cipherdyne.org

Michael Rash, Security Researcher



psad: Intrusion Detection and Log Analysis with iptables

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.

Network diagram to illustrate the deployment of psad along with an iptables firewall psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap. When combined with fwsnort and the Netfilter string match extension, psad is capable of detecting many attacks described in the Snort rule set that involve application layer data. In addition, psad makes use of various packet header fields associated with TCP SYN packets to passively fingerprint remote operating systems (in a manner similar to p0f) from which scans originate. Further, psad can be integrated with Logstash, and also offers support for UFW firewalls [1]. For more information, see the complete list of features offered by psad.

Significant coverage of psad, including a full discussion of its iptables log analysis capabilities and the ability to interface with graphing software such as AfterGlow and Gnuplot, can be found in the book Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort. Several iptables log visualizations from Chapter 14 of the book are available online, and two such examples appear below. The first example is a link graph produced by AfterGlow of iptables log messages that are indicative of the Nachi Worm: AfterGlow graph of the Nachi Worm derived from psad parsing of iptables LOG messages For the second example, psad interfaces with Gnuplot to produce a graph of the number of TCP SYN packets to destination ports per hour. Clearly discernible is a spike on March 27th, and further analysis of the iptables log data indicates a heavy port scan is the cause: psad Gnuplot of TCP SYN packets per hour The data source for the two visualizations above is the iptables log data from the Scan30 Honeynet Challenge. The complete psad Honeynet challenge analysis pages can be found here: psad Honeynet challenge graphs

psad is developed around three main principles:
  • Good network security starts with a properly configured firewall.
  • A significant amount of intrusion detection data can be gleaned from firewalls logs, especially if the logs provide information on nearly every field of the network and transport headers (and even application layer signature matches as in Netfilter's case when also running fwsnort).
  • Suspicious traffic should not be detected at the expense of trying to also block such traffic.

History

psad began as part of the Bastille Linux project in the fall of 1999 after it was decided Bastille needed to have a lightweight network intrusion detection component, and the result was the "Bastille-NIDS". In March, 2001 Bastille-NIDS was made into its own project and called the "Port Scan Attack Detector" (psad). The development cycle for psad it quite active and a major release is made on average once every few months.

[1] Logstash and UFW integration are possible thanks to Rinck Sonnenberg.