Provided by: psad_2.2.3-1_amd64 
NAME
psad - The Port Scan Attack Detector
SYNOPSIS
psad [options]
DESCRIPTION
psad makes use of iptables log messages to detect, alert, and (optionally) block port
scans and other suspect traffic. For TCP scans psad analyzes TCP flags to determine the
scan type (syn, fin, xmas, etc.) and corresponding command line options that could be
supplied to nmap to generate such a scan. In addition, psad makes use of many TCP, UDP,
and ICMP signatures contained within the Snort intrusion detection system (see
http://www.snort.org/) to detect suspicious network traffic such as probes for common
backdoors, DDoS tools, OS fingerprinting attempts, and more. By default psad also
provides alerts for snort rules that are detected directly by iptables through the use of
a ruleset generated by fwsnort (http://www.cipherdyne.org/fwsnort/). This enables psad to
send alerts for application layer attacks. psad features a set of highly configurable
danger thresholds (with sensible defaults provided) that allow the administrator to define
what constitutes a port scan or other suspect traffic. Email alerts sent by psad contain
the scanning ip, number of packets sent to each port, any TCP, UDP, or ICMP signatures
that have been matched (e.g. "NMAP XMAS scan"), the scanned port range, the current danger
level (from 1 to 5), reverse dns info, and whois information. psad also makes use of
various packet header fields associated with TCP SYN packets to passively fingerprint
remote operating systems (in a manner similar to the p0f fingerprinter) from which scans
originate. This requires the use of the --log-tcp-options argument for iptables logging
rules; if this option is not used, psad will fall back to a fingerprinting method that
makes use of packet length, TTL and TOS values, IP ID, and TCP window sizes.
psad reads all iptables log data by default from the /var/log/messages file. By parsing
firewall log messages, psad is provided with data that represents packets that have been
logged (and possibly dropped) by the running iptables policy. In this sense, psad is
supplied with a pure data stream that exclusively contains packets that the firewall has
deemed unfit to enter the network. psad consists of three daemons: psad, kmsgsd, and
psadwatchd. psad is responsible for processing all packets that have been logged by the
firewall and applying the signature logic in order to determine what type of scan has been
leveraged against the machine and/or network. kmsgsd (deprecated) reads all messages that
have been written to the /var/lib/psad/psadfifo named pipe and writes any message that
matches a particular regular expression (or string) to /var/log/psad/fwdata. kmsgsd is
only used if the ENABLE_SYSLOG_FILE variable is disabled in psad.conf. psadwatchd is a
software watchdog that will restart any of the other two daemons should a daemon die for
any reason.
OPTIONS
-A, --Analyze-msgs
Analyze an iptables logfile for scans and exit. This will generate email alerts
just as a normal running psad process would have for all logged scans. By default
the psad data file /var/log/psad/fwdata is parsed for old scans, but any file can
be specified through the use of the --messages-file command line option. For
example it might be useful to point psad at your /var/log/messages file.
--analysis-fields <search fields>
In --Analyze mode restrict analysis to iptables log messages that have specific
values for particular fields. Examples include "SRC:1.2.3.4", "DST:10.0.0.0/24,
and "TTL:64", and multiple fields are supported as a comma-separated list like
"SRC:1.2.3.4, LEN:44, DST:10.0.0.0/24".
-i, --interface <interface>
Specify the interface that psad will examine for iptables log messages. This
interface will be the IN= interface for packets that are logged in the INPUT and
FORWARD chains, and the OUT= interface for packets logged in the OUTPUT chain.
--sig-update
Instruct psad to download the latest set of modified Snort signatures from
http://www.cipherdyne.org/psad/signatures so that psad can take advantage of
signature updates before a new release is made.
-O, --Override-config <file>
Override config variable values that are normally read from the /etc/psad/psad.conf
file with values from the specified file. Multiple override config files can be
given as a comma separated list.
-D, --Dump-conf
Dump the current psad config to STDOUT and exit. Various pieces of information
such as the home network, alert email addresses, and DShield user id are removed
from the resulting output so it is safe to send to others.
-F, --Flush
Remove any auto-generated firewall block rules if psad was configured to
automatically respond to scans (see the ENABLE_AUTO_IDS variable in psad.conf).
-S, --Status
Display the status of any psad processes that may or not be running. The status
output contains a listing of the number of packets that have been processed by
psad, along with all IP addresses and corresponding danger levels that have scanned
the network.
--status-ip <ip>
Display status information associated with ip such as the protocol packet counters
as well as the last 10 packets logged by iptables.
--status-dl <dl>
Display status information only for scans that have reached a danger level of at
least dl
--status-summary
Instruct psad to omit detailed IP information from --Status and --Analyze modes.
-m, --messages-file <file>
This option is used to specify the file that will be parsed in analysis mode (see
the --Analyze-msgs option). The default path is the psad data file
/var/log/psad/fwdata.
--CSV Instruct psad to parse iptables log messages out of /var/log/messages (by defult,
but this path can be changed with the -m option), and print the packet fields on
STDOUT in comma-separate value format. This is useful for graphing iptables log
data with AfterGlow (see http://afterglow.sourceforge.net/index.html).
--stdin
Acquire iptables log data from STDIN instead of the default /var/log/messages file.
--CSV-fields <tokens>
Instruct psad to only include a specific set of iptables log message fields within
the CSV output. AfterGlow accepts up to three fields for its graph data, so the
most common usage of this option is "src dst dp" to print the source and
destination IP addresses, and the destination port number.
-K, --Kill
Kill the current psad process along with psadwatchd and kmsgsd. This provides a
quick and easy way to kill all psad processes without having to look in the process
table or appeal to the psad-init script.
-R, --Restart
Restart the currently running psad processes. This option will preserve the
command line options that were supplied to the original psad process.
-U, --USR1
Send a running psad process a USR1 signal. This will cause psad to dump the
contents of the %Scan hash to the file "/var/log/psad/scan_hash.$$" where "$$"
represents the pid of the psad process. This is mostly useful for debugging
purposes, but it also allows the administrator to peer into the %Scan hash, which
is the primary data structure used to store scan data within system memory.
-H, --HUP
Send all running psad daemons a HUP signal. This will instruct the daemons to re-
read their respective configuration files without causing scan data to be lost in
the process.
-B, --Benchmark
Run psad in benchmark mode. By default benchmark mode will simulate a scan of
10,000 packets (see the --packets option) and then report the elapsed time. This
is useful to see how fast psad can process packets on a specific machine.
-p, --packets <packets>
Specify the number of packets to analyze in --Analyze mode or use in --Benchmark
mode. The default is 10,000 packets in --Benchmark mode, and unlimited in
--Analyze mode.
-d, --debug
Run psad in debugging mode. This will automatically prevent psad from running as a
daemon, and will print the contents of the %Scan hash and a few other things on
STDOUT at crucial points as psad executes.
-c, --config <configuration-file>
By default all of the psad makes use of the configuration file /etc/psad/psad.conf
for almost all configuration parameters. psad can be made to override this path by
specifying a different file on the command line with the --config option.
--signatures <signatures-file>
The iptables firewalling code included within the linux 2.4.x kernel series has the
ability to distinguish and log any of the TCP flags present within TCP packets that
traverse the firewall interfaces. psad makes use of this logging capability to
detect several types of TCP scan signatures included within /etc/psad/signatures.
The signatures were originally included within the snort intrusion detection
system. New signatures can be included and modifications to existing signatures
can be made to the signature file and psad will import the changes upon receiving a
HUP signal (see the --HUP command line option) without having to restart the psad
process. psad also detects many UDP and ICMP signatures that were originally
included within snort.
-e, --email-analysis
Send alert emails when run in --Analyze-msgs mode. Depending on the size of the
iptables logfile, using the --email-analysis option could extend the runtime of
psad by quite a bit since normally both DNS and whois lookups will be issued
against each scanning IP address. As usual these lookups can be disabled with the
--no-rdns and --no-whois options respectively.
-w, --whois-analysis
By default psad does not issue whois lookups when running in --Analyze-msgs mode.
The --whois-analysis option will override this behavior (when run in analysis mode)
and instruct psad to issue whois lookups against IP addresses from which scans or
other suspect traffic has originated.
--analysis-auto-block
Enable auto-blocking responses when running in --Analyze-msgs mode. This is mostly
useful only for the psad test suite when auto-blocking responses are tested and
verified.
--snort-type <type>
Restrict the type of snort sids to type. Allowed types match the file names given
to snort rules files such as "ddos", "backdoor", and "web-attacks".
--snort-rdir <snort-rules-directory>
Manually specify the directory where the snort rules files are located. The
default is /etc/psad/snort_rules.
--passive-os-sigs <passive-os-sigs-file>
Manually specify the path to the passive operating system fingerprinting signatures
file. The default is /etc/psad/posf.
--auto-dl <auto-dl-file>
Occasionally certain IP addresses are repeat offenders and should automatically be
given a higher danger level than would normally be assigned. Additionally, some IP
addresses can always be ignored depending on your network configuration (the
loopback interface 127.0.0.1 might be a good candidate for example).
/etc/psad/auto_dl provides an interface for psad to automatically
increase/decrease/ignore scanning IP danger levels. Modifications can be made to
auto_dl (installed by default in /etc/psad) and psad will import them with 'psad
-H' or by restarting the psad process.
--fw-search <fw_search-file>
By default all of the psad makes use of the firewall search configuration file
/etc/psad/fw_search.conf for firewall search mode and search strings. psad can be
made to override this path by specifying a different file on the command line with
the --fw-search option.
--fw-list-auto
List all rules in iptables chains that are used by psad in auto-blocking mode.
--fw-analyze
Analyze the local iptables ruleset, send any alerts if errors are discovered, and
then exit.
--fw-del-chains
By default, if ENABLE_AUTO_IDS is set to "Y" psad will not delete the auto-
generated iptables chains (see the IPT_AUTO_CHAIN keywords in psad.conf) if the
--Flush option is given. The --fw-del-chains option overrides this behavior and
deletes the auto-blocking chains from a running iptables firewall.
--fw-dump
Instruct psad to dump the contents of the iptables policy that is running on the
local system. All IP addresses are removed from the resulting output, so it is
safe to post to the psad list, or communicate to others. This option is most often
used with --Dump-conf.
--fw-block-ip <ip>
Specify an IP address or network to add to the iptables controls that are auto-
generated by psad. This allows psad to manage the rule timeouts.
--fw-rm-block-ip <ip>
Specify an IP address or network to remove from the iptables controls that are
auto-generated by psad.
--fw-file <policy-file>
Analyze the iptables ruleset contained within policy-file instead of the ruleset
currently loaded on the local system.
--CSV-regex <regex>
Instruct psad to only print CSV data that matches the supplied regex. This regex
is used to match against each of the entire iptables log messages.
--CSV-neg-regex <regex>
Instruct psad to only print CSV data that does not match the supplied regex. This
regex is used to negatively match against each of the entire iptables log messages.
--CSV-uniq-lines
Instruct psad to only print unique CSV data. That is, each line printed in --CSV
mode will be unique.
--CSV-max-lines <num>
Limit the number of CSV-formatted lines that psad generates on STDOUT. This is
useful to allow AfterGlow graphs to be created that are not too cluttered.
--CSV-start-line <num>
Specify the beginning line number to start parsing out of the iptables log file in
--CSV output mode. This is useful for when the log file is extremely large, and
you want to begin parsing a specific place within the file. The default is begin
parsing at the beginning of the file.
--CSV-end-line <num>
Specify the ending line number to stop parsing the iptables log file in --CSV
output mode. This is useful for when the log file is extremely large, and you do
not want psad to process the entire thing.
--gnuplot
Enter into Gnuplot mode whereby psad parses an iptables logfile and creates .gnu
and .dat files that are suitable for graphing with Gnuplot. The various --CSV
command line arguments apply to plotting iptables log with Gnuplot.
--gnuplot-template <file>
Use a template file for all Gnuplot graphing directives (this is usually a .gnu
file by convention). Normally psad builds all of the graphing directives based on
various --gnuplot command line arguments, but the --gnuplot-template switch allows
you to override this behavior.
--gnuplot-file-prefix <file>
Specify a prefix for the .gnu, .dat, and .png files that are generated in --gnuplot
mode. So, when visualizing attacks captured in an iptables logfile (let's say you
are interested in port scans), you could use this option to have psad create the
two files portscan.dat, portscan.gnu, and Gnuplot will create an additional file
portscan.png when the portscan.gnu file is loaded.
--gnuplot-x-label <label>
Set the label associated with the x-axis.
--gnuplot-x-range <range>
Set the x-axis range.
--gnuplot-y-label <label>
Set the label associated with the y-axis.
--gnuplot-y-range <range>
Set the y-axis range.
--gnuplot-z-label <label>
Set the label associated with the z-axis (only if --gnuplot-3D is used).
--gnuplot-z-range <range>
Set the z-axis range. (only if --gnuplot-3D is used).
--gnuplot-3D
Generate a Gnuplot splot graph. This produces a three-dimensional graph.
--gnuplot-view
Set the viewing angle when graphing data in --gnuplot-3D mode.
--gnuplot-title <title>
Set the graph title for the Gnuplot graph.
-I, --Interval <seconds>
Specify the interval (in seconds) that psad should use to check whether or not
packets have been logged by the firewall. psad will use the default of 15 seconds
unless a different value is specified.
-l, --log-server
This option should be used if psad is being executed on a syslog logging server.
Running psad on a logging server requires that check_firewall_rules() and
auto_psad_response() not be executed since the firewall is probably not being run
locally.
-V, --Version
Print the psad version and exit.
--no-daemon
Do not run psad as a daemon. This option will display scan alerts on STDOUT
instead of emailing them out.
--no-ipt-errors
Occasionally iptables messages written by syslog to /var/log/messages seem to not
conform to the normal firewall logging format if the kernel ring buffer used by
klogd becomes full. psad will write these message to /var/log/psad/errs/fwerrorlog
by default. Passing the --no-ipt-errors option will make psad ignore all such
erroneous firewall messages.
--no-whois
By default psad will issue a whois query against any IP from which a scan has
originated, but this can be disabled with the --no-whois command line argument.
--no-fwcheck
psad performs a rudimentary check of the firewall ruleset that exists on the
machine on which psad is deployed to determine whether or not the firewall has a
compatible configuration (i.e. iptables has been configured to log packets).
Passing the --no-fwcheck or --log-server options will disable this check.
--no-auto-dl
Disable auto danger level assignments. This will instruct to not import any IP
addresses or networks from the file /etc/psad/auto_dl.
--no-snort-sids
Disable snort sid processing mode. This will instruct psad to not import snort
rules (for snort SID matching in a policy generated by fwsnort ).
--no-signatures
Disable psad signature processing. Note that this is independent of snort SID
matching in iptables messages generated by fwsnort and also from the ICMP type/code
validation routines.
--no-icmp-types
Disable ICMP type and code field validation.
--no-passive-os
By default psad will attempt to passively (i.e. without sending any packets)
fingerprint the remote operating system from which a scan originates. Passing the
--no-passive-os option will disable this feature.
--no-rdns
psad normally attempts to find the name associated with a scanning IP address, but
this feature can be disabled with the --no-rdns command line argument.
--no-kmsgsd
Disable startup of kmsgsd. This option is most useful for debugging with
individual iptables messages so that new messages are not appended to the
/var/log/psad/fwdata file.
--no-netstat
By default for iptables firewalls psad will determine whether or not your machine
is listening on a port for which a TCP signature has been matched. Specifying
--no-netstat disables this feature.
-h, --help
Print a page of usage information for psad and exit.
FILES
/etc/psad/psad.conf
The main psad configuration file which contains configuration variables mentioned
in the section below.
/etc/psad/fw_search.conf
Used to configure the strategy both psad and kmsgsd employ to parse iptables
messages. Using configuration directive within this file, psad can be configured
to parse all iptables messages or only those that match specific log prefix strings
(see the --log-prefix option to iptables).
/etc/psad/signatures
Contains the signatures psad uses to recognize nasty traffic. The signatures are
written in a manner similar to the *lib signature files used in the snort IDS.
/etc/psad/icmp_types
Contains all valid ICMP types and corresponding codes as defined by RFC 792. By
default, ICMP packets are validated against these values and an alert will be
generated if a non-matching ICMP packet is logged by iptables.
/etc/psad/snort_rules/*.rules
Snort rules files that are consulted by default unless the --no-snort-sids commmand
line argument is given.
/etc/psad/auto_dl
Contains a listing of any IP addresses that should be assigned a danger level based
on any traffic that is logged by the firewall. The syntax is "<IP address> <danger
level>" where <danger level> is an integer from 0 to 5, with 0 meaning to ignore
all traffic from <IP address>, and 5 is to assign the highest danger level to <IP
address>.
/etc/psad/posf
Contains a listing of all passive operating system fingerprinting signatures.
These signatures include packet lengths, ttl, tos, IP ID, and TCP window size
values that are specific to various operating systems.
PSAD CONFIGURATION VARIABLES
This section describes what each of the more important psad configuration variables do and
how they can be tuned to meet your needs. Most of the variables are located in the psad
configuration file /etc/psad/psad.conf but the FW_SEARCH_ALL and FW_MSG_SEARCH variables
are located in the file /etc/psad/fw_search.conf. Each variable is assigned sensible
defaults for most network architectures during the install process. More information on
psad config keywords may be found at: http://www.cipherdyne.org/psad/config.html
EMAIL_ADDRESSES
Contains a comma-separated list of email addresses to which email alerts will be
sent. The default is "root@localhost".
HOSTNAME
Defines the hostname of the machine on which psad is running. This will be used in
the email alerts generated by psad.
HOME_NET
Define the internal network(s) that are connected to the local system. This will
be used in the signature matching code to determine whether traffic matches snort
rules, which invariably contain a source and destination network. Multiple
networks are supported as a comma separated list, and each network should be
specified in CIDR notation. Normally the network(s) contained in the HOME_NET
variable should be directly connected to the machine that is running psad.
IMPORT_OLD_SCANS
Preserve scan data across restarts of psad or even across reboots of the machine.
This is accomplished by importing the data contained in the filesystem cache psad
writes to during normal operation back into memory as psad is started. The
filesystem cache data in contained within the directory /var/log/psad.
FW_SEARCH_ALL
Defines the search mode psad uses to parse iptables messages. By default
FW_SEARCH_ALL is set to "Y" since normally most people want all iptables log
messages to be parsed for scan activity. However, if FW_SEARCH_ALL is set to "N",
psad will only parse those iptables log messages that match certain search strings
that appear in iptables logs with the --log-prefix option. This is useful for
restricting psad to only operate on specific iptables chains or rules. The strings
that will be searched for are defined with the FW_MSG_SEARCH variable (see below).
The FW_SEARCH_ALL variable is defined in the file /etc/psad/fw_search.conf since it
is referenced by both psad and kmsgsd.
FW_MSG_SEARCH
Defines a set of search strings that psad uses to identify iptables messages that
should be parsed for scan activity. These search strings should match the log
prefix strings specified in the iptables ruleset with the --log-prefix option, and
the default value for FW_MSG_SEARCH is "DROP". Note that psad normally parses all
iptables messages, and so the FW_MSG_SEARCH variable is only needed if
FW_SEARCH_ALL (see above) is set to "N". The FW_MSG_SEARCH variable is referenced
by both psad and kmsgsd so it lives in the file /etc/psad/fw_search.conf.
SYSLOG_DAEMON
Define the specific syslog daemon that psad should interface with. Psad supports
three syslog daemons: syslogd, syslog-ng, and metalog. The default value of
SYSLOG_DAEMON is syslogd.
IGNORE_PORTS
Specify a list of port ranges and/or individual ports and corresponding protocols
that psad should complete ignore. This is particularly useful for ignore ports
that are used as a part of a port knocking scheme (such as fwknop
http://www.cipherdyne.org/fwknop/) for network authentication since such log
messages generated by the knock sequence may otherwise be interpreted as a scan.
Multiple ports and/or port ranges may be specified as a comma-separated list, e.g.
"tcp/22, tcp/61000-61356, udp/53".
ENABLE_PERSISTENCE
If "Y", psad will keep all scans in memory and not let them timeout. This can help
discover stealthy scans where an attacker tries to slip beneath IDS thresholds by
only scanning a few ports over a long period of time. ENABLE_PERSISTENCE is set to
"Y" by default.
SCAN_TIMEOUT
If ENABLE_PERSISTENCE is "N" then psad will use the value set by SCAN_TIMEOUT to
remove packets from the scan threshold calculation. The default is 3600 seconds (1
hour).
DANGER_LEVEL{1,2,3,4,5}
psad uses a scoring system to keep track of the severity a scans reaches
(represented as a "danger level") over time. The DANGER_LEVEL{n} variables define
the number of packets that must be dropped by the firewall before psad will assign
the respective danger level to the scan. A scan may also be assigned a danger
level if the scan matches a particular signature contained in the signatures file.
There are five possible danger levels with one being the lowest and five the
highest. Note there are several factors that can influence how danger levels are
calculated: whether or not a scan matches a signature listed in
/etc/psad/signatures, the value of PORT_RANGE_SCAN_THRESHOLD (see below), whether
or not a scan comes from an IP that is listed in the /etc/psad/auto_dl file, and
finally whether or not scans are allowed to timeout as determined by SCAN_TIMEOUT
above. If a signature is matched or the scanning IP is listed in
/etc/psad/auto_dl, then the corresponding danger level is automatically assigned to
the scan.
PORT_RANGE_SCAN_THRESHOLD
Defines the minimum difference between the lowest port and the highest port scanned
before an alert is sent (the default is 1 which means that at least two ports must
be scanned to generate an alert). For example, suppose an ip repeatedly scans a
single port for which there is no special signature in signatures. Then if
PORT_RANGE_SCAN_THRESHOLD=1, psad will never send an alert for this "scan" no
matter how many packets are sent to the port (i.e. no matter what the value of
DANGER_LEVEL1 is). The reason for the default of 1 is that a "scan" usually means
that at least two ports are probed, but if you want psad to be extra paranoid you
can set PORT_RANGE_SCAN_THRESHOLD=0 to alert on scans to single ports (as long as
the number of packets also exceeds DANGER_LEVEL1).
SHOW_ALL_SIGNATURES
If "Y", psad will display all signatures detected from a single scanning IP since a
scan was first detected instead of just displaying newly-detected signatures.
SHOW_ALL_SIGNATURES is set to "N" by default. All signatures are listed in the
file /etc/psad/signatures.
SNORT_SID_STR
Defines the string kmsgsd will search for in iptables log messages that are
generated by iptables rules designed to detect snort rules. The default is "SID".
See fwsnort (http://www.cipherdyne.org/fwsnort/).
ENABLE_DSHIELD_ALERTS
Enable dshield alerting mode. This will send a parsed version of iptables log
messages to dshield.org which is a (free) distributed intrusion detection service.
For more information, see http://www.dshield.org/
IGNORE_CONNTRACK_BUG_PKTS
If "Y", all TCP packets that have the ACK or RST flag bits set will be ignored by
psad since usually we see such packets being blocked as a result of the iptables
connection tracking bug. Note there are no signatures that make use of the RST
flag and very few that use ACK flag.
ALERT_ALL
If "Y", send email for all new bad packets instead of just when a danger level
increases. ALERT_ALL is set to "Y" by default.
PSAD_EMAIL_LIMIT
Defines the maximum number of emails that will be sent for a single scanning IP
(default is 50). This variable gives you some protection from psad sending
countless alerts if an IP scans your machine constantly. psad will send a special
alert if an IP has exceeded the email limit. If PSAD_EMAIL_LIMIT is set to zero,
then psad will ignore the limit and send alert emails indefinitely for any scanning
ip.
EMAIL_ALERT_DANGER_LEVEL
Defines the danger level a scan must reach before any alert is sent. This variable
is set to 1 by default.
ENABLE_AUTO_IDS
psad has the capability of dynamically blocking all traffic from an IP that has
reached a (configurable) danger level through modification of iptables or
tcpwrapper rulesets. IMPORTANT: This feature is disabled by default since it is
possible for an attacker to spoof packets from a well known (web)site in an effort
to make it look as though the site is scanning your machine, and then psad will
consequently block all access to it. Also, psad works by parsing firewall messages
for packets the firewall has already dropped, so the "scans" are unsuccessful
anyway. However, some administrators prefer to take this risk anyway reasoning
that they can always review which sites are being blocked and manually remove the
block if necessary (see the --Flush option). Your mileage will vary.
AUTO_IDS_DANGER_LEVEL
Defines the danger level a scan must reach before psad will automatically block the
IP (ENABLE_AUTO_IDS must be set to "Y").
EXAMPLES
The following examples illustrate the command line arguments that could be supplied to
psad in a few situations:
Signature checking, passive OS fingerprinting, and automatic IP danger level assignments
are enabled by default without having to specify any command line arguments (best for most
situations):
# psad
Same as above, but this time we use the init script to start psad:
# /etc/init.d/psad start
Use psad as a forensics tool to analyze an old iptables logfile (psad defaults to
analyzing the /var/log/messages file if the -m option is not specified):
# psad -A -m <iptables logfile>
Run psad in forensics mode, but limit its operations to a specific IP address "10.1.1.1":
# psad -A -m <iptables logfile> --analysis-fields src:10.1.1.1
Generate graphs of scan data using AfterGlow:
# psad --CSV --CSV-fields src dst dp --CSV-max 1000 -m <iptables logfile> | perl
afterglow.pl -c color.properties | neato -Tgif -o iptables_graph.gif
The psad.conf, signatures, and auto_dl files are normally located within the /etc/psad/
directory, but the paths to each of these files can be changed:
# psad -c <config file> -s <signatures file> -a <auto ips file>
Disable the firewall check and the local port lookup subroutines; most useful if psad is
deployed on a syslog logging server:
# psad --log-server --no-netstat
Disable reverse dns and whois lookups of scanning IP addresses; most useful if speed of
psad is the main concern:
# psad --no-rdns --no-whois
DEPENDENCIES
psad requires that iptables is configured with a "drop and log" policy for any traffic
that is not explicitly allowed through. This is consistent with a secure network
configuration since all traffic that has not been explicitly allowed should be blocked by
the firewall ruleset. By default, psad attempts to determine whether or not the firewall
has been configured in this way. This feature can be disabled with the --no-fwcheck or
--log-server options. The --log-server option is useful if psad is running on a syslog
logging server that is separate from the firewall. For more information on compatible
iptables rulesets, see the FW_EXAMPLE_RULES file that is bundled with the psad source
distribution.
psad by default parses the /var/log/messages file for all iptables log data.
DIAGNOSTICS
The --debug option can be used to display crucial information about the psad data
structures on STDOUT as a scan generates firewall log messages. --debug disables daemon
mode execution.
Another more effective way to peer into the runtime execution of psad is to send (as root)
a USR1 signal to the psad process which will cause psad to dump the contents of the %Scan
hash to /var/log/psad/scan_hash.$$ where $$ represents the pid of the psad process.
SEE ALSO
iptables(8), kmsgsd(8), psadwatchd(8), fwsnort(8), snort(8), nmap(1), p0f(1), gnuplot(1)
AUTHOR
Michael Rash <mbr@cipherdyne.org>
CONTRIBUTORS
Many people who are active in the open source community have contributed to psad. See the
CREDITS file in the psad sources, or visit
http://www.cipherdyne.org/psad/docs/contributors.html to view the online list of
contributors.
BUGS
Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are always welcome as
well.
For iptables firewalls as of Linux kernel version 2.4.26, if the ip_conntrack module is
loaded (or compiled into the kernel) and the firewall has been configured to keep state of
connections, occasionally packets that are supposed to be part of normal TCP traffic will
not be correctly identified due to a bug in the firewall state timeouts and hence dropped.
Such packets will then be interpreted as a scan by psad even though they are not part of
any malicious activity. Fortunately, an interim fix for this problem is to simply extend
the TCP_CONNTRACK_CLOSE_WAIT timeout value in
linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c from 60 seconds to 2 minutes, and a set
of kernel patches is included within the patches/ directory in the psad sources to change
this. (Requires a kernel recompile of course; see the Kernel-HOWTO.) Also, by default
the IGNORE_CONNTRACK_BUG_PKTS variable is set to "Y" in psad.conf which causes psad to
ignore all TCP packets that have the ACK bit set unless the packets match a specific
signature.
DISTRIBUTION
psad is distributed under the GNU General Public License (GPL), and the latest version may
be downloaded from: http://www.cipherdyne.org/ Snort is a registered trademark of
Sourcefire, Inc.