psad Configuration Variables
Syntax
Configuration Variables in the psad configuration files (/etc/psad/psad.conf, /etc/psad/fw_search.conf,
/etc/psad/kmsgsd.conf, and /etc/psad/psadwatchd.conf) follow a simple key/value scheme.
For example, the WHOIS_TIMEOUT timeout keyword is defined as follows in /etc/psad/psad.conf:
WHOIS_TIMEOUT 60;
Note that the value associated with each key is terminated by a semicolon. All lines that
begin with a "#" are treated as comments. A comment may also be included on a line that
contains a keyword as long as it appears after the ending semicolon and is preceded by a
"#". E.g.:
WHOIS_TIMEOUT 60; ### Seconds
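A small parser for this key/value syntax, added here as an example (it is not psad's own code, which is written in Perl): it accepts "KEY value;" lines, skips lines that begin with "#", tolerates a "#" comment after the terminating semicolon, and rejects a line whose semicolon is missing, which is the usual way a hand edit of psad.conf goes wrong. The configuration text it parses is constructed for the example.

```python
import re

# Constructed sample in the psad key/value syntax: "KEY value;" with
# optional "#" comments, either on their own line or after the semicolon.
SAMPLE_CONF = """\
### psad.conf excerpt (constructed for this example)
EMAIL_ADDRESSES     you@domain1.com, you@domain2.com;
HOME_NET            192.168.10.4/24;
WHOIS_TIMEOUT       60;   ### Seconds
# DANGER_LEVEL1 is the packet count needed to reach level 1
DANGER_LEVEL1       5;
IGNORE_PORTS        tcp/61000-61356, udp/53, udp/5000;
"""

# A keyword, whitespace, a value that runs up to the terminating ";", then an
# optional "#" comment. Values may contain spaces and commas (EMAIL_ADDRESSES,
# IGNORE_PORTS) but never a ";" or a "#".
_LINE_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s+([^;#]*?)\s*;\s*(?:#.*)?$")


def parse_psad_conf(text):
    """Parse psad-style "KEY value;" text into a dict of raw string values.

    Comment-only and blank lines are skipped. Any other line that does not
    carry a terminating ";" (before an optional comment) is rejected, so a
    missing semicolon is reported instead of being silently mis-read.
    """
    conf = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: expected 'KEY value;' but got {stripped!r}")
        key, value = m.group(1), m.group(2)
        if key in conf:
            raise ValueError(f"line {lineno}: duplicate keyword {key}")
        conf[key] = value
    return conf


def split_list(value):
    """Split a comma separated value (EMAIL_ADDRESSES, HOME_NET, IGNORE_PORTS)."""
    return [item.strip() for item in value.split(",") if item.strip()]


if __name__ == "__main__":
    for key, value in parse_psad_conf(SAMPLE_CONF).items():
        print(f"{key} = {value!r}")
```

The parser returns raw strings on purpose; interpreting a value (an integer timeout, a list of addresses, a "Y"/"N" flag) is left to the code that uses the keyword, which is also where a bad value can be reported with the keyword's name.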
Configuration Variables
The following keywords and associated defaults are defined by psad. All keywords are defined
in /etc/psad/psad.conf unless otherwise noted. An example is given for each keyword
in the text below.
EMAIL_ADDRESSES
EMAIL_ADDRESSES defines the email address to which psad should send
scan alerts and status emails. Multiple email addresses are supported
as a comma separated list. The default value is "root@localhost", but
the psad installer prompts the user to change this at install
time.
EMAIL_ADDRESSES you@domain1.com, you@domain2.com;
HOME_NET
HOME_NET specifies the home network. This variable is used to identify traffic
that matches snort rules in the iptables FORWARD chain. Traffic that is directed
to, or originates from, the firewall itself (i.e. in the INPUT or OUTPUT
chains respectively) is treated as traffic to or from the HOME_NET by default
and hence even if the HOME_NET variable is not defined, psad will still be
able to detect matching scans. A syslog and email warning message will be
generated if this variable is not defined. Normally the network(s) specified
here should directly match the networks attached to the local machine. Multiple networks are
supported as a comma separated list. The network(s) should be specified in CIDR
notation. NOTE: The HOME_NET variable is not used if there is only one network
interface on the system (i.e. no traffic will be logged via iptables through the
FORWARD chain). If there is only one network interface on the box, then just set
this variable to "NOT_USED".
HOME_NET 192.168.10.4/24;
SYSLOG_DAEMON
SYSLOG_DAEMON sets the type of syslog daemon that is used. Psad supports
three different syslog daemons: syslogd, syslog-ng, and metalog. One of these
may be specified as an argument to the SYSLOG_DAEMON keyword. The default is
"syslogd".
SYSLOG_DAEMON syslogd;
DANGER_LEVEL{n}
DANGER_LEVEL{1,2,3,4,5} sets the number of packets that must be seen in order to
reach each danger level. Psad supports five danger levels, with 1 being the least
severe and 5 being most severe. Scans are assigned a danger level based upon the
thresholds defined by the DANGER_LEVEL{1,2,3,4,5} variables. Scans may also be
assigned a danger level if a specific signature is matched (see: /etc/psad/signatures)
or if the IP address from which the scan originates is automatically assigned a
danger level (see: /etc/psad/auto_dl). The default values for the DANGER_LEVEL
variables appear in the Example below:
DANGER_LEVEL1 5;
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
PSAD_CHECK_INTERVAL
PSAD_CHECK_INTERVAL sets the number of seconds psad sleeps before checking for
new iptables log messages. The default is 5 seconds.
PSAD_CHECK_INTERVAL 5;
SNORT_SID_STR
SNORT_SID_STR instructs psad to look for snort "sid" values generated by
fwsnort or snort2iptables in iptables logging prefixes.
The default is "SID" since fwsnort generates iptables logs that contain strings
such as "SID940".
SNORT_SID_STR SID;
PORT_RANGE_SCAN_THRESHOLD
PORT_RANGE_SCAN_THRESHOLD defines the minimum range of ports that must be scanned
before an email alert will be generated. For example, setting PORT_RANGE_SCAN_THRESHOLD
to 1 would require that at least two different ports must be scanned before an alert
is sent (i.e. an alert will not be generated if multiple scan packets are sent against
the same port). Setting PORT_RANGE_SCAN_THRESHOLD to 0 is the most verbose setting and will
cause psad to send alerts for any scan that involves at least the number of packets
specified by DANGER_LEVEL1, even if such a scan only involves a single port. The
default value for PORT_RANGE_SCAN_THRESHOLD is 1.
PORT_RANGE_SCAN_THRESHOLD 1;
ENABLE_PERSISTENCE
ENABLE_PERSISTENCE controls whether or not psad will allow scans to time out. The
default value is "Y", which means that scans will never time out. This is useful
for catching scans that take place over long periods of time where the attacker
is trying to slip beneath the IDS detection thresholds.
ENABLE_PERSISTENCE Y;
SCAN_TIMEOUT
Defines the number of seconds psad will use to timeout scans (or other
suspect traffic) associated with individual IP addresses. The default value is
3600 seconds (one hour). Note the SCAN_TIMEOUT is only used if ENABLE_PERSISTENCE is
set to "N".
SCAN_TIMEOUT 3600;
SHOW_ALL_SIGNATURES
If set to "Y", instructs psad to include all scan signatures
associated with an IP address in every new email alert for the IP. Note that this may
result in long email alerts if an IP is persistently hitting your site with suspicious
traffic over a long period of time. SHOW_ALL_SIGNATURES is set to "N" by default and
hence psad will only display alert information associated with new signatures.
SHOW_ALL_SIGNATURES N;
IGNORE_CONNTRACK_BUG_PKTS
Instructs psad to ignore TCP packets that have the ACK bit
set. The reason for this stems from the fact that the TCP connection tracking code
in the Linux kernel sets an inappropriately short timeout for acknowledgement packets
associated with TCP sessions that have entered the CLOSE_WAIT state. Note that
TCP packets that trip application level inspection signatures as detected by
fwsnort will still be alerted upon by psad since fwsnort
generates iptables logging prefixes such as "SID940" which are parsed first by psad.
The default value for IGNORE_CONNTRACK_BUG_PKTS is "Y".
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS
Defines a set of TCP and/or UDP ports that psad should ignore even if
suspicious traffic is logged over these ports. Both port ranges and individual
TCP and UDP ports can be specified. This keyword adds a degree of configurability
to psad in an effort to compensate for an iptables policy that may not be ideally
configured (i.e. generating logs for traffic it shouldn't), or for applications
such as port knocking schemes (see: fwknop) that generate
traffic that is essentially indistinguishable from port scans. The default value
for IGNORE_PORTS is "NONE".
IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
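The following added example (not psad's own code) parses an IGNORE_PORTS value into (protocol, low, high) entries and applies it to iptables log lines of the shape the kernel LOG target writes, keeping only the lines psad would still consider. The log lines are constructed; only their PROTO and DPT fields matter here. Lines without a TCP or UDP port, such as ICMP, are always kept, since IGNORE_PORTS only names ports.

```python
import re

# Constructed iptables LOG lines from one source hitting the firewall. Real
# lines carry more fields; only PROTO and DPT are used below.
SAMPLE_LOG = [
    "Jan 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.10.4 PROTO=TCP SPT=40001 DPT=61200 SYN",
    "Jan 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.10.4 PROTO=UDP SPT=40002 DPT=53 LEN=40",
    "Jan 10 12:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.10.4 PROTO=TCP SPT=40003 DPT=23 SYN",
    "Jan 10 12:00:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.10.4 PROTO=UDP SPT=40004 DPT=5000 LEN=40",
    "Jan 10 12:00:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.10.4 PROTO=TCP SPT=40005 DPT=5000 SYN",
]

_FIELD_RE = re.compile(r"\b(PROTO|SPT|DPT)=(\S+)")


def parse_ignore_ports(value):
    """Turn 'tcp/61000-61356, udp/53, udp/5000' into [(proto, low, high), ...].

    "NONE" (the default) yields an empty list, so nothing is ignored.
    """
    rules = []
    if value.strip().upper() == "NONE":
        return rules
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        proto, _, ports = item.partition("/")
        proto = proto.strip().lower()
        if proto not in ("tcp", "udp") or not ports:
            raise ValueError(f"bad IGNORE_PORTS entry: {item!r}")
        low, _, high = ports.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port range in IGNORE_PORTS entry: {item!r}")
        rules.append((proto, low, high))
    return rules


def is_ignored(proto, dport, rules):
    """True if (proto, destination port) falls inside any IGNORE_PORTS entry."""
    return any(proto == p and lo <= dport <= hi for p, lo, hi in rules)


def filter_log(lines, rules):
    """Return the log lines that survive IGNORE_PORTS filtering.

    A line is dropped only when it has a TCP or UDP PROTO field, a DPT field,
    and that port is covered by a rule; anything else is kept untouched.
    """
    kept = []
    for line in lines:
        fields = dict(_FIELD_RE.findall(line))
        proto = fields.get("PROTO", "").lower()
        if proto in ("tcp", "udp") and "DPT" in fields:
            if is_ignored(proto, int(fields["DPT"]), rules):
                continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    active = parse_ignore_ports("tcp/61000-61356, udp/53, udp/5000")
    for line in filter_log(SAMPLE_LOG, active):
        print(line)
```

With the page's example value, the tcp/61200, udp/53 and udp/5000 packets are discarded while tcp/23 and tcp/5000 are kept: the udp/5000 entry does not cover TCP port 5000, which is the point of the per-protocol syntax.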
EMAIL_ALERT_DANGER_LEVEL
Defines the minimum danger level a scan must reach before
an email alert will be generated by psad. The default value for EMAIL_ALERT_DANGER_LEVEL
is "1".
EMAIL_ALERT_DANGER_LEVEL 1;
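An added example (not psad's own code) that puts the DANGER_LEVEL{n} thresholds, PORT_RANGE_SCAN_THRESHOLD and EMAIL_ALERT_DANGER_LEVEL together into one alert decision for a single source address. The danger level is the highest level whose packet threshold has been reached, using the default thresholds listed above. One assumption is labelled in the code: the port range is taken as highest port minus lowest port, which is what makes a threshold of 1 require two different ports as the text describes. The scan data is constructed.

```python
# Default DANGER_LEVEL{1..5} thresholds from psad.conf: packets seen from one
# source before the scan reaches each level.
DEFAULT_DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}


def danger_level(packet_count, thresholds=DEFAULT_DANGER_LEVELS):
    """Return the highest danger level whose packet threshold has been reached.

    0 means the source has not yet reached DANGER_LEVEL1. Elevation through a
    matched signature or an auto_dl entry is not modelled here.
    """
    level = 0
    for n in sorted(thresholds):
        if packet_count >= thresholds[n]:
            level = n
    return level


def port_range(ports):
    """Width of the port range a source has touched.

    Assumption (the page only gives the worked case): the range is the highest
    port minus the lowest, so one port gives 0 and two different ports give at
    least 1, matching "setting it to 1 requires at least two different ports".
    """
    return max(ports) - min(ports) if ports else 0


def should_email(ports_hit, port_range_scan_threshold=1, email_alert_danger_level=1,
                 thresholds=DEFAULT_DANGER_LEVELS):
    """Decide whether an email alert fires for one source.

    ports_hit lists the destination port of every logged packet from that
    source, so len(ports_hit) is the packet count. Returns (alert, level).
    """
    level = danger_level(len(ports_hit), thresholds)
    if level < 1 or level < email_alert_danger_level:
        return False, level
    if port_range(ports_hit) < port_range_scan_threshold:
        return False, level
    return True, level


# Constructed scan data: destination port per logged packet from one source.
SINGLE_PORT_HAMMER = [22] * 7            # 7 packets, all to tcp/22
SWEEP_20_PORTS = list(range(20, 40))     # 20 packets, one per port 20..39
BELOW_DL1 = [80, 443, 8080]              # 3 packets, below DANGER_LEVEL1

if __name__ == "__main__":
    print(should_email(SINGLE_PORT_HAMMER))                               # (False, 1)
    print(should_email(SINGLE_PORT_HAMMER, port_range_scan_threshold=0))  # (True, 1)
    print(should_email(SWEEP_20_PORTS))                                   # (True, 2)
    print(should_email(SWEEP_20_PORTS, email_alert_danger_level=3))       # (False, 2)
    print(should_email(BELOW_DL1))                                        # (False, 0)
```

The first two calls show the PORT_RANGE_SCAN_THRESHOLD trade-off described above: with the default of 1, seven packets against a single port reach danger level 1 but stay silent; with 0 the same traffic produces an alert.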
PSAD_EMAIL_LIMIT
Defines the maximum number of emails that will be sent for an
individual IP address. The default is "0" which instructs psad to not set any limit
for the number of email alerts that it will send for a particular IP address. Normally
if an IP is causing psad to generate hundreds of alert emails there is a misconfiguration
in either the iptables policy or in the manner in which the network is being utilized by
the IP. Note that enabling this feature by setting PSAD_EMAIL_LIMIT to some value greater
than "0" may cause alerts for real attacks to not be generated if an attack is sent after
the email threshold has been reached for an IP address.
PSAD_EMAIL_LIMIT 100;
EMAIL_LIMIT_STATUS_MSG
If set to "Y" will instruct psad to send a status email message
whenever an IP address has reached the PSAD_EMAIL_LIMIT threshold. The default is "Y".
EMAIL_LIMIT_STATUS_MSG Y;
ALERT_ALL
If set to "Y" instructs psad to send email alerts for any new suspect traffic
from a particular IP address instead of just when the IP reaches a new danger level.
The default for ALERT_ALL is "Y".
ALERT_ALL Y;
IMPORT_OLD_SCANS
If set to "Y" instructs psad to import any old scan data in /var/log/psad
from a previously running psad process. This allows scan data to persist across restarts
of psad or even a system reboot. The default value for IMPORT_OLD_SCANS is "N".
IMPORT_OLD_SCANS Y;
ENABLE_DSHIELD_ALERTS
If set to "Y" will allow psad to send scan data to the DShield
distributed IDS. Security data is usually considered sensitive by system administrators
so ENABLE_DSHIELD_ALERTS is set to "N" by default, but DShield genuinely provides a
useful service to people who are concerned about network security and so enabling this
feature is helpful to the community. See dshield.org for more information.
ENABLE_DSHIELD_ALERTS Y;
DSHIELD_ALERT_EMAIL
Defines the email address to which DShield alerts will be sent if
DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword). The default value
is "reports@dshield.org" and should only be changed if the DShield reporting address
changes.
DSHIELD_ALERT_EMAIL reports@dshield.org;
DSHIELD_ALERT_INTERVAL
Defines the number of hours between successive DShield email
alerts that are generated by psad. The default value is 6 hours, but should not be
set to anything less than 1 hour or greater than 24 hours. This
keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS
keyword).
DSHIELD_ALERT_INTERVAL 6;
DSHIELD_USER_ID
Is used to define a DShield user id (requires free registration at dshield.org).
The default is "0" which allows
psad to send scan information to the DShield distributed IDS anonymously (that is
in the sense that the scan data will not be associated with any particular DShield
user id). This keyword is only referenced if DShield alerting is enabled (see the
ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_USER_ID 6;
DSHIELD_USER_EMAIL
Defines the source email address that will be used to
send scan data to the DShield distributed IDS. The default is "NONE" which allows
psad to send scan information to DShield from the same source email address that is
used by psad to send normal scan alerts. This keyword is only referenced if DShield
alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_USER_EMAIL you@somedomain.com;
DSHIELD_DL_THRESHOLD
Defines a threshold danger level before scan data will be included
in email alerts to DShield. The default is "0" since this will allow DShield to apply
its own logic to determine what constitutes a scan (i.e. _all_ iptables log messages
will be included in DShield email alerts with DSHIELD_DL_THRESHOLD set to "0"). This
keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS
keyword).
DSHIELD_DL_THRESHOLD 2;
ENABLE_AUTO_IDS
If set to "Y" instructs psad to automatically block IP addresses from
which scans or other suspect traffic originate. The default is "N" since enabling this
feature may cause network connectivity problems if the underlying iptables policy is
not tuned correctly (for example if it is logging legitimate DNS response traffic), or
if an attacker discovers that the auto-blocking feature is enabled and then proceeds to
spoof scans from your favorite websites or your upstream router. Psad supports "whitelisting"
IP addresses via the file /etc/psad/auto_dl so that psad will never add block rules for
IP addresses listed in this file that have an auto-danger level set to "0". Incidentally
the /etc/psad/auto_dl file can also be used to automatically elevate the danger level
associated with a scan that originates from a specific IP address and/or IP contained
within a matching network.
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL
Sets a threshold on the minimum danger level a scan must reach
before psad will automatically block the offending IP address (ENABLE_AUTO_IDS must
be set to "Y" for this keyword to be used). The default is "5" which is the highest
danger level assigned by psad to any scan.
AUTO_IDS_DANGER_LEVEL 5;
AUTO_BLOCK_TIMEOUT
Defines the length of time that an auto-generated block rule will
remain in effect (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The
default is "3600" seconds (one hour).
AUTO_BLOCK_TIMEOUT 3600;
IPTABLES_BLOCK_METHOD
Instructs psad to block IP addresses with iptables (if
ENABLE_AUTO_IDS is set to "Y"). Blocking via iptables is more effective and more
secure than blocking via tcpwrappers since packets are intercepted in the kernel
before having an opportunity to talk to any user-land daemon, and hence this is
the preferred method of constructing auto-blocking rules. The default value for
IPTABLES_BLOCK_METHOD is "Y".
IPTABLES_BLOCK_METHOD Y;
IPTABLES_AUTO_RULENUM
Defines the specific rule number that psad will use to add
auto-generated iptables blocking rules in the INPUT, OUTPUT, and FORWARD chains
(ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default
value is "1".
IPTABLES_AUTO_RULENUM 1;
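The following added example (not psad's own code) models the auto-blocking keywords above: ENABLE_AUTO_IDS and IPTABLES_BLOCK_METHOD gate the feature, AUTO_IDS_DANGER_LEVEL is the threshold, auto_dl entries at level 0 are never blocked and other auto_dl levels elevate the scan, AUTO_BLOCK_TIMEOUT expires the block, and IPTABLES_AUTO_RULENUM is the insert position. Two assumptions are labelled in the code: auto_dl is represented as a dict of network to level rather than the file's own syntax, and the block rule is modelled as a DROP on the source address in INPUT and FORWARD and on the destination address in OUTPUT. The iptables commands are returned as strings, not executed.

```python
import ipaddress

# Constructed stand-in for /etc/psad/auto_dl entries: network -> danger level.
# Assumption: level 0 means "never auto-block", as the ENABLE_AUTO_IDS text
# describes; other levels are applied to any scan from that network.
AUTO_DL = {
    "127.0.0.1/32": 0,        # never block the firewall itself
    "192.168.10.0/24": 0,     # never block the home network
    "198.51.100.0/24": 5,     # constructed known-bad range: always level 5
}

CHAINS = ("INPUT", "OUTPUT", "FORWARD")


def auto_dl_lookup(ip, auto_dl=AUTO_DL):
    """Return the auto danger level for ip, or None if no auto_dl entry matches."""
    addr = ipaddress.ip_address(ip)
    for net, level in auto_dl.items():
        if addr in ipaddress.ip_network(net, strict=False):
            return level
    return None


def _match_flag(chain):
    # Assumption: match the scanner as destination in OUTPUT, as source elsewhere.
    return "-d" if chain == "OUTPUT" else "-s"


def block_commands(ip, rulenum=1):
    """iptables insert commands at IPTABLES_AUTO_RULENUM in each chain (strings only)."""
    return [f"iptables -I {chain} {rulenum} {_match_flag(chain)} {ip} -j DROP"
            for chain in CHAINS]


def unblock_commands(ip):
    """Matching delete commands used once AUTO_BLOCK_TIMEOUT has passed."""
    return [f"iptables -D {chain} {_match_flag(chain)} {ip} -j DROP"
            for chain in CHAINS]


class AutoBlocker:
    """Tracks auto-generated blocks and their AUTO_BLOCK_TIMEOUT expiry."""

    def __init__(self, enable_auto_ids="N", auto_ids_danger_level=5,
                 auto_block_timeout=3600, iptables_block_method="Y",
                 iptables_auto_rulenum=1, auto_dl=AUTO_DL):
        self.enabled = enable_auto_ids == "Y" and iptables_block_method == "Y"
        self.threshold = auto_ids_danger_level
        self.timeout = auto_block_timeout
        self.rulenum = iptables_auto_rulenum
        self.auto_dl = auto_dl
        self.blocked = {}     # ip -> expiry timestamp (seconds)

    def consider(self, ip, danger_level, now):
        """Return the iptables commands to run for this scan, if any."""
        if not self.enabled or ip in self.blocked:
            return []
        auto_level = auto_dl_lookup(ip, self.auto_dl)
        if auto_level == 0:                       # whitelisted in auto_dl
            return []
        if auto_level is not None:                # auto_dl elevates the scan
            danger_level = max(danger_level, auto_level)
        if danger_level < self.threshold:
            return []
        self.blocked[ip] = now + self.timeout
        return block_commands(ip, self.rulenum)

    def expire(self, now):
        """Return delete commands for blocks whose timeout has passed, and forget them."""
        cmds = []
        for ip, expiry in list(self.blocked.items()):
            if now >= expiry:
                cmds.extend(unblock_commands(ip))
                del self.blocked[ip]
        return cmds


if __name__ == "__main__":
    blocker = AutoBlocker(enable_auto_ids="Y")
    for cmd in blocker.consider("203.0.113.9", danger_level=5, now=0):
        print(cmd)
    print(blocker.expire(now=3600))
```

The whitelist check runs before the threshold check on purpose: an entry of 0 in auto_dl must win even when a spoofed scan from that address would otherwise reach AUTO_IDS_DANGER_LEVEL, which is exactly the failure the ENABLE_AUTO_IDS text warns about.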
TCPWRAPPERS_BLOCK_METHOD
Instructs psad to block IP addresses with tcpwrappers (if
ENABLE_AUTO_IDS is set to "Y"). Blocking via tcpwrappers is less effective than
using iptables directly (see the IPTABLES_BLOCK_METHOD keyword above), so the
default value for TCPWRAPPERS_BLOCK_METHOD is "N".
TCPWRAPPERS_BLOCK_METHOD N;
WHOIS_TIMEOUT
Defines the timeout that psad will use when issuing whois lookups
against scanning IP addresses. The default is 60 seconds. Note that whois lookups
can be disabled altogether via the --no-whois command line argument.
WHOIS_TIMEOUT 60;
WHOIS_LOOKUP_THRESHOLD
Defines the number of times a scanning IP address can be seen
before an additional whois lookup will be issued. The motivation for this keyword
comes from the fact that IP to whois information mappings will not change very often.
The default value for WHOIS_LOOKUP_THRESHOLD is 20. Note that whois lookups
can be disabled altogether via the --no-whois command line argument.
WHOIS_LOOKUP_THRESHOLD 20;
DNS_LOOKUP_THRESHOLD
Defines the number of times a scanning IP address can be seen
before an additional reverse DNS lookup will be issued. The motivation for this
keyword comes from the fact that IP to host DNS mappings will not change very often.
The default value for DNS_LOOKUP_THRESHOLD is 20. Note that reverse DNS lookups
can be disabled altogether via the --no-rdns command line argument.
DNS_LOOKUP_THRESHOLD 20;
ENABLE_EXT_SCRIPT_EXEC
Instructs psad to execute an external script when a scan is
detected. This feature is disabled by default; use at your own risk!
ENABLE_EXT_SCRIPT_EXEC N;
EXTERNAL_SCRIPT
Provides a path to an external script or program that psad should
execute upon detecting a scan from an IP address. Note that the scan source IP can
be specified on the command line to the external program through the use of the
"SRCIP" string (along with some appropriate switch for the program). Of course
this is only useful if the external program knows what to do with this information.
This keyword is only used if ENABLE_EXT_SCRIPT_EXEC is set to "Y", and the default
value is "/bin/true".
EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXEC_EXT_SCRIPT_PER_ALERT
If set to "Y", instructs psad to execute the external script or
program every time an email alert is generated for a particular IP address (see the
EXTERNAL_SCRIPT keyword above). This keyword is only used if ENABLE_EXT_SCRIPT_EXEC
is set to "Y", and the default value is "N" (which would have psad run the external
script only once for each scanning IP address).
EXEC_EXT_SCRIPT_PER_ALERT N;
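An added example (not psad's own code) of how the three external-script keywords fit together: ENABLE_EXT_SCRIPT_EXEC gates the feature, EXTERNAL_SCRIPT is split into an argv with "SRCIP" replaced by the scanning address, and EXEC_EXT_SCRIPT_PER_ALERT chooses between running once per source (the default) and once per alert. The address is validated before substitution and the command is run without a shell, so nothing derived from a log line is ever interpreted as shell syntax. The runner is injectable so the logic can be exercised without executing anything; the default executes the argv with subprocess.

```python
import ipaddress
import shlex
import subprocess

DEFAULT_EXTERNAL_SCRIPT = "/bin/true"     # psad's default EXTERNAL_SCRIPT value


def build_argv(external_script, src_ip):
    """Split EXTERNAL_SCRIPT shell-style and substitute SRCIP in each argument.

    Validating the address first and substituting into an already split argv
    (which is then run without a shell) means the scan source can never be
    interpreted as shell syntax, whatever the log line contained.
    """
    src_ip = str(ipaddress.ip_address(src_ip))   # ValueError if not an address
    return [arg.replace("SRCIP", src_ip) for arg in shlex.split(external_script)]


class ExternalScriptRunner:
    """Models ENABLE_EXT_SCRIPT_EXEC, EXTERNAL_SCRIPT and EXEC_EXT_SCRIPT_PER_ALERT.

    'runner' receives the argv list; the default runs it without a shell.
    """

    def __init__(self, enable_ext_script_exec="N",
                 external_script=DEFAULT_EXTERNAL_SCRIPT,
                 exec_ext_script_per_alert="N",
                 runner=lambda argv: subprocess.run(argv, check=False)):
        self.enabled = enable_ext_script_exec == "Y"
        self.script = external_script
        self.per_alert = exec_ext_script_per_alert == "Y"
        self.runner = runner
        self.seen = set()     # sources the script has already run for

    def on_alert(self, src_ip):
        """Run the external script for an alert; return the argv used, or None."""
        if not self.enabled:
            return None
        if not self.per_alert and src_ip in self.seen:
            return None       # default "N": once per scanning IP address
        argv = build_argv(self.script, src_ip)
        self.seen.add(src_ip)
        self.runner(argv)
        return argv


if __name__ == "__main__":
    # Uses the default /bin/true, so running this does nothing beyond printing.
    runner = ExternalScriptRunner(enable_ext_script_exec="Y")
    print(runner.on_alert("203.0.113.9"))   # ['/bin/true']
    print(runner.on_alert("203.0.113.9"))   # None: already ran for this source
```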