Provided by: psad_2.1.7-1_i386 bug


       psad - The Port Scan Attack Detector


       psad [options]


       psad  makes  use  of  iptables  log  messages  to  detect,  alert,  and
       (optionally) block port scans and other suspect traffic.  For TCP scans
       psad  analyzes  TCP  flags  to determine the scan type (syn, fin, xmas,
       etc.) and corresponding command line options that could be supplied  to
       nmap to generate such a scan.  In addition, psad makes use of many TCP,
       UDP, and ICMP signatures contained within the Snort intrusion detection
       system (see to detect suspicious network traffic
       such as probes for common  backdoors,  DDoS  tools,  OS  fingerprinting
       attempts,  and  more.   By  default psad also provides alerts for snort
       rules that are detected directly by  iptables  through  the  use  of  a
       ruleset   generated  by  fwsnort  (
       This enables psad to send alerts for application layer  attacks.   psad
       features  a set of highly configurable danger thresholds (with sensible
       defaults  provided)  that  allow  the  administrator  to  define   what
       constitutes a port scan or other suspect traffic.  Email alerts sent by
       psad contain the scanning ip, number of packets sent to each port,  any
       TCP,  UDP,  or  ICMP signatures that have been matched (e.g. "NMAP XMAS
       scan"), the scanned port range, the current danger level (from 1 to 5),
       reverse  dns  info,  and  whois  information.   psad  also makes use of
       various packet  header  fields  associated  with  TCP  SYN  packets  to
       passively  fingerprint remote operating systems (in a manner similar to
       the p0f fingerprinter) from which scans originate.  This  requires  the
       use  of  the  --log-tcp-options argument for iptables logging rules; if
       this option is not used, psad will fall back to a fingerprinting method
       that  makes  use  of  packet length, TTL and TOS values, IP ID, and TCP
       window sizes.

       psad configures syslog to write all messages to a named  pipe
       /var/lib/psad/psadfifo and then reads all messages out of the pipe that
       are matched by a string designed to catch any packets  that  have  been
       logged  (and  possibly  dropped)  by the firewall.  In this way psad is
       supplied with a pure data stream that exclusively contains packets that
       the  firewall  has deemed unfit to enter the network.  psad consists of
       three daemons: psad, kmsgsd, and psadwatchd.  psad is  responsible  for
       processing  all  packets  that  have  been  logged  by the firewall and
       applying the signature logic in order to determine what  type  of  scan
       has  been  leveraged  against the machine and/or network.  kmsgsd reads
       all messages that have been written to the /var/lib/psad/psadfifo named
       pipe   and  writes  any  message  that  matches  a  particular  regular
       expression  (or  string)  to  /var/log/psad/fwdata.   psadwatchd  is  a
       software watchdog that will restart any of the other two daemons should
       a daemon die for any reason.


       -A, --Analyze-msgs
              Analyze an iptables logfile  for  scans  and  exit.   This  will
              generate  email  alerts  just  as  a normal running psad process
              would have for all logged scans.  By default the psad data  file
              /var/log/psad/fwdata  is  parsed for old scans, but any file can
              be specified through the use of the --messages-file command line
              option.   For  example  it might be useful to point psad at your
              /var/log/messages file.

       -i, --interface <interface>
              Specify the interface that psad will examine  for  iptables  log
              messages.   This interface will be the IN= interface for packets
              that are logged in the INPUT and FORWARD chains,  and  the  OUT=
              interface for packets logged in the OUTPUT chain.

              Instruct  psad  to  download  the  latest  set of modified Snort
              signatures  from   so
              that  psad  can take advantage of signature updates before a new
              release is made.

       -O, --Override-config <file>
              Override config variable values that are normally read from  the
              /etc/psad/psad.conf  file  with  values from the specified file.
              Multiple override config files can be given as a comma separated

       -D, --Dump-conf
              Dump the current psad config to STDOUT and exit.  Various pieces
              of information such as the home network, alert email  addresses,
              and  DShield user id are removed from the resulting output so it
              is safe to send to others.

       -F, --Flush
              Remove any auto-generated  firewall  block  rules  if  psad  was
              configured   to   automatically   respond   to  scans  (see  the
              ENABLE_AUTO_IDS variable in psad.conf).

       -S, --Status
              Display the status of any psad processes  that  may  or  not  be
              running.   The status output contains a listing of the number of
              packets that have been processed by  psad,  along  with  all  IP
              addresses  and corresponding danger levels that have scanned the

       --status-ip <ip>
              Display status  information  associated  with  ip  such  as  the
              protocol  packet  counters as well as the last 10 packets logged
              by iptables.

       --status-dl <dl>
              Display status information only for scans that  have  reached  a
              danger level of at least dl

              Instruct  psad to omit detailed IP information from --Status and
              --Analyze modes.

       -m, --messages-file <file>
              This option is used to specify the file that will be  parsed  in
              analysis mode (see the --Analyze-msgs option).  The default path
              is the psad data file /var/log/psad/fwdata.

       --CSV  Instruct  psad  to  parse   iptables   log   messages   out   of
              /var/log/messages  (by defult, but this path can be changed with
              the -m option), and print the packet fields on STDOUT in  comma-
              separate value format.  This is useful for graphing iptables log
              data              with              AfterGlow               (see

       --CSV-fields <tokens>
              Instruct  psad  to  only  include a specific set of iptables log
              message fields within the CSV output.  AfterGlow accepts  up  to
              three  fields  for  its  graph data, so the most common usage of
              this option is "src dst dp" to print the source and  destination
              IP addresses, and the destination port number.

       -K, --Kill
              Kill  the current psad process along with psadwatchd and kmsgsd.
              This provides a quick and easy way to kill  all  psad  processes
              without  having  to  look  in the process table or appeal to the
              psad-init script.

       -R, --Restart
              Restart the currently running psad processes.  This option  will
              preserve  the  command  line  options  that were supplied to the
              original psad process.

       -U, --USR1
              Send a running psad process a USR1 signal.  This will cause psad
              to   dump   the   contents   of  the  %Scan  hash  to  the  file
              "/var/log/psad/scan_hash.$$" where "$$" represents  the  pid  of
              the psad process.  This is mostly useful for debugging purposes,
              but it also allows the administrator  to  peer  into  the  %Scan
              hash,  which  is  the  primary data structure used to store scan
              data within system memory.

       -H, --HUP
              Send all running psad daemons a HUP signal.  This will  instruct
              the  daemons  to  re-read  their  respective configuration files
              without causing scan data to be lost in the process.

       -B, --Benchmark
              Run psad in benchmark mode.   By  default  benchmark  mode  will
              simulate a scan of 10,000 packets (see the --packets option) and
              then report the elapsed time.  This is useful to  see  how  fast
              psad can process packets on a specific machine.

       -p, --packets <packets>
              Specify  the  number  of  packets to use in benchmark mode.  The
              default is 10,000 packets.

       -d, --debug
              Run psad in debugging mode.   This  will  automatically  prevent
              psad  from  running  as a daemon, and will print the contents of
              the %Scan hash and a few  other  things  on  STDOUT  at  crucial
              points as psad executes.

       -c, --config <configuration-file>
              By  default  all of the psad makes use of the configuration file
              /etc/psad/psad.conf for  almost  all  configuration  parameters.
              psad can be made to override this path by specifying a different
              file on the command line with the --config option.

       --signatures <signatures-file>
              The iptables firewalling code included within  the  linux  2.4.x
              kernel  series has the ability to distinguish and log any of the
              TCP flags present within TCP packets that traverse the  firewall
              interfaces.  psad makes use of this logging capability to detect
              several  types  of   TCP   scan   signatures   included   within
              /etc/psad/signatures.   The  signatures were originally included
              within the snort intrusion detection system.  New signatures can
              be included and modifications to existing signatures can be made
              to the signature file and psad  will  import  the  changes  upon
              receiving  a  HUP  signal  (see  the  --HUP command line option)
              without having to restart the psad process.  psad  also  detects
              many  UDP  and  ICMP  signatures  that  were originally included
              within snort.

       -e, --email-analysis
              Send alert emails when run in --Analyze-msgs mode.  Depending on
              the  size  of  the  iptables logfile, using the --email-analysis
              option could extend the runtime of psad by  quite  a  bit  since
              normally  both DNS and whois lookups will be issued against each
              scanning IP address.  As usual these  lookups  can  be  disabled
              with the --no-rdns and --no-whois options respectively.

       -w, --whois-analysis
              By  default  psad  does  not issue whois lookups when running in
              --Analyze-msgs mode.  The --whois-analysis option will  override
              this  behavior  (when run in analysis mode) and instruct psad to
              issue whois lookups against IP addresses  from  which  scans  or
              other suspect traffic has originated.

       --snort-type <type>
              Restrict  the  type  of snort sids to type.  Allowed types match
              the file names given  to  snort  rules  files  such  as  "ddos",
              "backdoor", and "web-attacks".

       --snort-rdir <snort-rules-directory>
              Manually  specify  the directory where the snort rules files are
              located.  The default is /etc/psad/snort_rules.

       --passive-os-sigs <passive-os-sigs-file>
              Manually specify  the  path  to  the  passive  operating  system
              fingerprinting signatures file.  The default is /etc/psad/posf.

       -a, --auto-dl <auto-dl-file>
              Occasionally  certain  IP  addresses  are  repeat  offenders and
              should automatically be given a higher danger level  than  would
              normally  be  assigned.   Additionally,  some  IP  addresses can
              always be ignored depending on your network  configuration  (the
              loopback  interface  might  be  a  good candidate for
              example).  /etc/psad/auto_dl provides an interface for  psad  to
              automatically   increase/decrease/ignore   scanning   IP  danger
              levels.  Modifications can be  made  to  auto_dl  (installed  by
              default  in  /etc/psad) and psad will import them with 'psad -H'
              or by restarting the psad process.

       --fw-search <fw_search-file>
              By default all of the psad makes  use  of  the  firewall  search
              configuration  file /etc/psad/fw_search.conf for firewall search
              mode and search strings.  psad can be made to override this path
              by  specifying  a  different  file  on the command line with the
              --fw-search option.

              List all rules in iptables chains that are used by psad in auto-
              blocking mode.

              Analyze  the  local  iptables ruleset, send any alerts if errors
              are discovered, and then exit.

              By default, if ENABLE_AUTO_IDS is  set  to  "Y"  psad  will  not
              delete    the    auto-generated   iptables   chains   (see   the
              IPT_AUTO_CHAIN keywords in psad.conf) if the --Flush  option  is
              given.   The  --fw-del-chains option overrides this behavior and
              deletes  the  auto-blocking  chains  from  a  running   iptables

              Instruct  psad  to dump the contents of the iptables policy that
              is running on the local system.  All IP  addresses  are  removed
              from  the  resulting  output,  so it is safe to post to the psad
              list, or communicate to others.  This option is most often  used
              with --Dump-conf.

       --fw-block-ip <ip>
              Specify an IP address or network to add to the iptables controls
              that are auto-generated by psad.  This allows psad to manage the
              rule timeouts.

       --fw-rm-block-ip <ip>
              Specify  an  IP  address  or network to remove from the iptables
              controls that are auto-generated by psad.

       --fw-file <policy-file>
              Analyze  the  iptables  ruleset  contained  within   policy-file
              instead of the ruleset currently loaded on the local system.

       --CSV-regex <regex>
              Instruct  psad  to only print CSV data that matches the supplied
              regex.  This regex is used to match against each of  the  entire
              iptables log messages.

       --CSV-neg-regex <regex>
              Instruct  psad  to  only  print CSV data that does not match the
              supplied regex.  This regex is used to negatively match  against
              each of the entire iptables log messages.

              Instruct psad to only print unique CSV data.  That is, each line
              printed in --CSV mode will be unique.

       --CSV-max-lines <num>
              Limit the number of CSV-formatted lines that psad  generates  on
              STDOUT.   This is useful to allow AfterGlow graphs to be created
              that are not too cluttered.

       --CSV-start-line <num>
              Specify the beginning line number to start parsing  out  of  the
              iptables log file in --CSV output mode.  This is useful for when
              the log file is extremely large, and you want to begin parsing a
              specific place within the file.  The default is begin parsing at
              the beginning of the file.

       --CSV-end-line <num>
              Specify the ending line number to stop parsing the iptables  log
              file in --CSV output mode.  This is useful for when the log file
              is extremely large, and you do not  want  psad  to  process  the
              entire thing.

              Enter  into Gnuplot mode whereby psad parses an iptables logfile
              and creates .gnu and .dat files that are suitable  for  graphing
              with Gnuplot.  The various --CSV command line arguments apply to
              plotting iptables log with Gnuplot.

       --gnuplot-template <file>
              Use a template file for all Gnuplot graphing directives (this is
              usually a .gnu file by convention).  Normally psad builds all of
              the graphing directives based on various --gnuplot command  line
              arguments,  but  the  --gnuplot-template  switch  allows  you to
              override this behavior.

       --gnuplot-file-prefix <file>
              Specify a prefix for the .gnu, .dat, and  .png  files  that  are
              generated  in  --gnuplot  mode.   So,  when  visualizing attacks
              captured in an iptables logfile (let's say you are interested in
              port  scans),  you could use this option to have psad create the
              two files portscan.dat, portscan.gnu, and Gnuplot will create an
              additional  file  portscan.png  when  the  portscan.gnu  file is

       --gnuplot-x-label <label>
              Set the label associated with the x-axis.

       --gnuplot-x-range <range>
              Set the x-axis range.

       --gnuplot-y-label <label>
              Set the label associated with the y-axis.

       --gnuplot-y-range <range>
              Set the y-axis range.

       --gnuplot-z-label <label>
              Set the label associated with the z-axis (only  if  --gnuplot-3D
              is used).

       --gnuplot-z-range <range>
              Set the z-axis range. (only if --gnuplot-3D is used).

              Generate   a  Gnuplot  splot  graph.   This  produces  a  three-
              dimensional graph.

              Set the viewing angle when graphing data in --gnuplot-3D mode.

       --gnuplot-title <title>
              Set the graph title for the Gnuplot graph.

       -I, --Interval <seconds>
              Specify the interval (in seconds) that psad should use to  check
              whether  or  not packets have been logged by the firewall.  psad
              will use the default of 15 seconds unless a different  value  is

       -l, --log-server
              This option should be used if psad is being executed on a syslog
              logging server.  Running psad on a logging server requires  that
              check_firewall_rules()  and auto_psad_response() not be executed
              since the firewall is probably not being run locally.

       -V, --Version
              Print the psad version and exit.

              Do not run psad as a daemon.   This  option  will  display  scan
              alerts on STDOUT instead of emailing them out.

              Occasionally    iptables   messages   written   by   syslog   to
              /var/lib/psad/psadfifo or to /var/log/messages do not conform to
              the  normal  firewall  logging  format if the kernel ring buffer
              used by klogd becomes full.  psad will write  these  message  to
              /var/log/psad/errs/fwerrorlog by default.  Passing the --no-ipt-
              errors option will make psad ignore all such erroneous  firewall

              By  default  psad  will  issue a whois query against any IP from
              which a scan has originated, but this can be disabled  with  the
              --no-whois command line argument.

              psad  performs  a rudimentary check of the firewall ruleset that
              exists on the machine on which psad  is  deployed  to  determine
              whether or not the firewall has a compatible configuration (i.e.
              iptables has been configured to log packets).  Passing the --no-
              fwcheck or --log-server options will disable this check.

              Disable  auto  danger  level assignments.  This will instruct to
              not  import  any  IP  addresses  or  networks  from   the   file

              Disable  snort  sid processing mode.  This will instruct psad to
              not import snort rules (for  snort  SID  matching  in  a  policy
              generated by fwsnort ).

              Disable   psad   signature   processing.    Note  that  this  is
              independent of snort SID matching in iptables messages generated
              by fwsnort and also from the ICMP type/code validation routines.

              Disable ICMP type and code field validation.

              By  default psad will attempt to passively (i.e. without sending
              any packets) fingerprint the remote operating system from  which
              a  scan  originates.   Passing  the  --no-passive-os option will
              disable this feature.

              psad normally attempts  to  find  the  name  associated  with  a
              scanning  IP  address, but this feature can be disabled with the
              --no-rdns command line argument.

              Disable startup of kmsgsd.   This  option  is  most  useful  for
              debugging with individual iptables messages so that new messages
              are not appended to the /var/log/psad/fwdata file.

              By default for iptables firewalls psad will determine whether or
              not  your  machine  is  listening  on  a  port  for  which a TCP
              signature has been matched.   Specifying  --no-netstat  disables
              this feature.

       -h, --help
              Print a page of usage information for psad and exit.


              The  main  psad  configuration file which contains configuration
              variables mentioned in the section below.

              Used to configure the strategy both psad and  kmsgsd  employ  to
              parse  iptables  messages.  Using configuration directive within
              this file, psad can be configured to parse all iptables messages
              or  only  those  that match specific log prefix strings (see the
              --log-prefix option to iptables).

              Contains the signatures psad uses to  recognize  nasty  traffic.
              The  signatures  are  written  in  a  manner similar to the *lib
              signature files used in the snort IDS.

              Contains all valid ICMP types and corresponding codes as defined
              by  RFC  792.   By  default,  ICMP packets are validated against
              these values and an alert will be generated  if  a  non-matching
              ICMP packet is logged by iptables.

              Snort rules files that are consulted by default unless the --no-
              snort-sids commmand line argument is given.

              Contains a listing of any IP addresses that should be assigned a
              danger  level  based  on  any  traffic  that  is  logged  by the
              firewall.  The syntax is "<IP  address>  <danger  level>"  where
              <danger  level>  is  an  integer  from 0 to 5, with 0 meaning to
              ignore all traffic from <IP address>, and 5  is  to  assign  the
              highest danger level to <IP address>.

              Contains   a   listing   of   all   passive   operating   system
              fingerprinting  signatures.   These  signatures  include  packet
              lengths,  ttl,  tos,  IP ID, and TCP window size values that are
              specific to various operating systems.


       This  section  describes  what  each  of  the   more   important   psad
       configuration  variables  do  and  how  they  can be tuned to meet your
       needs.  Most of the variables are located  in  the  psad  configuration
       file   /etc/psad/psad.conf  but  the  FW_SEARCH_ALL  and  FW_MSG_SEARCH
       variables are  located  in  the  file  /etc/psad/fw_search.conf.   Each
       variable  is  assigned sensible defaults for most network architectures
       during the install process.  More information on psad  config  keywords
       may be found at:

              Contains  a  comma-separated  list  of  email addresses to which
              email alerts will be sent.  The default is "root@localhost".

              Defines the hostname of the machine on which  psad  is  running.
              This will be used in the email alerts generated by psad.

              Define  the  internal network(s) that are connected to the local
              system.  This will be used in the  signature  matching  code  to
              determine  whether traffic matches snort rules, which invariably
              contain a source and destination network.  Multiple networks are
              supported  as a comma separated list, and each network should be
              specified in CIDR notation.  Normally the  network(s)  contained
              in  the  HOME_NET  variable  should be directly connected to the
              machine that is running psad.

              Preserve scan data  across  restarts  of  psad  or  even  across
              reboots  of  the machine.  This is accomplished by importing the
              data contained in the filesystem cache  psad  writes  to  during
              normal  operation  back  into  memory  as  psad is started.  The
              filesystem  cache  data  in  contained  within   the   directory

              Defines  the  search  mode psad uses to parse iptables messages.
              By default FW_SEARCH_ALL is  set  to  "Y"  since  normally  most
              people  want  all  iptables  log  messages to be parsed for scan
              activity.  However, if FW_SEARCH_ALL is set to  "N",  psad  will
              only parse those iptables log messages that match certain search
              strings that appear  in  iptables  logs  with  the  --log-prefix
              option.   This is useful for restricting psad to only operate on
              specific iptables chains or rules.  The  strings  that  will  be
              searched  for  are  defined with the FW_MSG_SEARCH variable (see
              below).  The FW_SEARCH_ALL  variable  is  defined  in  the  file
              /etc/psad/fw_search.conf since it is referenced by both psad and

              Defines a set of search  strings  that  psad  uses  to  identify
              iptables  messages  that  should  be  parsed  for scan activity.
              These  search  strings  should  match  the  log  prefix  strings
              specified  in the iptables ruleset with the --log-prefix option,
              and the default value for FW_MSG_SEARCH is  "DROP".   Note  that
              psad   normally   parses  all  iptables  messages,  and  so  the
              FW_MSG_SEARCH variable is  only  needed  if  FW_SEARCH_ALL  (see
              above)  is set to "N".  The FW_MSG_SEARCH variable is referenced
              by  both  psad  and   kmsgsd   so   it   lives   in   the   file

              Define  the  specific  syslog  daemon that psad should interface
              with.  Psad supports three syslog daemons:  syslogd,  syslog-ng,
              and metalog.  The default value of SYSLOG_DAEMON is syslogd.

              Specify  a  list  of  port  ranges  and/or  individual ports and
              corresponding protocols that psad should complete ignore.   This
              is  particularly useful for ignore ports that are used as a part
              of    a    port    knocking    scheme    (such     as     fwknop
      for  network  authentication
              since such log messages generated  by  the  knock  sequence  may
              otherwise  be interpreted as a scan.  Multiple ports and/or port
              ranges  may  be  specified  as  a  comma-separated  list,   e.g.
              "tcp/22, tcp/61000-61356, udp/53".

              If  "Y",  psad  will  keep  all scans in memory and not let them
              timeout.   This  can  help  discover  stealthy  scans  where  an
              attacker tries to slip beneath IDS thresholds by only scanning a
              few ports over a long period of time.  ENABLE_PERSISTENCE is set
              to "Y" by default.

              If ENABLE_PERSISTENCE is "N" then psad will use the value set by
              SCAN_TIMEOUT  to  remove  packets  from   the   scan   threshold
              calculation.  The default is 3600 seconds (1 hour).

              psad uses a scoring system to keep track of the severity a scans
              reaches (represented  as  a  "danger  level")  over  time.   The
              DANGER_LEVEL{n} variables define the number of packets that must
              be  dropped  by  the  firewall  before  psad  will  assign   the
              respective  danger  level  to  the  scan.   A  scan  may also be
              assigned a  danger  level  if  the  scan  matches  a  particular
              signature  contained  in  the  signatures  file.  There are five
              possible danger levels with one being the lowest  and  five  the
              highest.   Note there are several factors that can influence how
              danger levels are calculated: whether or not a  scan  matches  a
              signature   listed   in   /etc/psad/signatures,   the  value  of
              PORT_RANGE_SCAN_THRESHOLD (see below), whether  or  not  a  scan
              comes  from  an IP that is listed in the /etc/psad/auto_dl file,
              and finally whether or not  scans  are  allowed  to  timeout  as
              determined  by SCAN_TIMEOUT above.  If a signature is matched or
              the  scanning  IP  is  listed  in  /etc/psad/auto_dl,  then  the
              corresponding  danger  level  is  automatically  assigned to the

              Defines the minimum difference between the lowest port  and  the
              highest  port  scanned before an alert is sent (the default is 1
              which means that at least two ports must be scanned to  generate
              an alert).  For example, suppose an ip repeatedly scans a single
              port for which there is  no  special  signature  in  signatures.
              Then  if  PORT_RANGE_SCAN_THRESHOLD=1,  psad  will never send an
              alert for this "scan" no matter how many packets are sent to the
              port  (i.e.  no matter what the value of DANGER_LEVEL1 is).  The
              reason for the default of 1 is that a "scan" usually means  that
              at  least two ports are probed, but if you want psad to be extra
              paranoid you can set  PORT_RANGE_SCAN_THRESHOLD=0  to  alert  on
              scans  to  single  ports  (as long as the number of packets also
              exceeds DANGER_LEVEL1).

              If "Y", psad will display all signatures detected from a  single
              scanning  IP  since  a  scan  was first detected instead of just
              displaying newly-detected  signatures.   SHOW_ALL_SIGNATURES  is
              set  to  "N"  by default.  All signatures are listed in the file

              Defines the string  kmsgsd  will  search  for  in  iptables  log
              messages that are generated by iptables rules designed to detect
              snort   rules.    The   default   is   "SID".     See    fwsnort

              Enable  dshield  alerting mode.  This will send a parsed version
              of iptables log  messages  to  which  is  a  (free)
              distributed  intrusion detection service.  For more information,

              If "Y", all TCP packets that have the ACK or RST flag  bits  set
              will  be ignored by psad since usually we see such packets being
              blocked as a result of the  iptables  connection  tracking  bug.
              Note  there  are no signatures that make use of the RST flag and
              very few that use ACK flag.

              If "Y", send email for all new bad packets instead of just  when
              a danger level increases.  ALERT_ALL is set to "Y" by default.

              Defines  the  maximum  number  of emails that will be sent for a
              single scanning IP (default is 50).   This  variable  gives  you
              some  protection  from  psad  sending  countless alerts if an IP
              scans your machine constantly.  psad will send a  special  alert
              if  an  IP has exceeded the email limit.  If PSAD_EMAIL_LIMIT is
              set to zero, then psad will ignore  the  limit  and  send  alert
              emails indefinitely for any scanning ip.

              Defines  the  danger level a scan must reach before any alert is
              sent.  This variable is set to 1 by default.

              psad has the capability of dynamically blocking all traffic from
              an  IP  that  has  reached a (configurable) danger level through
              modification of iptables  or  tcpwrapper  rulesets.   IMPORTANT:
              This  feature is disabled by default since it is possible for an
              attacker to spoof packets from a  well  known  (web)site  in  an
              effort  to  make  it  look  as  though the site is scanning your
              machine, and then psad will consequently block all access to it.
              Also,  psad  works  by parsing firewall messages for packets the
              firewall has already dropped, so the  "scans"  are  unsuccessful
              anyway.   However,  some administrators prefer to take this risk
              anyway reasoning that they can always  review  which  sites  are
              being  blocked  and  manually remove the block if necessary (see
              the --Flush option).  Your mileage will vary.

              Defines the danger level a scan  must  reach  before  psad  will
              automatically block the IP (ENABLE_AUTO_IDS must be set to "Y").


       The following examples illustrate the command line arguments that could
       be supplied to psad in a few situations:

       Signature checking, passive OS fingerprinting, and automatic IP  danger
       level  assignments are enabled by default without having to specify any
       command line arguments (best for most situations):

       # psad

       Same as above, but this time we use the init script to start psad:

       # /etc/init.d/psad start

       Use psad as a forensics tool to analyze an old iptables  logfile  (psad
       defaults  to  analyzing  the /var/log/messages file if the -m option is
       not specified):

       # psad -A -m <iptables logfile>

       Run psad in forensics mode, but limit its operations to a  specific  IP
       address "":

       # psad -A -m <iptables logfile> --analysis-fields src:

       Generate graphs of scan data using AfterGlow:

       #  psad  --CSV  --CSV-fields  src  dst  dp  --CSV-max 1000 -m <iptables
       logfile> | perl  -c  |  neato  -Tgif  -o

       The  psad.conf,  signatures,  and  auto_dl  files  are normally located
       within the /etc/psad/ directory, but the paths to each of  these  files
       can be changed:

       # psad -c <config file> -s <signatures file> -a <auto ips file>

       Disable  the firewall check and the local port lookup subroutines; most
       useful if psad is deployed on a syslog logging server:

       # psad --log-server --no-netstat

       Disable reverse dns and whois lookups of scanning  IP  addresses;  most
       useful if speed of psad is the main concern:

       # psad --no-rdns --no-whois


       psad  requires that iptables is configured with a "drop and log" policy
       for any traffic that  is  not  explicitly  allowed  through.   This  is
       consistent  with  a secure network configuration since all traffic that
       has not been explicitly allowed  should  be  blocked  by  the  firewall
       ruleset.   By  default,  psad  attempts to determine whether or not the
       firewall has been configured in this way.  This feature can be disabled
       with the --no-fwcheck or --log-server options.  The --log-server option
       is useful if psad is  running  on  a  syslog  logging  server  that  is
       separate  from  the  firewall.   For  more  information  on  compatible
       iptables rulesets, see the FW_EXAMPLE_RULES file that is  bundled  with
       the psad source distribution.

       psad  also  requires  that  syslog be configured to write all
       messages to the named pipe /var/lib/psad/psadfifo.  A simple

              echo -e ' |/var/lib/psad/psadfifo' >> /etc/syslog.conf

       will do.  Remember also to restart syslog after  the  changes  to  this


       The --debug option can be used to display crucial information about the
       psad data structures  on  STDOUT  as  a  scan  generates  firewall  log
       messages.  --debug disables daemon mode execution.

       Another  more  effective way to peer into the runtime execution of psad
       is to send (as root) a USR1 signal to the psad process which will cause
       psad    to    dump    the    contents    of    the    %Scan   hash   to
       /var/log/psad/scan_hash.$$ where $$ represents  the  pid  of  the  psad


       iptables(8),  kmsgsd(8),  psadwatchd(8), fwsnort(8), snort(8), nmap(1),
       p0f(1), gnuplot(1)


       Michael Rash <>


       Many  people  who  are  active  in  the  open  source  community   have
       contributed  to  psad.   See  the  CREDITS file in the psad sources, or
       visit to view the
       online list of contributors.


       Send  bug  reports  to  Suggestions and/or comments
       are always welcome as well.

       For iptables firewalls as  of  Linux  kernel  version  2.4.26,  if  the
       ip_conntrack  module  is  loaded  (or compiled into the kernel) and the
       firewall has been configured to keep state of connections, occasionally
       packets  that are supposed to be part of normal TCP traffic will not be
       correctly identified due to a bug in the firewall  state  timeouts  and
       hence dropped.  Such packets will then be interpreted as a scan by psad
       even though they are not part of any malicious activity.   Fortunately,
       an   interim   fix   for   this   problem   is  to  simply  extend  the
       TCP_CONNTRACK_CLOSE_WAIT           timeout           value           in
       linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c  from 60 seconds to 2
       minutes, and a set of kernel patches is included  within  the  patches/
       directory  in  the  psad  sources  to  change this.  (Requires a kernel
       recompile of course; see  the  Kernel-HOWTO.)   Also,  by  default  the
       IGNORE_CONNTRACK_BUG_PKTS  variable  is  set  to "Y" in psad.conf which
       causes psad to ignore all TCP packets that have the ACK bit set  unless
       the packets match a specific signature.


       psad is distributed under the GNU General Public License (GPL), and the
       latest version may be downloaded from: Snort
       is a registered trademark of Sourcefire, Inc.