cipherdyne.org

Michael Rash, Security Researcher



psad Syslog Configuration

The first thing to check if psad is not receiving any iptables log messages is to make sure that your iptables/ip6tables policy actually logs packets that are not associated with legitimate traffic. For example, if you are running a webserver, you probably don't want iptables to log web connections. There are some technicalities around state tracking and logging packets that aren't part of established connections, but that is a tangent. Basically you want a "default log and drop" policy for iptables/ip6tables, so that anything not explicitly accepted is logged and then dropped; psad will then see log messages for malicious traffic.

Once you have psad installed, you can do the following (as root) to test whether psad is able to see iptables log messages:
# iptables -I INPUT -i lo -p tcp --dport 3003 -j LOG --log-prefix "Inbound "
# telnet localhost 3003
Assuming that psad is running, this should generate in /var/log/messages something similar to:
Jun 15 23:37:33 netfilter kernel: Inbound IN=lo OUT=
MAC=00:13:d3:38:b6:e4:00:01:5c:22:9b:c2:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60
TOS=0x10 PREC=0x00 TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767
RES=0x00 SYN URGP=0
Also, executing "psad --Status" should display (among other things) something like:
Iptables prefix counters:
"Inbound": 1
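To see what psad does with those messages, here is an added example (not psad's own code) that parses iptables LOG lines from syslog into their fields and counts them by log prefix, the way the "Iptables prefix counters" line in psad --Status does. The sample log text is constructed; the first line is the page's "Inbound" message joined back onto one line, as the kernel actually emits it.

```python
import re
from collections import Counter

# Constructed sample syslog text. Line 1 is the page's "Inbound" message on a
# single line, line 2 is a made-up SYN to port 22 on eth0, line 3 is noise.
SAMPLE_LOG = """\
Jun 15 23:37:33 netfilter kernel: Inbound IN=lo OUT= MAC=00:13:d3:38:b6:e4:00:01:5c:22:9b:c2:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 15 23:37:34 netfilter kernel: Inbound IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:01:5c:22:9b:c2:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=5555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 15 23:37:35 netfilter kernel: some unrelated kernel message
"""

# An iptables LOG message is "kernel: " (optionally followed by a printk
# timestamp), then the --log-prefix text, then the IN=/OUT= fields that the
# LOG target always writes.
_LOG_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)\s*IN=(?P<rest>.*)$"
)


def parse_iptables_log_line(line):
    """Return a dict of fields from an iptables LOG line, or None if it is not one."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix").strip()}
    # Everything after the prefix is KEY=VALUE tokens plus bare flags
    # (DF, SYN, ACK, ...) which have no value; record those as True.
    for tok in ("IN=" + m.group("rest")).split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return fields


def prefix_counters(log_text):
    """Count LOG messages per --log-prefix, like 'Iptables prefix counters'."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_iptables_log_line(line)
        if fields is not None:
            counts[fields["prefix"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(prefix_counters(SAMPLE_LOG))  # {'Inbound': 2}
```

If the counter for your prefix stays at zero while the kernel line is present in the log, the mismatch is in the prefix text itself (trailing space included), which is what the --log-prefix test above checks.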