Provided by: psad_2.4.3-1.2_amd64

NAME

       psad - The Port Scan Attack Detector

SYNOPSIS

       psad [options]

DESCRIPTION

       psad  makes  use  of  iptables  log messages to detect, alert, and (optionally) block port
       scans and other suspect traffic.  For TCP scans psad analyzes TCP flags to  determine  the
       scan  type  (syn,  fin,  xmas,  etc.) and corresponding command line options that could be
       supplied to nmap to generate such a scan.  In addition, psad makes use of many  TCP,  UDP,
       and   ICMP   signatures  contained  within  the  Snort  intrusion  detection  system  (see
       http://www.snort.org/) to detect suspicious network traffic  such  as  probes  for  common
       backdoors,  DDoS  tools,  OS  fingerprinting  attempts,  and  more.   By default psad also
       provides alerts for snort rules that are detected directly by iptables through the use  of
       a ruleset generated by fwsnort (http://www.cipherdyne.org/fwsnort/).  This enables psad to
       send alerts for application layer attacks.  psad features a  set  of  highly  configurable
       danger thresholds (with sensible defaults provided) that allow the administrator to define
       what constitutes a port scan or other suspect traffic.  Email alerts sent by psad  contain
       the  scanning  ip,  number  of packets sent to each port, any TCP, UDP, or ICMP signatures
       that have been matched (e.g. "NMAP XMAS scan"), the scanned port range, the current danger
       level  (from  1  to  5),  reverse dns info, and whois information.  psad also makes use of
       various packet header fields associated with TCP  SYN  packets  to  passively  fingerprint
       remote  operating  systems (in a manner similar to the p0f fingerprinter) from which scans
       originate.  This requires the use of the --log-tcp-options argument for  iptables  logging
       rules;  if  this  option  is not used, psad will fall back to a fingerprinting method that
       makes use of packet length, TTL and TOS values, IP ID, and TCP window sizes.

       psad reads all iptables log data by default from the /var/log/messages file.   By  parsing
       firewall  log  messages, psad is provided with data that represents packets that have been
       logged (and possibly dropped) by the running iptables policy.   In  this  sense,  psad  is
       supplied  with  a pure data stream that exclusively contains packets that the firewall has
       deemed unfit to enter the network.  psad consists of  three  daemons:  psad,  kmsgsd,  and
       psadwatchd.   psad  is responsible for processing all packets that have been logged by the
       firewall and applying the signature logic in order to determine what type of scan has been
       leveraged against the machine and/or network.  kmsgsd (deprecated) reads all messages that
       have been written to the /var/lib/psad/psadfifo named pipe and  writes  any  message  that
       matches  a  particular  regular expression (or string) to /var/log/psad/fwdata.  kmsgsd is
       only used if the ENABLE_SYSLOG_FILE variable is disabled in psad.conf.   psadwatchd  is  a
       software  watchdog  that will restart any of the other two daemons should a daemon die for
       any reason.

OPTIONS

       -A, --Analyze-msgs
              Analyze an iptables logfile for scans and exit.  This will  generate  email  alerts
              just  as a normal running psad process would have for all logged scans.  By default
              the psad data file /var/log/psad/fwdata is parsed for old scans, but any  file  can
              be  specified  through  the  use  of  the --messages-file command line option.  For
              example it might be useful to point psad at your /var/log/messages file.

       --analysis-fields <search fields>
              In --Analyze mode restrict analysis to iptables log  messages  that  have  specific
               values  for  particular  fields.  Examples include "SRC:1.2.3.4", "DST:10.0.0.0/24",
               and "TTL:64", and multiple fields are supported  as  a  comma-separated  list  like
               "SRC:1.2.3.4, LEN:44, DST:10.0.0.0/24".

       -i, --interface <interface>
              Specify  the  interface  that  psad  will  examine for iptables log messages.  This
              interface will be the IN= interface for packets that are logged in  the  INPUT  and
              FORWARD chains, and the OUT= interface for packets logged in the OUTPUT chain.

       --sig-update
              Instruct  psad  to  download  the  latest  set  of  modified  Snort signatures from
              http://www.cipherdyne.org/psad/signatures  so  that  psad  can  take  advantage  of
              signature updates before a new release is made.

       -O, --Override-config <file>
              Override config variable values that are normally read from the /etc/psad/psad.conf
              file with values from the specified file.  Multiple override config  files  can  be
              given as a comma separated list.

       -D, --Dump-conf
              Dump  the  current  psad  config to STDOUT and exit.  Various pieces of information
              such as the home network, alert email addresses, and DShield user  id  are  removed
              from the resulting output so it is safe to send to others.

       -F, --Flush
              Remove   any  auto-generated  firewall  block  rules  if  psad  was  configured  to
              automatically respond to scans (see the ENABLE_AUTO_IDS variable in psad.conf).

       -S, --Status
               Display the status of any psad processes that may or may not be running.  The status
              output  contains  a  listing  of  the number of packets that have been processed by
              psad, along with all IP addresses and corresponding danger levels that have scanned
              the network.

       --status-ip <ip>
              Display  status information associated with ip such as the protocol packet counters
              as well as the last 10 packets logged by iptables.

       --status-dl <dl>
              Display status information only for scans that have reached a danger  level  of  at
               least dl.

       --status-summary
              Instruct psad to omit detailed IP information from --Status and --Analyze modes.

       -m, --messages-file <file>
              This  option  is used to specify the file that will be parsed in analysis mode (see
              the  --Analyze-msgs  option).   The  default   path   is   the   psad   data   file
              /var/log/psad/fwdata.

       --CSV  Instruct  psad to parse iptables log messages out of /var/log/messages (by default,
              but this path can be changed with the -m option), and print the  packet  fields  on
               STDOUT  in  comma-separated value format.  This is useful for graphing iptables log
              data with AfterGlow (see http://afterglow.sourceforge.net/index.html).

       --stdin
              Acquire iptables log data from STDIN instead of the default /var/log/messages file.

       --CSV-fields <tokens>
              Instruct psad to only include a specific set of iptables log message fields  within
              the  CSV  output.   AfterGlow accepts up to three fields for its graph data, so the
              most common usage of  this  option  is  "src  dst  dp"  to  print  the  source  and
              destination IP addresses, and the destination port number.

       -K, --Kill
              Kill  the  current  psad process along with psadwatchd and kmsgsd.  This provides a
              quick and easy way to kill all psad processes without having to look in the process
              table or appeal to the psad-init script.

       -R, --Restart
              Restart  the  currently  running  psad  processes.   This  option will preserve the
              command line options that were supplied to the original psad process.

       -U, --USR1
              Send a running psad process a USR1 signal.   This  will  cause  psad  to  dump  the
              contents  of  the  %Scan  hash  to the file "/var/log/psad/scan_hash.$$" where "$$"
              represents the pid of the psad  process.   This  is  mostly  useful  for  debugging
              purposes,  but  it also allows the administrator to peer into the %Scan hash, which
              is the primary data structure used to store scan data within system memory.

       -H, --HUP
              Send all running psad daemons a HUP signal.  This will instruct the daemons to  re-
              read  their  respective configuration files without causing scan data to be lost in
              the process.

       -B, --Benchmark
              Run psad in benchmark mode.  By default benchmark mode  will  simulate  a  scan  of
              10,000  packets  (see the --packets option) and then report the elapsed time.  This
              is useful to see how fast psad can process packets on a specific machine.

       -p, --packets <packets>
              Specify the number of packets to analyze in --Analyze mode or  use  in  --Benchmark
              mode.   The  default  is  10,000  packets  in  --Benchmark  mode,  and unlimited in
              --Analyze mode.

       -d, --debug
              Run psad in debugging mode.  This will automatically prevent psad from running as a
              daemon,  and  will  print  the contents of the %Scan hash and a few other things on
              STDOUT at crucial points as psad executes.

       -c, --config <configuration-file>
               By default psad makes use of the configuration file /etc/psad/psad.conf
              for almost all configuration parameters.  psad can be made to override this path by
              specifying a different file on the command line with the --config option.

       --signatures <signatures-file>
              The iptables firewalling code included within the linux 2.4.x kernel series has the
              ability to distinguish and log any of the TCP flags present within TCP packets that
              traverse the firewall interfaces.  psad makes use of  this  logging  capability  to
              detect  several  types of TCP scan signatures included within /etc/psad/signatures.
              The signatures were  originally  included  within  the  snort  intrusion  detection
              system.   New  signatures  can be included and modifications to existing signatures
              can be made to the signature file and psad will import the changes upon receiving a
              HUP  signal  (see the --HUP command line option) without having to restart the psad
              process.  psad also detects many UDP  and  ICMP  signatures  that  were  originally
              included within snort.

       -e, --email-analysis
              Send  alert  emails  when run in --Analyze-msgs mode.  Depending on the size of the
              iptables logfile, using the --email-analysis option could  extend  the  runtime  of
              psad  by  quite  a  bit  since  normally  both DNS and whois lookups will be issued
              against each scanning IP address.  As usual these lookups can be disabled with  the
              --no-rdns and --no-whois options respectively.

       -w, --whois-analysis
              By  default  psad does not issue whois lookups when running in --Analyze-msgs mode.
              The --whois-analysis option will override this behavior (when run in analysis mode)
              and  instruct  psad to issue whois lookups against IP addresses from which scans or
              other suspect traffic has originated.

       --analysis-auto-block
              Enable auto-blocking responses when running in --Analyze-msgs mode.  This is mostly
              useful  only  for  the  psad test suite when auto-blocking responses are tested and
              verified.

       --snort-type <type>
              Restrict the type of snort sids to type.  Allowed types match the file names  given
              to snort rules files such as "ddos", "backdoor", and "web-attacks".

       --snort-rdir <snort-rules-directory>
              Manually  specify  the  directory  where  the  snort  rules files are located.  The
              default is /etc/psad/snort_rules.

       --passive-os-sigs <passive-os-sigs-file>
              Manually specify the path to the passive operating system fingerprinting signatures
              file.  The default is /etc/psad/posf.

       --auto-dl <auto-dl-file>
              Occasionally  certain IP addresses are repeat offenders and should automatically be
              given a higher danger level than would normally be assigned.  Additionally, some IP
              addresses  can  always  be  ignored  depending  on  your network configuration (the
              loopback  interface  127.0.0.1  might   be   a   good   candidate   for   example).
              /etc/psad/auto_dl    provides    an    interface    for   psad   to   automatically
              increase/decrease/ignore scanning IP danger levels.  Modifications can be  made  to
              auto_dl  (installed  by  default in /etc/psad) and psad will import them with 'psad
              -H' or by restarting the psad process.

       --fw-search <fw_search-file>
               By default psad makes use of  the  firewall  search  configuration  file
              /etc/psad/fw_search.conf  for firewall search mode and search strings.  psad can be
              made to override this path by specifying a different file on the command line  with
              the --fw-search option.

       --fw-list-auto
              List all rules in iptables chains that are used by psad in auto-blocking mode.

       --fw-analyze
              Analyze  the  local iptables ruleset, send any alerts if errors are discovered, and
              then exit.

       --fw-del-chains
              By default, if ENABLE_AUTO_IDS is set  to  "Y"  psad  will  not  delete  the  auto-
              generated  iptables  chains  (see  the IPT_AUTO_CHAIN keywords in psad.conf) if the
              --Flush option is given.  The --fw-del-chains option overrides  this  behavior  and
              deletes the auto-blocking chains from a running iptables firewall.

       --fw-dump
              Instruct  psad  to  dump the contents of the iptables policy that is running on the
              local system.  All IP addresses are removed from the resulting  output,  so  it  is
              safe to post to the psad list, or communicate to others.  This option is most often
              used with --Dump-conf.

       --fw-block-ip <ip>
              Specify an IP address or network to add to the iptables  controls  that  are  auto-
              generated by psad.  This allows psad to manage the rule timeouts.

       --fw-rm-block-ip <ip>
              Specify  an  IP  address  or  network to remove from the iptables controls that are
              auto-generated by psad.

       --fw-file <policy-file>
              Analyze the iptables ruleset contained within policy-file instead  of  the  ruleset
              currently loaded on the local system.

       --CSV-regex <regex>
              Instruct  psad  to only print CSV data that matches the supplied regex.  This regex
              is used to match against each of the entire iptables log messages.

       --CSV-neg-regex <regex>
              Instruct psad to only print CSV data that does not match the supplied regex.   This
              regex is used to negatively match against each of the entire iptables log messages.

       --CSV-uniq-lines
              Instruct  psad  to only print unique CSV data.  That is, each line printed in --CSV
              mode will be unique.

       --CSV-max-lines <num>
              Limit the number of CSV-formatted lines that psad generates  on  STDOUT.   This  is
              useful to allow AfterGlow graphs to be created that are not too cluttered.

       --CSV-start-line <num>
              Specify  the beginning line number to start parsing out of the iptables log file in
              --CSV output mode.  This is useful for when the log file is  extremely  large,  and
              you  want  to begin parsing a specific place within the file.  The default is begin
              parsing at the beginning of the file.

       --CSV-end-line <num>
              Specify the ending line number to stop parsing  the  iptables  log  file  in  --CSV
              output  mode.   This is useful for when the log file is extremely large, and you do
              not want psad to process the entire thing.
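       The following is an added illustration (not psad's own parser) of how the --CSV*,
       --analysis-fields and --stdin options described above operate on iptables log
       lines: it extracts the KEY=VALUE fields and TCP flags from each message, applies the
       regex, line-range, uniqueness and field filters, and emits "src,dst,dp" rows.  The
       log lines are constructed for the example.

```python
"""Parse iptables log lines into psad-style fields and emit CSV rows.

Added illustration of the --CSV*, --analysis-fields and --stdin behaviour;
this is not psad's own parser. The log lines below are constructed.
"""
import ipaddress
import re

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# The text between "kernel:" (plus an optional [uptime] stamp) and "IN=" is the
# iptables --log-prefix string ("DROP" in the sample lines).
LOG_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<prefix>.*?)\s*IN=")

SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: [ 812.441] DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 gw kernel: [ 812.442] DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: [ 813.100] DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=40
Mar  3 10:15:04 gw sshd[2201]: Accepted publickey for ops from 192.0.2.20 port 51022 ssh2
"""
LINES = SAMPLE_LOG.splitlines()


def parse_ipt_log(line):
    """Return lower-case fields (src, dst, proto, dp, sp, len, ttl, ...) or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None  # not an iptables message; psad would treat it as an error line
    pkt = {"prefix": m.group("prefix").strip()}
    flags = []
    for tok in line[m.start():].split():
        key, sep, val = tok.partition("=")
        if sep:
            # keep the first occurrence: UDP lines carry a second LEN= for the UDP header
            pkt.setdefault(key.lower(), val)
        elif tok in TCP_FLAGS:
            flags.append(tok)
    pkt["flags"] = " ".join(flags)
    # psad's CSV token names for the port fields are dp and sp
    pkt["dp"] = pkt.get("dpt", "")
    pkt["sp"] = pkt.get("spt", "")
    return pkt


def matches_fields(pkt, spec):
    """--analysis-fields style filter, e.g. "SRC:203.0.113.0/24, TTL:52"; all must match."""
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, want = item.partition(":")
        have = pkt.get(name.lower())
        if have is None:
            return False
        if "/" in want:  # CIDR comparison for address fields
            try:
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                    return False
            except ValueError:
                return False
        elif have != want:
            return False
    return True


def to_csv(lines, fields=("src", "dst", "dp"), regex=None, neg_regex=None, uniq=False,
           max_lines=None, start_line=1, end_line=None, analysis_fields=None):
    """Emit CSV rows following the --CSV* option semantics (line numbers are 1-based)."""
    rows, seen = [], set()
    for lineno, line in enumerate(lines, start=1):
        if lineno < start_line or (end_line is not None and lineno > end_line):
            continue                                    # --CSV-start-line / --CSV-end-line
        if regex and not re.search(regex, line):        # --CSV-regex
            continue
        if neg_regex and re.search(neg_regex, line):    # --CSV-neg-regex
            continue
        pkt = parse_ipt_log(line)
        if pkt is None:
            continue
        if analysis_fields and not matches_fields(pkt, analysis_fields):
            continue
        row = ",".join(pkt.get(f, "") for f in fields)  # --CSV-fields
        if uniq:                                        # --CSV-uniq-lines
            if row in seen:
                continue
            seen.add(row)
        rows.append(row)
        if max_lines is not None and len(rows) >= max_lines:  # --CSV-max-lines
            break
    return rows


if __name__ == "__main__":
    import sys
    # Mirrors "--stdin --CSV --CSV-fields 'src dst dp'": read log data from STDIN.
    source = sys.stdin if not sys.stdin.isatty() else LINES
    print("\n".join(to_csv(source)))
```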

       --gnuplot
              Enter into Gnuplot mode whereby psad parses an iptables logfile  and  creates  .gnu
              and  .dat  files  that  are  suitable for graphing with Gnuplot.  The various --CSV
              command line arguments apply to plotting iptables log with Gnuplot.

       --gnuplot-template <file>
              Use a template file for all Gnuplot graphing directives (this  is  usually  a  .gnu
              file  by convention).  Normally psad builds all of the graphing directives based on
              various --gnuplot command line arguments, but the --gnuplot-template switch  allows
              you to override this behavior.

       --gnuplot-file-prefix <file>
              Specify a prefix for the .gnu, .dat, and .png files that are generated in --gnuplot
              mode.  So, when visualizing attacks captured in an iptables logfile (let's say  you
              are  interested  in  port scans), you could use this option to have psad create the
              two files portscan.dat, portscan.gnu, and Gnuplot will create  an  additional  file
              portscan.png when the portscan.gnu file is loaded.

       --gnuplot-x-label <label>
              Set the label associated with the x-axis.

       --gnuplot-x-range <range>
              Set the x-axis range.

       --gnuplot-y-label <label>
              Set the label associated with the y-axis.

       --gnuplot-y-range <range>
              Set the y-axis range.

       --gnuplot-z-label <label>
              Set the label associated with the z-axis (only if --gnuplot-3D is used).

       --gnuplot-z-range <range>
               Set the z-axis range (only if --gnuplot-3D is used).

       --gnuplot-3D
              Generate a Gnuplot splot graph.  This produces a three-dimensional graph.

       --gnuplot-view
              Set the viewing angle when graphing data in --gnuplot-3D mode.

       --gnuplot-title <title>
              Set the graph title for the Gnuplot graph.

       -I, --Interval <seconds>
              Specify  the  interval  (in  seconds)  that psad should use to check whether or not
              packets have been logged by the firewall.  psad will use the default of 15  seconds
              unless a different value is specified.

       -l, --log-server
              This  option  should  be used if psad is being executed on a syslog logging server.
              Running  psad  on  a  logging  server  requires  that  check_firewall_rules()   and
              auto_psad_response()  not  be executed since the firewall is probably not being run
              locally.

       -V, --Version
              Print the psad version and exit.

       --no-daemon
              Do not run psad as a daemon.  This  option  will  display  scan  alerts  on  STDOUT
              instead of emailing them out.

       --no-ipt-errors
              Occasionally  iptables  messages written by syslog to /var/log/messages seem to not
              conform to the normal firewall logging format if the kernel  ring  buffer  used  by
               klogd becomes full.  psad will write these messages to /var/log/psad/errs/fwerrorlog
              by default.  Passing the --no-ipt-errors option will  make  psad  ignore  all  such
              erroneous firewall messages.

       --no-whois
              By  default  psad  will  issue  a  whois query against any IP from which a scan has
              originated, but this can be disabled with the --no-whois command line argument.

       --no-fwcheck
              psad performs a rudimentary check of  the  firewall  ruleset  that  exists  on  the
              machine  on  which  psad is deployed to determine whether or not the firewall has a
              compatible configuration (i.e.  iptables  has  been  configured  to  log  packets).
              Passing the --no-fwcheck or --log-server options will disable this check.

       --no-auto-dl
               Disable  auto  danger  level  assignments.  This will instruct psad not to import any IP
              addresses or networks from the file /etc/psad/auto_dl.

       --no-snort-sids
              Disable snort sid processing mode.  This will instruct psad  to  not  import  snort
               rules (for snort SID matching in a policy generated by fwsnort).

       --no-signatures
              Disable  psad  signature  processing.   Note  that this is independent of snort SID
              matching in iptables messages generated by fwsnort and also from the ICMP type/code
              validation routines.

       --no-icmp-types
              Disable ICMP type and code field validation.

       --no-passive-os
              By  default  psad  will  attempt  to  passively  (i.e. without sending any packets)
              fingerprint the remote operating system from which a scan originates.  Passing  the
              --no-passive-os option will disable this feature.

       --no-rdns
              psad  normally attempts to find the name associated with a scanning IP address, but
              this feature can be disabled with the --no-rdns command line argument.

       --no-kmsgsd
              Disable startup  of  kmsgsd.   This  option  is  most  useful  for  debugging  with
              individual  iptables  messages  so  that  new  messages  are  not  appended  to the
              /var/log/psad/fwdata file.

       --no-netstat
              By default for iptables firewalls psad will determine whether or not  your  machine
              is  listening  on  a  port  for which a TCP signature has been matched.  Specifying
              --no-netstat disables this feature.

       -h, --help
              Print a page of usage information for psad and exit.

FILES

       /etc/psad/psad.conf
              The main psad configuration file which contains configuration  variables  mentioned
              in the section below.

       /etc/psad/fw_search.conf
              Used  to  configure  the  strategy  both  psad  and kmsgsd employ to parse iptables
               messages.  Using configuration directives within this file, psad can  be  configured
              to parse all iptables messages or only those that match specific log prefix strings
              (see the --log-prefix option to iptables).

       /etc/psad/signatures
              Contains the signatures psad uses to recognize nasty traffic.  The  signatures  are
              written in a manner similar to the *lib signature files used in the snort IDS.

       /etc/psad/icmp_types
              Contains  all  valid  ICMP types and corresponding codes as defined by RFC 792.  By
              default, ICMP packets are validated against these  values  and  an  alert  will  be
              generated if a non-matching ICMP packet is logged by iptables.

       /etc/psad/snort_rules/*.rules
              Snort  rules files that are consulted by default unless the --no-snort-sids command
              line argument is given.

       /etc/psad/auto_dl
              Contains a listing of any IP addresses that should be assigned a danger level based
              on any traffic that is logged by the firewall.  The syntax is "<IP address> <danger
              level>" where <danger level> is an integer from 0 to 5, with 0  meaning  to  ignore
              all  traffic  from <IP address>, and 5 is to assign the highest danger level to <IP
              address>.

       /etc/psad/posf
              Contains a listing of  all  passive  operating  system  fingerprinting  signatures.
              These  signatures  include  packet  lengths,  ttl,  tos, IP ID, and TCP window size
              values that are specific to various operating systems.

PSAD CONFIGURATION VARIABLES

       This section describes what each of the more important psad configuration variables do and
       how  they  can be tuned to meet your needs.  Most of the variables are located in the psad
       configuration file /etc/psad/psad.conf but the FW_SEARCH_ALL and  FW_MSG_SEARCH  variables
       are  located  in  the  file  /etc/psad/fw_search.conf.  Each variable is assigned sensible
       defaults for most network architectures during the install process.  More  information  on
       psad config keywords may be found at: http://www.cipherdyne.org/psad/config.html

       EMAIL_ADDRESSES
              Contains  a  comma-separated  list of email addresses to which email alerts will be
              sent.  The default is "root@localhost".

       HOSTNAME
              Defines the hostname of the machine on which psad is running. This will be used  in
              the email alerts generated by psad.

       HOME_NET
              Define  the  internal network(s) that are connected to the local system.  This will
              be used in the signature matching code to determine whether traffic  matches  snort
              rules,  which  invariably  contain  a  source  and  destination  network.  Multiple
              networks are supported as a comma  separated  list,  and  each  network  should  be
              specified  in  CIDR  notation.   Normally  the network(s) contained in the HOME_NET
              variable should be directly connected to the machine that is running psad.

       IMPORT_OLD_SCANS
              Preserve scan data across restarts of psad or even across reboots of  the  machine.
              This  is  accomplished by importing the data contained in the filesystem cache psad
              writes to during normal operation  back  into  memory  as  psad  is  started.   The
               filesystem cache data is contained within the directory /var/log/psad.

       FW_SEARCH_ALL
              Defines  the  search  mode  psad  uses  to  parse  iptables  messages.   By default
              FW_SEARCH_ALL is set to "Y" since  normally  most  people  want  all  iptables  log
              messages  to be parsed for scan activity.  However, if FW_SEARCH_ALL is set to "N",
              psad will only parse those iptables log messages that match certain search  strings
              that  appear  in  iptables  logs  with the --log-prefix option.  This is useful for
              restricting psad to only operate on specific iptables chains or rules.  The strings
              that  will be searched for are defined with the FW_MSG_SEARCH variable (see below).
              The FW_SEARCH_ALL variable is defined in the file /etc/psad/fw_search.conf since it
              is referenced by both psad and kmsgsd.

       FW_MSG_SEARCH
              Defines  a  set of search strings that psad uses to identify iptables messages that
              should be parsed for scan activity.  These search  strings  should  match  the  log
              prefix  strings specified in the iptables ruleset with the --log-prefix option, and
              the default value for FW_MSG_SEARCH is "DROP".  Note that psad normally parses  all
              iptables   messages,   and   so  the  FW_MSG_SEARCH  variable  is  only  needed  if
              FW_SEARCH_ALL (see above) is set to "N".  The FW_MSG_SEARCH variable is  referenced
              by both psad and kmsgsd so it lives in the file /etc/psad/fw_search.conf.

       SYSLOG_DAEMON
              Define  the  specific syslog daemon that psad should interface with.  Psad supports
              three syslog daemons: syslogd,  syslog-ng,  and  metalog.   The  default  value  of
              SYSLOG_DAEMON is syslogd.

       IGNORE_PORTS
              Specify  a  list of port ranges and/or individual ports and corresponding protocols
               that psad should completely ignore.  This is particularly useful  for  ignoring  ports
              that   are   used   as   a   part  of  a  port  knocking  scheme  (such  as  fwknop
              http://www.cipherdyne.org/fwknop/)  for  network  authentication  since  such   log
              messages  generated  by  the knock sequence may otherwise be interpreted as a scan.
              Multiple ports and/or port ranges may be specified as a comma-separated list,  e.g.
              "tcp/22, tcp/61000-61356, udp/53".

       ENABLE_PERSISTENCE
              If "Y", psad will keep all scans in memory and not let them timeout.  This can help
              discover stealthy scans where an attacker tries to slip beneath IDS  thresholds  by
              only scanning a few ports over a long period of time.  ENABLE_PERSISTENCE is set to
              "Y" by default.

       SCAN_TIMEOUT
              If ENABLE_PERSISTENCE is "N" then psad will use the value set  by  SCAN_TIMEOUT  to
              remove packets from the scan threshold calculation.  The default is 3600 seconds (1
              hour).

       DANGER_LEVEL{1,2,3,4,5}
               psad uses a  scoring  system  to  keep  track  of  the  severity  a  scan  reaches
              (represented  as a "danger level") over time.  The DANGER_LEVEL{n} variables define
              the number of packets that must be dropped by the firewall before psad will  assign
              the  respective  danger  level  to  the scan.  A scan may also be assigned a danger
              level if the scan matches a particular signature contained in the signatures  file.
              There  are  five  possible  danger  levels  with  one being the lowest and five the
              highest.  Note there are several factors that can influence how danger  levels  are
              calculated:   whether   or   not   a   scan   matches   a   signature   listed   in
              /etc/psad/signatures, the value of PORT_RANGE_SCAN_THRESHOLD (see  below),  whether
              or  not  a  scan comes from an IP that is listed in the /etc/psad/auto_dl file, and
              finally whether or not scans are allowed to timeout as determined  by  SCAN_TIMEOUT
              above.    If   a   signature   is   matched   or  the  scanning  IP  is  listed  in
              /etc/psad/auto_dl, then the corresponding danger level is automatically assigned to
              the scan.

       PORT_RANGE_SCAN_THRESHOLD
              Defines the minimum difference between the lowest port and the highest port scanned
              before an alert is sent (the default is 1 which means that at least two ports  must
              be  scanned  to  generate an alert).  For example, suppose an ip repeatedly scans a
              single port for which there  is  no  special  signature  in  signatures.   Then  if
              PORT_RANGE_SCAN_THRESHOLD=1,  psad  will  never  send  an  alert for this "scan" no
              matter how many packets are sent to the port (i.e.  no matter  what  the  value  of
              DANGER_LEVEL1  is).  The reason for the default of 1 is that a "scan" usually means
              that at least two ports are probed, but if you want psad to be extra  paranoid  you
              can  set  PORT_RANGE_SCAN_THRESHOLD=0 to alert on scans to single ports (as long as
              the number of packets also exceeds DANGER_LEVEL1).
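       The following is an added worked illustration (not psad's own scoring code) of how
       the IGNORE_PORTS, DANGER_LEVEL{n}, PORT_RANGE_SCAN_THRESHOLD and auto_dl settings
       described above interact for a stream of dropped packets.  The packet thresholds,
       auto_dl entries and packet stream are constructed for the example.

```python
"""Worked illustration of how the danger-level knobs described above interact.

Added example, not psad's scoring code: it applies IGNORE_PORTS, the
PORT_RANGE_SCAN_THRESHOLD rule, the DANGER_LEVEL{n} packet thresholds and
auto_dl overrides to a constructed packet stream. Threshold values and
auto_dl entries are assumed for the example.
"""
from dataclasses import dataclass, field

# Packet counts needed to reach each danger level (constructed values; psad.conf has its own).
DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}
PORT_RANGE_SCAN_THRESHOLD = 1          # default: at least two distinct ports
IGNORE_PORTS = "tcp/22, tcp/61000-61356, udp/53"
# Constructed auto_dl entries: 0 ignores the host, 1-5 assigns that level outright.
AUTO_DL = {"127.0.0.1": 0, "203.0.113.99": 4}


def parse_ignore_ports(spec):
    """Turn "tcp/22, tcp/61000-61356, udp/53" into a set of (proto, low, high)."""
    ranges = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        proto, ports = item.split("/", 1)
        low, _, high = ports.partition("-")
        ranges.add((proto.lower(), int(low), int(high or low)))
    return ranges


def is_ignored_port(proto, port, ranges):
    return any(p == proto.lower() and low <= port <= high for p, low, high in ranges)


@dataclass
class ScanState:
    packets: int = 0
    ports: set = field(default_factory=set)


def danger_level(src, state, levels=DANGER_LEVELS, auto_dl=AUTO_DL,
                 port_range_threshold=PORT_RANGE_SCAN_THRESHOLD):
    """Return 0 (no alert) or the danger level 1-5 for one scanning source."""
    if src in auto_dl:
        return auto_dl[src]          # auto_dl wins regardless of packet counts
    if not state.ports:
        return 0
    if max(state.ports) - min(state.ports) < port_range_threshold:
        return 0                     # one port hammered repeatedly: no alert at threshold 1
    level = 0
    for dl, needed in sorted(levels.items()):
        if state.packets >= needed:
            level = dl
    return level


def track(packets, ignore_spec=IGNORE_PORTS):
    """packets: iterable of (src, proto, dport) dropped by the firewall; returns {src: level}."""
    ranges = parse_ignore_ports(ignore_spec)
    states = {}
    for src, proto, dport in packets:
        if is_ignored_port(proto, dport, ranges):
            continue                 # never counted, so a knock sequence cannot look like a scan
        st = states.setdefault(src, ScanState())
        st.packets += 1
        st.ports.add(dport)
    return {src: danger_level(src, st) for src, st in states.items()}


# Constructed packet stream for the example.
SAMPLE_PACKETS = (
    [("198.51.100.7", "tcp", p) for p in range(20, 40)]         # 20 packets across 20 ports
    + [("198.51.100.8", "tcp", 80)] * 30                         # 30 packets to one port
    + [("198.51.100.9", "tcp", p) for p in range(61001, 61005)]  # knock ports: ignored
    + [("198.51.100.9", "tcp", 443)] * 2 + [("198.51.100.9", "tcp", 8080)] * 2
    + [("203.0.113.99", "udp", 25)]                              # auto_dl repeat offender
    + [("127.0.0.1", "tcp", 9000), ("127.0.0.1", "tcp", 9001)]   # auto_dl 0: ignored
)

if __name__ == "__main__":
    for src, level in sorted(track(SAMPLE_PACKETS).items()):
        print(f"{src:15} danger level {level}")
```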

       SHOW_ALL_SIGNATURES
              If "Y", psad will display all signatures detected from a single scanning IP since a
              scan  was  first  detected  instead  of  just displaying newly-detected signatures.
              SHOW_ALL_SIGNATURES is set to "N" by default.  All signatures  are  listed  in  the
              file /etc/psad/signatures.

       SNORT_SID_STR
              Defines  the  string  kmsgsd  will  search  for  in  iptables log messages that are
              generated by iptables rules designed to detect snort rules.  The default is  "SID".
              See fwsnort (http://www.cipherdyne.org/fwsnort/).

       ENABLE_DSHIELD_ALERTS
              Enable  dshield  alerting  mode.   This  will send a parsed version of iptables log
              messages to dshield.org which is a (free) distributed intrusion detection  service.
              For more information, see http://www.dshield.org/

       IGNORE_CONNTRACK_BUG_PKTS
              If "Y", all TCP packets that have the ACK or RST flag bits set will be ignored by
              psad, since such packets are usually blocked as a result of the iptables
              connection tracking bug.  Note there are no signatures that make use of the RST
              flag and very few that use the ACK flag.

       ALERT_ALL
              If "Y", send email for all new bad packets instead of  just  when  a  danger  level
              increases.  ALERT_ALL is set to "Y" by default.

       PSAD_EMAIL_LIMIT
              Defines the maximum number of emails that will be sent for a single scanning IP
              (default is 50).  This variable gives you some protection from psad sending
              countless alerts if an IP scans your machine constantly.  psad will send a special
              alert if an IP has exceeded the email limit.  If PSAD_EMAIL_LIMIT is set to zero,
              then psad will ignore the limit and send alert emails indefinitely for any scanning
              IP.

       EMAIL_ALERT_DANGER_LEVEL
              Defines the danger level a scan must reach before any alert is sent.  This variable
              is set to 1 by default.

       ENABLE_AUTO_IDS
              psad  has  the  capability  of dynamically blocking all traffic from an IP that has
              reached  a  (configurable)  danger  level  through  modification  of  iptables   or
              tcpwrapper  rulesets.   IMPORTANT:  This feature is disabled by default since it is
              possible for an attacker to spoof packets from a well known (web)site in an  effort
              to  make  it  look  as though the site is scanning your machine, and then psad will
              consequently block all access to it.  Also, psad works by parsing firewall messages
              for  packets  the  firewall  has  already  dropped, so the "scans" are unsuccessful
              anyway.  However, some administrators prefer to take  this  risk  anyway  reasoning
              that  they  can always review which sites are being blocked and manually remove the
              block if necessary (see the --Flush option).  Your mileage will vary.

       AUTO_IDS_DANGER_LEVEL
              Defines the danger level a scan must reach before psad will automatically block the
              IP (ENABLE_AUTO_IDS must be set to "Y").
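The following Python model is an added illustration, not psad's own (Perl) code, of how the variables described above (PORT_RANGE_SCAN_THRESHOLD, IGNORE_CONNTRACK_BUG_PKTS, EMAIL_ALERT_DANGER_LEVEL, PSAD_EMAIL_LIMIT, ENABLE_AUTO_IDS and AUTO_IDS_DANGER_LEVEL) combine into an alert or block decision.  It replays constructed iptables log lines grouped by source IP.  The packet-count-to-danger-level table, the danger level given to the "NMAP XMAS scan" signature, the exact log line layout, and the way the email limit is counted are all assumptions made for the example; the values in your psad.conf and /etc/psad/signatures are authoritative.

```python
"""Model of psad's threshold logic over constructed iptables log lines.

Added example, not psad's own code.  Every configuration value below is an
assumption chosen for illustration; check them against your psad.conf.
"""
import re
from collections import defaultdict

# Assumed psad.conf-style settings (names from the man page, values assumed).
CONFIG = {
    "PORT_RANGE_SCAN_THRESHOLD": 1,
    "DANGER_LEVEL_PKTS": {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000},  # assumed
    "IGNORE_CONNTRACK_BUG_PKTS": True,
    "EMAIL_ALERT_DANGER_LEVEL": 1,
    "PSAD_EMAIL_LIMIT": 50,
    "ENABLE_AUTO_IDS": True,
    "AUTO_IDS_DANGER_LEVEL": 3,
}
AUTO_DL = {}        # stand-in for /etc/psad/auto_dl: {ip: danger_level}
XMAS_SIG_DL = 3     # assumed danger level of the "NMAP XMAS scan" signature

KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_WORDS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of an iptables log line plus a FLAGS set."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in FLAG_WORDS}
    return fields


def match_signature(pkt):
    """Tiny stand-in for /etc/psad/signatures: only the XMAS flag check."""
    if pkt.get("PROTO") == "TCP" and {"FIN", "PSH", "URG"} <= pkt["FLAGS"]:
        return ("NMAP XMAS scan", XMAS_SIG_DL)
    return None


def pkt_count_level(npkts, cfg):
    """Highest danger level whose (assumed) packet threshold is reached."""
    level = 0
    for lvl, threshold in sorted(cfg["DANGER_LEVEL_PKTS"].items()):
        if npkts >= threshold:
            level = lvl
    return level


def analyze(lines, cfg=CONFIG, auto_dl=AUTO_DL):
    """Group packets by SRC and apply the man page's alert/block rules."""
    scans = defaultdict(lambda: {"pkts": 0, "ports": set(), "sigs": set()})
    for line in lines:
        pkt = parse_iptables_line(line)
        if pkt is None:
            continue
        sig = match_signature(pkt)
        # IGNORE_CONNTRACK_BUG_PKTS: skip ACK/RST packets unless a signature hit
        if cfg["IGNORE_CONNTRACK_BUG_PKTS"] and sig is None \
                and pkt["FLAGS"] & {"ACK", "RST"}:
            continue
        s = scans[pkt["SRC"]]
        s["pkts"] += 1
        if "DPT" in pkt:
            s["ports"].add(int(pkt["DPT"]))
        if sig:
            s["sigs"].add(sig)

    results = {}
    for src, s in scans.items():
        dl = pkt_count_level(s["pkts"], cfg)
        for _, sig_dl in s["sigs"]:            # signature match assigns its level
            dl = max(dl, sig_dl)
        dl = max(dl, auto_dl.get(src, 0))      # auto_dl entry assigns its level
        port_range = max(s["ports"]) - min(s["ports"]) if s["ports"] else 0
        # A single-port probe with no signature never alerts when threshold is 1
        wide_enough = port_range >= cfg["PORT_RANGE_SCAN_THRESHOLD"] or bool(s["sigs"])
        alert = wide_enough and dl >= max(1, cfg["EMAIL_ALERT_DANGER_LEVEL"])
        block = alert and cfg["ENABLE_AUTO_IDS"] and dl >= cfg["AUTO_IDS_DANGER_LEVEL"]
        results[src] = {"danger_level": dl, "packets": s["pkts"],
                        "port_range": port_range,
                        "signatures": sorted(name for name, _ in s["sigs"]),
                        "alert": alert, "auto_block": block}
    return results


def should_email(sent_so_far, cfg):
    """PSAD_EMAIL_LIMIT model: 0 is unlimited; otherwise `limit` alerts are
    sent, then one final 'limit exceeded' notice, then nothing more."""
    limit = cfg["PSAD_EMAIL_LIMIT"]
    if limit == 0 or sent_so_far < limit:
        return "alert"
    return "limit-exceeded" if sent_so_far == limit else None


def _mk(src, dpt, flags, ident):
    """Build one constructed iptables log line in the usual DROP-and-log form."""
    return ("Sep 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=%s DST=192.168.1.10 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=%d PROTO=TCP SPT=%d DPT=%d "
            "WINDOW=1024 RES=0x00 %s URGP=0" % (src, ident, 40000 + ident, dpt, flags))


# Constructed sample log: a multi-port SYN scan, a single-port hammering,
# one XMAS packet, and ACK-only packets typical of the conntrack bug.
SAMPLE_LOG = (
    [_mk("10.1.1.1", p, "SYN", i) for i, p in enumerate([22, 23, 25, 80, 443, 8080])]
    + [_mk("10.2.2.2", 22, "SYN", 100 + i) for i in range(10)]
    + [_mk("10.3.3.3", 80, "FIN PSH URG", 200)]
    + [_mk("10.4.4.4", 80, "ACK", 300 + i) for i in range(6)]
)

if __name__ == "__main__":
    for src, res in analyze(SAMPLE_LOG).items():
        print(src, res)
```

Running the block shows 10.1.1.1 at danger level 1 with an alert but no block, 10.2.2.2 with ten packets to one port and no alert (the exact case the PORT_RANGE_SCAN_THRESHOLD text describes; rerun with the threshold set to 0 and it alerts), 10.3.3.3 alerted and blocked on the signature alone, and 10.4.4.4 absent because its ACK-only packets were dropped by IGNORE_CONNTRACK_BUG_PKTS before counting.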

EXAMPLES

       The  following  examples  illustrate  the command line arguments that could be supplied to
       psad in a few situations:

       Signature checking, passive OS fingerprinting, and automatic IP danger  level  assignments
       are enabled by default without having to specify any command line arguments (best for most
       situations):

       # psad

       Same as above, but this time we use the init script to start psad:

       # /etc/init.d/psad start

       Use psad as a forensics tool  to  analyze  an  old  iptables  logfile  (psad  defaults  to
       analyzing the /var/log/messages file if the -m option is not specified):

       # psad -A -m <iptables logfile>

       Run psad in forensics mode, but limit its operations to a specific IP address "10.1.1.1":

       # psad -A -m <iptables logfile> --analysis-fields src:10.1.1.1

       Generate graphs of scan data using AfterGlow:

       # psad --CSV --CSV-fields src dst dp --CSV-max 1000 -m <iptables logfile> | perl
       afterglow.pl -c color.properties | neato -Tgif -o iptables_graph.gif

       The psad.conf, signatures, and auto_dl files are normally located  within  the  /etc/psad/
       directory, but the paths to each of these files can be changed:

       # psad -c <config file> -s <signatures file> -a <auto ips file>

       Disable  the  firewall check and the local port lookup subroutines; most useful if psad is
       deployed on a syslog logging server:

       # psad --log-server --no-netstat

       Disable reverse dns and whois lookups of scanning IP addresses; most useful  if  speed  of
       psad is the main concern:

       # psad --no-rdns --no-whois

DEPENDENCIES

       psad  requires  that  iptables  is configured with a "drop and log" policy for any traffic
       that is not explicitly  allowed  through.   This  is  consistent  with  a  secure  network
       configuration  since all traffic that has not been explicitly allowed should be blocked by
       the firewall ruleset.  By default, psad attempts to determine whether or not the  firewall
       has  been  configured  in this way.  This feature can be disabled with the --no-fwcheck or
       --log-server options.  The --log-server option is useful if psad is running  on  a  syslog
       logging  server  that  is  separate from the firewall.  For more information on compatible
       iptables rulesets, see the FW_EXAMPLE_RULES file that is  bundled  with  the  psad  source
       distribution.

       psad by default parses the /var/log/messages file for all iptables log data.

DIAGNOSTICS

       The  --debug  option  can  be  used  to  display  crucial  information about the psad data
       structures on STDOUT as a scan generates firewall log messages.  --debug  disables  daemon
       mode execution.

       Another more effective way to peer into the runtime execution of psad is to send (as root)
       a USR1 signal to the psad process which will cause psad to dump the contents of the  %Scan
       hash to /var/log/psad/scan_hash.$$ where $$ represents the pid of the psad process.

SEE ALSO

       iptables(8), kmsgsd(8), psadwatchd(8), fwsnort(8), snort(8), nmap(1), p0f(1), gnuplot(1)

AUTHOR

       Michael Rash <mbr@cipherdyne.org>

CONTRIBUTORS

       Many people who are active in the open source community have contributed to psad.  See the
       CREDITS file in the psad sources, or visit
       http://www.cipherdyne.org/psad/docs/contributors.html to view the online list of
       contributors.

BUGS

       Send bug reports to mbr@cipherdyne.org.  Suggestions and/or comments are always welcome as
       well.

       For  iptables  firewalls  as of Linux kernel version 2.4.26, if the ip_conntrack module is
       loaded (or compiled into the kernel) and the firewall has been configured to keep state of
       connections,  occasionally packets that are supposed to be part of normal TCP traffic will
       not be correctly identified due to a bug in the firewall state timeouts and hence dropped.
       Such  packets  will then be interpreted as a scan by psad even though they are not part of
       any malicious activity.  Fortunately, an interim fix for this problem is to simply extend
       the TCP_CONNTRACK_CLOSE_WAIT timeout value in
       linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c from 60 seconds to 2 minutes, and a set
       of kernel patches is included within the patches/ directory in the psad sources to change
       this.  (Requires a kernel recompile of course; see the Kernel-HOWTO.)  Also, by default
       the IGNORE_CONNTRACK_BUG_PKTS variable is set to "Y" in psad.conf which causes psad to
       ignore all TCP packets that have the ACK bit set unless the packets match a specific
       signature.

DISTRIBUTION

       psad is distributed under the GNU General Public License (GPL), and the latest version may
       be downloaded from: http://www.cipherdyne.org/

       Snort is a registered trademark of Sourcefire, Inc.