Disable startup of kmsgsd.   This  option  is  most  useful  for
              debugging with individual iptables messages so that new messages
              are not appended to the /var/log/psad/fwdata file.

       --no-netstat
              By default for iptables firewalls psad will determine whether or
              not  your  machine  is  listening  on  a  port  for  which a tcp
              signature has been matched.   Specifying  --no-netstat  disables
              this feature.

       -h, --help
              Print a page of usage information for psad and exit.

FILES

       /etc/psad/psad.conf
              The  main  psad  configuration file which contains configuration
              variables mentioned in the section below.

       /etc/psad/fw_search.conf
              Used to configure the strategy both psad and  kmsgsd  employ  to
              parse iptables messages.  Using configuration directives within
              this file, psad can be configured to parse all iptables messages
              or  only  those  that match specific log prefix strings (see the
              --log-prefix option to iptables).

       /etc/psad/signatures
              Contains the signatures psad uses to  recognize  nasty  traffic.
              The  signatures  are  written  in  a  manner similar to the *lib
              signature files used in the snort IDS.

       /etc/psad/icmp_types
              Contains all valid icmp types and corresponding codes as defined
              by  RFC  792.   By  default,  icmp packets are validated against
              these values and an alert will be generated  if  a  non-matching
              icmp packet is logged by iptables.

       /etc/psad/snort_rules/*.rules
              Snort rules files that are consulted by default unless the --no-
              snort-sids command line argument is given.

       /etc/psad/auto_dl
              Contains a listing of any IP addresses that should be assigned a
              danger  level  based  on  any  traffic  that  is  logged  by the
              firewall.  The syntax is "<IP  address>  <danger  level>"  where
              <danger  level>  is  an  integer  from 0 to 5, with 0 meaning to
              ignore all traffic from <IP address>, and 5  is  to  assign  the
              highest danger level to <IP address>.

       /etc/psad/posf
              Contains   a   listing   of   all   passive   operating   system
              fingerprinting  signatures.   These  signatures  include  packet
              lengths,  ttl,  tos,  IP id, and tcp window size values that are
              specific to various operating systems.

PSAD CONFIGURATION VARIABLES

       This  section  describes  what  each  of  the   more   important   psad
       configuration  variables  do  and  how  they  can be tuned to meet your
       needs.  Most of the variables are located  in  the  psad  configuration
       file   /etc/psad/psad.conf  but  the  FW_SEARCH_ALL  and  FW_MSG_SEARCH
       variables are  located  in  the  file  /etc/psad/fw_search.conf.   Each
       variable  is  assigned sensible defaults for most network architectures
       during the install process.  More information on psad  config  keywords
       may be found at: http://www.cipherdyne.org/psad/config.html

       EMAIL_ADDRESSES
              Contains  a  comma-separated  list  of  email addresses to which
              email alerts will be sent.  The default is "root@localhost".

       HOSTNAME
              Defines the hostname of the machine on which  psad  is  running.
              This will be used in the email alerts generated by psad.

       HOME_NET
              Define  the  internal network(s) that are connected to the local
              system.  This will be used in the  signature  matching  code  to
              determine  whether traffic matches snort rules, which invariably
              contain a source and destination network.  Multiple networks are
              supported  as a comma separated list, and each network should be
              specified in CIDR notation.  Normally the  network(s)  contained
              in  the  HOME_NET  variable  should be directly connected to the
              machine that is running psad.

       IMPORT_OLD_SCANS
              Preserve scan data  across  restarts  of  psad  or  even  across
              reboots  of  the machine.  This is accomplished by importing the
              data contained in the filesystem cache  psad  writes  to  during
              normal  operation  back  into  memory  as  psad is started.  The
              filesystem  cache  data  is  contained  within  the   directory
              /var/log/psad.

       FW_SEARCH_ALL
              Defines  the  search  mode psad uses to parse iptables messages.
              By default FW_SEARCH_ALL is  set  to  "Y"  since  normally  most
              people  want  all  iptables  log  messages to be parsed for scan
              activity.  However, if FW_SEARCH_ALL is set to  "N",  psad  will
              only parse those iptables log messages that match certain search
              strings that appear  in  iptables  logs  with  the  --log-prefix
              option.   This is useful for restricting psad to only operate on
              specific iptables chains or rules.  The  strings  that  will  be
              searched  for  are  defined with the FW_MSG_SEARCH variable (see
              below).  The FW_SEARCH_ALL  variable  is  defined  in  the  file
              /etc/psad/fw_search.conf since it is referenced by both psad and
              kmsgsd.

       FW_MSG_SEARCH
              Defines a set of search  strings  that  psad  uses  to  identify
              iptables  messages  that  should  be  parsed  for scan activity.
              These  search  strings  should  match  the  log  prefix  strings
              specified  in the iptables ruleset with the --log-prefix option,
              and the default value for FW_MSG_SEARCH is  "DROP".   Note  that
              psad   normally   parses  all  iptables  messages,  and  so  the
              FW_MSG_SEARCH variable is  only  needed  if  FW_SEARCH_ALL  (see
              above)  is set to "N".  The FW_MSG_SEARCH variable is referenced
              by  both  psad  and   kmsgsd   so   it   lives   in   the   file
              /etc/psad/fw_search.conf.
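       The following Python example is added here and is not code from  the
       psad  project  (which  is  written  in  Perl).  It shows, on a few log
       lines constructed for the example, the two steps  described  in  the
       DESCRIPTION  and  in  the  FW_SEARCH_ALL/FW_MSG_SEARCH  entries above:
       kmsgsd keeping only iptables messages (and, with  FW_SEARCH_ALL=N,  only
       those  whose  --log-prefix  string  contains  one  of the FW_MSG_SEARCH
       strings), and psad mapping the logged tcp flags to a scan type and the
       nmap option that produces it.  The regular expression, the helper names
       and the scan-type table are assumptions of the example, not psad's own.

```python
"""Parse iptables log lines the way the kmsgsd/psad pipeline does.

Added example, not code from the psad project.  The log lines, the regular
expression, the helper names and the scan-type table are constructed/assumed
for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed kernel log lines in the format written by iptables LOG rules:
# a "DROP " --log-prefix on most, "ACCEPT " on one, plus one non-firewall line.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1024 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1025 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  3 10:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1026 PROTO=TCP SPT=41000 DPT=25 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:15:02 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=1027 PROTO=UDP SPT=41001 DPT=53 LEN=8
Mar  3 10:15:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=1028 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:04 fw kernel: usb 1-1: new high speed USB device using ehci_hcd
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR")

# Logged flag set -> (scan name as psad reports it, nmap switch that sends it)
SCAN_TYPES = {
    frozenset(["SYN"]): ("syn", "-sS"),
    frozenset(["FIN"]): ("fin", "-sF"),
    frozenset(["URG", "PSH", "FIN"]): ("xmas", "-sX"),
    frozenset(): ("null", "-sN"),
    frozenset(["ACK"]): ("ack", "-sA"),
}

# Text between "kernel:" and the first "IN=" is the rule's --log-prefix string.
KMSG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*IN=")


@dataclass
class Packet:
    prefix: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    flags: frozenset = field(default_factory=frozenset)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def scan_type(self):
        """(name, nmap option) for a tcp packet, None for other protocols."""
        if self.proto != "TCP":
            return None
        return SCAN_TYPES.get(self.flags, ("unknown", None))


def parse_line(line):
    """Return a Packet for an iptables log line, or None for any other line."""
    m = KMSG_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in line[m.end() - 3:].split():          # start at the "IN=" token
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)             # first LEN=/ID= is the IP header's
        elif tok in TCP_FLAGS:
            flags.add(tok)                          # bare tcp flag tokens; "DF" is skipped
    if "SRC" not in fields or "PROTO" not in fields:
        return None

    def num(key):
        return int(fields[key]) if key in fields else None

    return Packet(prefix=m.group("prefix"), src=fields["SRC"], dst=fields["DST"],
                  proto=fields["PROTO"], dport=num("DPT"), flags=frozenset(flags),
                  icmp_type=num("TYPE"), icmp_code=num("CODE"))


def kmsgsd_filter(lines, fw_search_all=True, fw_msg_search=("DROP",)):
    """Keep iptables lines; with FW_SEARCH_ALL=N keep only those whose
    --log-prefix contains one of the FW_MSG_SEARCH strings."""
    kept = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if not fw_search_all and not any(s in pkt.prefix for s in fw_msg_search):
            continue
        kept.append(pkt)
    return kept


if __name__ == "__main__":
    for p in kmsgsd_filter(SAMPLE_LOG.splitlines(), fw_search_all=False):
        print(p.src, "->", p.dst, p.proto, p.dport, p.scan_type())
```

       With FW_SEARCH_ALL=Y the ACCEPT line is parsed too, which is why  the
       page  recommends  a  "drop  and  log"  policy:  only then is the stream
       kmsgsd hands to psad limited to packets the firewall rejected.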

       SYSLOG_DAEMON
              Define  the  specific  syslog  daemon that psad should interface
              with.  Psad supports three syslog daemons:  syslogd,  syslog-ng,
              and metalog.  The default value of SYSLOG_DAEMON is syslogd.

       IGNORE_PORTS
              Specify  a  list  of  port  ranges  and/or  individual ports and
              corresponding protocols that psad should completely ignore.  This
              is particularly useful for ignoring ports that are used as a part
              of    a    port    knocking    scheme    (such     as     fwknop
              http://www.cipherdyne.org/fwknop)   for  network  authentication
              since such log messages generated  by  the  knock  sequence  may
              otherwise  be interpreted as a scan.  Multiple ports and/or port
              ranges  may  be  specified  as  a  comma-separated  list,   e.g.
              "tcp/22, tcp/61000-61356, udp/53".

       ENABLE_PERSISTENCE
              If  "Y",  psad  will  keep  all scans in memory and not let them
              timeout.   This  can  help  discover  stealthy  scans  where  an
              attacker tries to slip beneath IDS thresholds by only scanning a
              few ports over a long period of time.  ENABLE_PERSISTENCE is set
              to "Y" by default.

       SCAN_TIMEOUT
              If ENABLE_PERSISTENCE is "N" then psad will use the value set by
              SCAN_TIMEOUT  to  remove  packets  from   the   scan   threshold
              calculation.  The default is 3600 seconds (1 hour).

       DANGER_LEVEL{1,2,3,4,5}
              psad uses a scoring system to keep track of the severity  a  scan
              reaches  (represented  as  a  "danger  level")  over  time.   The
              DANGER_LEVEL{n} variables define the number of packets that must
              be  dropped  by  the  firewall  before  psad  will  assign   the
              respective  danger  level  to  the  scan.   A  scan  may also be
              assigned a  danger  level  if  the  scan  matches  a  particular
              signature  contained  in  the  signatures  file.  There are five
              possible danger levels with one being the lowest  and  five  the
              highest.   Note there are several factors that can influence how
              danger levels are calculated: whether or not a  scan  matches  a
              signature   listed   in   /etc/psad/signatures,   the  value  of
              PORT_RANGE_SCAN_THRESHOLD (see below), whether  or  not  a  scan
              comes  from  an IP that is listed in the /etc/psad/auto_dl file,
              and finally whether or not  scans  are  allowed  to  timeout  as
              determined  by SCAN_TIMEOUT above.  If a signature is matched or
              the  scanning  IP  is  listed  in  /etc/psad/auto_dl,  then  the
              corresponding  danger  level  is  automatically  assigned to the
              scan.

       PORT_RANGE_SCAN_THRESHOLD
              Defines the minimum difference between the lowest port  and  the
              highest  port  scanned before an alert is sent (the default is 1
              which means that at least two ports must be scanned to  generate
              an alert).  For example, suppose an ip repeatedly scans a single
              port for which there is  no  special  signature  in  signatures.
              Then  if  PORT_RANGE_SCAN_THRESHOLD=1,  psad  will never send an
              alert for this "scan" no matter how many packets are sent to the
              port  (i.e.  no matter what the value of DANGER_LEVEL1 is).  The
              reason for the default of 1 is that a "scan" usually means  that
              at  least two ports are probed, but if you want psad to be extra
              paranoid you can set  PORT_RANGE_SCAN_THRESHOLD=0  to  alert  on
              scans  to  single  ports  (as long as the number of packets also
              exceeds DANGER_LEVEL1).
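       The following Python example is added here and is not psad's own code.
       It applies the DANGER_LEVEL{n} packet counts, PORT_RANGE_SCAN_THRESHOLD,
       IGNORE_PORTS and the /etc/psad/auto_dl syntax described above  (and  in
       the  FILES  section)  to  a  constructed  set  of  logged  packets.  The
       threshold values, the auto_dl contents, the packet tuples and the function
       names are assumptions of the example; the signature  and  SCAN_TIMEOUT
       factors that psad also weighs are left out.

```python
"""Danger-level scoring in the style of psad.

Added example, not code from the psad project.  Thresholds, auto_dl contents
and the packet list are constructed for the example.
"""
import ipaddress

# psad.conf-style tunables (values assumed for this example).
DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}   # DANGER_LEVEL{1..5}
PORT_RANGE_SCAN_THRESHOLD = 1
IGNORE_PORTS = "tcp/22, tcp/61000-61356, udp/53"

# Constructed /etc/psad/auto_dl: "<IP address or CIDR> <danger level>", 0 = ignore.
AUTO_DL = """\
127.0.0.1      0
10.0.0.0/8     0
203.0.113.66   5
"""

# Constructed (src, proto, dport) tuples as psad would extract them from fwdata.
SAMPLE_PACKETS = (
    [("203.0.113.7", "tcp", p) for p in range(1, 21)]            # 20 ports probed
    + [("198.51.100.4", "tcp", 80)] * 30                          # one port, repeatedly
    + [("10.9.9.9", "tcp", p) for p in range(1000, 1100)]         # inside an ignored net
    + [("203.0.113.66", "udp", 161)]                              # known repeat offender
    + [("192.0.2.77", "tcp", p) for p in (61000, 61001, 61002)]   # port-knock sequence
    + [("192.0.2.77", "udp", 53)]
)


def parse_ignore_ports(spec):
    """'tcp/22, tcp/61000-61356, udp/53' -> {(proto, lo, hi), ...}"""
    ranges = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, ports = item.partition("/")
        lo, _, hi = ports.partition("-")
        ranges.add((proto.lower(), int(lo), int(hi or lo)))
    return ranges


def port_ignored(proto, port, ranges):
    return any(p == proto.lower() and lo <= port <= hi for p, lo, hi in ranges)


def parse_auto_dl(text):
    """Return [(ip_network, level), ...] from auto_dl text; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, level = line.split()
        entries.append((ipaddress.ip_network(net, strict=False), int(level)))
    return entries


def auto_dl_lookup(ip, entries):
    """Forced danger level for ip (0 means ignore it), or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, level in entries:
        if addr in net:
            return level
    return None


def danger_level(packets, ignore=IGNORE_PORTS, auto_dl=AUTO_DL,
                 levels=DANGER_LEVELS, range_threshold=PORT_RANGE_SCAN_THRESHOLD):
    """Map each source IP to a danger level 0..5 (0 = no alert)."""
    ranges = parse_ignore_ports(ignore)
    overrides = parse_auto_dl(auto_dl)
    per_src = {}
    for src, proto, dport in packets:
        if port_ignored(proto, dport, ranges):
            continue                        # IGNORE_PORTS: never counted at all
        stats = per_src.setdefault(src, {"count": 0, "ports": set()})
        stats["count"] += 1
        stats["ports"].add(dport)

    result = {}
    for src, stats in per_src.items():
        forced = auto_dl_lookup(src, overrides)
        if forced is not None:
            result[src] = forced            # auto_dl wins: 0 ignores, 5 is the maximum
            continue
        # PORT_RANGE_SCAN_THRESHOLD: spread between lowest and highest port probed
        if max(stats["ports"]) - min(stats["ports"]) < range_threshold:
            result[src] = 0
            continue
        # Highest DANGER_LEVEL{n} whose packet count has been reached
        result[src] = max([n for n, need in levels.items() if stats["count"] >= need],
                          default=0)
    return result


if __name__ == "__main__":
    for src, dl in sorted(danger_level(SAMPLE_PACKETS).items()):
        print(f"{src:15} danger level {dl}")
```

       Note how the host that hammers a single port never  alerts  with  the
       default  PORT_RANGE_SCAN_THRESHOLD=1,  while  the  same  input  with the
       threshold set to 0 scores it at level 2; that is the  "extra  paranoid"
       trade-off described above.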

       SHOW_ALL_SIGNATURES
              If "Y", psad will display all signatures detected from a  single
              scanning  IP  since  a  scan  was first detected instead of just
              displaying newly-detected  signatures.   SHOW_ALL_SIGNATURES  is
              set  to  "N"  by default.  All signatures are listed in the file
              /etc/psad/signatures.

       SNORT_SID_STR
              Defines the string  kmsgsd  will  search  for  in  iptables  log
              messages that are generated by iptables rules designed to detect
              snort   rules.    The   default   is   "SID".     See    fwsnort
              (http://www.cipherdyne.org/fwsnort/).

       ENABLE_DSHIELD_ALERTS
              Enable  dshield  alerting mode.  This will send a parsed version
              of iptables log  messages  to  dshield.org  which  is  a  (free)
              distributed  intrusion detection service.  For more information,
              see http://www.dshield.org.

       IGNORE_CONNTRACK_BUG_PKTS
              If "Y", all tcp packets that have the ACK or RST flag  bits  set
              will  be ignored by psad since usually we see such packets being
              blocked as a result of the  iptables  connection  tracking  bug.
              Note  there  are no signatures that make use of the RST flag and
              very few that use ACK flag.

       ALERT_ALL
              If "Y", send email for all new bad packets instead of just  when
              a danger level increases.  ALERT_ALL is set to "Y" by default.

       PSAD_EMAIL_LIMIT
              Defines  the  maximum  number  of emails that will be sent for a
              single scanning IP (default is 50).   This  variable  gives  you
              some  protection  from  psad  sending  countless alerts if an IP
              scans your machine constantly.  psad will send a  special  alert
              if  an  IP has exceeded the email limit.  If PSAD_EMAIL_LIMIT is
              set to zero, then psad will ignore  the  limit  and  send  alert
              emails indefinitely for any scanning ip.

       EMAIL_ALERT_DANGER_LEVEL
              Defines  the  danger level a scan must reach before any alert is
              sent.  This variable is set to 1 by default.

       ENABLE_AUTO_IDS
              psad has the capability of dynamically blocking all traffic from
              an  IP  that  has  reached a (configurable) danger level through
              modification of iptables  or  tcpwrapper  rulesets.   IMPORTANT:
              This  feature is disabled by default since it is possible for an
              attacker to spoof packets from a  well  known  (web)site  in  an
              effort  to  make  it  look  as  though the site is scanning your
              machine, and then psad will consequently block all access to it.
              Also,  psad  works  by parsing firewall messages for packets the
              firewall has already dropped, so the  "scans"  are  unsuccessful
              anyway.   However,  some administrators prefer to take this risk
              anyway reasoning that they can always  review  which  sites  are
              being  blocked  and  manually remove the block if necessary (see
              the --Flush option).  Your mileage will vary.

       AUTO_IDS_DANGER_LEVEL
              Defines the danger level a scan  must  reach  before  psad  will
              automatically block the IP (ENABLE_AUTO_IDS must be set to "Y").

EXAMPLES

       The following examples illustrate the command line arguments that could
       be supplied to psad in a few situations:

       Signature  checking, passive OS fingerprinting, and automatic IP danger
       level assignments are enabled by default without having to specify  any
       command line arguments (best for most situations):

       # psad

       Same as above, but this time we use the init script to start psad:

       # /etc/init.d/psad start

       Use  psad  as a forensics tool to analyze an old iptables logfile (psad
       defaults to analyzing the /var/log/messages file if the  -m  option  is
       not specified):

       # psad -A -m <iptables logfile>

       The  psad.conf,  signatures,  and  auto_dl  files  are normally located
       within the /etc/psad/ directory, but the paths to each of  these  files
       can be changed:

       # psad -c <config file> -s <signatures file> -a <auto ips file>

       Disable  the firewall check and the local port lookup subroutines; most
       useful if psad is deployed on a syslog logging server:

       # psad --log-server --no-netstat

       Disable reverse dns and whois lookups of scanning  IP  addresses;  most
       useful if speed of psad is the main concern:

       # psad --no-rdns --no-whois

DEPENDENCIES

       psad  requires that iptables is configured with a "drop and log" policy
       for any traffic that  is  not  explicitly  allowed  through.   This  is
       consistent  with  a secure network configuration since all traffic that
       has not been explicitly allowed  should  be  blocked  by  the  firewall
       ruleset.   By  default,  psad  attempts to determine whether or not the
       firewall has been configured in this way.  This feature can be disabled
       with the --no-fwcheck or --log-server options.  The --log-server option
       is useful if psad is  running  on  a  syslog  logging  server  that  is
       separate  from  the  firewall.   For  more  information  on  compatible
       iptables rulesets, see the FW_EXAMPLE_RULES file that is  bundled  with
       the psad source distribution.

       psad  also  requires  that  syslog be configured to write all kern.info
       messages to the named pipe /var/lib/psad/psadfifo.  A simple

              echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf

       will  do.   Remember  also  to restart syslog after the changes to this
       file.

DIAGNOSTICS

       The --debug option can be used to display crucial information about the
       psad  data  structures  on  STDOUT  as  a  scan  generates firewall log
       messages.  --debug disables daemon mode execution.

       Another more effective way to peer into the runtime execution  of  psad
       is to send (as root) a USR1 signal to the psad process which will cause
       psad   to   dump    the    contents    of    the    %Scan    hash    to
       /var/log/psad/scan_hash.$$  where  $$  represents  the  pid of the psad
       process.

SEE ALSO

       iptables(8), kmsgsd(8), psadwatchd(8), fwsnort(8),  snort(8),  nmap(1),
       pscan(8), diskmond(8), p0f(1)

AUTHOR

       Michael Rash <mbr@cipherdyne.org>

BUGS

       Send  bug  reports  to mbr@cipherdyne.org.  Suggestions and/or comments
       are always welcome as well.

       - For iptables firewalls as of Linux  kernel  version  2.4.26,  if  the
       ip_conntrack  module  is  loaded  (or compiled into the kernel) and the
       firewall has been configured to keep state of connections, occasionally
       packets  that are supposed to be part of normal TCP traffic will not be
       correctly identified due to a bug in the firewall  state  timeouts  and
       hence dropped.  Such packets will then be interpreted as a scan by psad
       even though they are not part of any malicious activity.   Fortunately,
       an   interim   fix   for   this   problem   is  to  simply  extend  the
       TCP_CONNTRACK_CLOSE_WAIT           timeout           value           in
       linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c  from 60 seconds to 2
       minutes, and a set of kernel patches is included  within  the  patches/
       directory  in  the  psad  sources  to  change this.  (Requires a kernel
       recompile of course; see  the  Kernel-HOWTO.)   Also,  by  default  the
       IGNORE_CONNTRACK_BUG_PKTS  variable  is  set  to "Y" in psad.conf which
       causes psad to ignore all tcp packets that have the ACK bit set  unless
       the packets match a specific signature.
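       As an added example (not psad's own code), the following Python parses
       a few constructed iptables LOG lines, derives the scan type from the TCP
       flag tokens as described in DESCRIPTION, and applies the
       IGNORE_CONNTRACK_BUG_PKTS rule from this section so that a stray ACK
       from a timed-out session is not counted as a scan; the signature table
       and its format are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample iptables LOG lines (not real traffic). The last one is a
# late ACK from a web server's port 443: the conntrack-timeout false positive
# described under BUGS, not a scan.
SAMPLE_LOG = [
    "Jan  1 00:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan  1 00:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jan  1 00:00:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 FIN URG PSH URGP=0",
    "Jan  1 00:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Flag set -> scan name psad reports, with the nmap option that produces it.
SCAN_TYPES = {
    frozenset({"SYN"}): "syn (nmap -sS)",
    frozenset({"FIN"}): "fin (nmap -sF)",
    frozenset({"FIN", "PSH", "URG"}): "xmas (nmap -sX)",
    frozenset(): "null (nmap -sN)",
    frozenset({"ACK"}): "ack (nmap -sA)",
}
# Hypothetical signature format for this example: name -> (dest port, flags).
SIGNATURES = {"example backdoor probe": (31337, {"ACK"})}

def parse_log_line(line):
    """Return the KEY=value fields plus a FLAGS set, or None for non-LOG lines."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    # iptables prints TCP flags as bare tokens ("SYN", "FIN URG PSH", ...)
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def matches_signature(pkt):
    return any(int(pkt["DPT"]) == dpt and pkt["FLAGS"] == flags
               for dpt, flags in SIGNATURES.values())

def is_conntrack_bug_pkt(pkt, ignore_conntrack_bug_pkts=True):
    """IGNORE_CONNTRACK_BUG_PKTS=Y: skip TCP packets with ACK set unless a
    signature matches, so late ACKs from timed-out sessions are not scans."""
    return (ignore_conntrack_bug_pkts and pkt["PROTO"] == "TCP"
            and "ACK" in pkt["FLAGS"] and not matches_signature(pkt))

def analyze(lines, ignore_conntrack_bug_pkts=True):
    """Per source IP, collect the probed ports and TCP scan types counted."""
    report = defaultdict(lambda: {"ports": set(), "types": set()})
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None or is_conntrack_bug_pkt(pkt, ignore_conntrack_bug_pkts):
            continue
        report[pkt["SRC"]]["ports"].add(int(pkt["DPT"]))
        if pkt["PROTO"] == "TCP":
            report[pkt["SRC"]]["types"].add(SCAN_TYPES.get(frozenset(pkt["FLAGS"]), "other"))
    return dict(report)
```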

DISTRIBUTION

       psad is distributed under the GNU General Public License (GPL), and the
       latest version may be downloaded from: http://www.cipherdyne.org