psad.conf

Revision 2136, 21.2 kB (checked in by mbr, 10 months ago)

- Added a new feature whereby psad can acquire iptables log data just by
parsing an existing file (/var/log/messages by default) that is written
to by syslog. By default, psad acquires iptables log data from the
/var/log/psad/fwdata file which is written to by kmsgsd, but on some
systems, having syslog communicate log data to kmsgsd can be problematic
since syslog configs and external factors such as Apparmor and SELinux
can play a role here. This new feature is controled by two new
configuration variables "ENABLE_SYSLOG_FILE" (to enable/disable the
feature) and "IPT_SYSLOG_FILE" to specifiy the path to the file to
parse.
- Better installation support for various Linux distributions including
Fedora 8 and Ubuntu. The current runlevel is now acquired via the
"runlevel" command instead of attempting to read /etc/inittab (which
does not even exist on Ubuntu 7.10), and there are new command line
arguments --init-dir, --init-name, and --runlevel to allow the init
directory, init script name, and the runlevel to be manually specified
on the install.pl command line.
- Updated psad to automatically handle situations where the either the
/var/log/psad/fwdata file or the /var/log/messages file (whichever
syslog is writing iptables log messages to) gets rotated. The
filehandle is closed and reopened if the file shrinks or if the inode
changes. This strategy is borrowed from how the fwknop project deals
with the filesystem packet capture file.
- Updated install.pl to set the LC_ALL environmental variable to "C"
This should address some issues with installing psad on non-English
locale systems.
- Updated install.pl to be compatible with the rsyslog daemon, which is
commonly installed on Fedora 8 systems.

Property svn:eol-style set to native
Property svn:keywords set to Author Date Id Revision

Line
1	#
2	##############################################################################
3	#
4	# This is the configuration file for psad (the Port Scan Attack Detector).
5	# Normally this file gets installed at /etc/psad/psad.conf, but can be put
6	# anywhere in the filesystem and then the path can be specified on the
7	# command line argument "-c <file>" to psad. All three psad daemons (psad,
8	# kmsgsd, and psadwatchd) reference this config file.
9	#
10	# Each line has the form "<variable name> <value>;". Note the semi-
11	# colon after the <value>. All characters after the semicolon will be
12	# ignored to provide space for comments.
13	#
14	##############################################################################
15	#
16	# $Id$
17	#
18
19	### Supports multiple email addresses (as a comma separated
20	### list).
21	EMAIL_ADDRESSES root@localhost;
22
23	### Machine hostname
24	HOSTNAME _CHANGEME_;
25
26	### Specify the home and external networks. Note that by default the
27	### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
28	### all of the directly connected subnets and uses this information as
29	#@@ the HOME_NET variable.
30	HOME_NET any;
31	EXTERNAL_NET any;
32
33	### The FW_SEARCH_ALL variable controls has psad will parse iptables
34	### messages. If it is set to "Y" then psad will parse all iptables
35	### messages for evidence of scan activity. If it is set to "N" then
36	### psad will only parse those iptables messages that contain logging
37	### prefixes specified by the FW_MSG_SEARCH variable below. Logging
38	### prefixes are set with the --log-prefix command line option to iptables.
39	### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze
40	### iptables messages that are logged out of a specific iptables chain
41	### (multiple strings can be searched for, see the comment above the
42	### FW_MSG_SEARCH variable below) or a specific logging rule for example.
43	### FW_SEARCH_ALL is set to "Y" by default since usually people want psad
44	### to parse all iptables messages.
45	FW_SEARCH_ALL Y;
46
47	### The FW_MSG_SEARCH variable can be modified to look for logging messages
48	### that are specific to your firewall configuration (specified by the
49	### "--log-prefix" option. For example, if your firewall uses the
50	### string "Audit" for packets that have been blocked, then you could
51	### set FW_MSG_SEARCH to "Audit"; The default string to search for is
52	### "DROP". Both psad and kmsgsd reference this file. NOTE: You can
53	### specify this variable multiple times to have psad search for multiple
54	### strings. For example to have psad search for the strings "Audit" and
55	### "Reject", you would use the following two lines:
56	#FW_MSG_SEARCH Audit;
57	#FW_MSG_SEARCH REJECT;
58	FW_MSG_SEARCH DROP;
59
60	### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
61	### variable accepts four possible values: syslogd, syslog-ng, ulogd,
62	### or metalog.
63	SYSLOG_DAEMON syslogd;
64
65	### Danger levels. These represent the total number of
66	### packets required for a scan to reach each danger level.
67	### A scan may also reach a danger level if the scan trips
68	### a signature or if the scanning ip is listed in
69	### auto_ips so a danger level is automatically
70	### assigned.
71	DANGER_LEVEL1 5; ### Number of packets.
72	DANGER_LEVEL2 15;
73	DANGER_LEVEL3 150;
74	DANGER_LEVEL4 1500;
75	DANGER_LEVEL5 10000;
76
77	### Set the interval (in seconds) psad will use to sleep before
78	### checking for new iptables log messages
79	CHECK_INTERVAL 5;
80
81	### Search for snort "sid" values generated by fwsnort
82	### or snort2iptables
83	SNORT_SID_STR SID;
84
85	### Set the minimum range of ports that must be scanned before
86	### psad will send an alert. The default is 1 so that at
87	### least two port must be scanned (p2-p1 >= 1). This can be set
88	### to 0 if you want psad to be extra paranoid, or 30000 if not.
89	PORT_RANGE_SCAN_THRESHOLD 1;
90
91	### If "Y", means that scans will never timeout. This is useful
92	### for catching scans that take place over long periods of time
93	### where the attacker is trying to slip beneath the IDS thresholds.
94	ENABLE_PERSISTENCE Y;
95
96	### This is used only if ENABLE_PERSISTENCE = "N";
97	SCAN_TIMEOUT 3600; ### seconds
98
99	### If "Y", means all signatures will be shown since
100	### the scan started instead of just the current ones.
101	SHOW_ALL_SIGNATURES N;
102
103	### Allow reporting methods to be enabled/restricted. This keyword can
104	### accept values of "nosyslog" (don't write any messages to syslog),
105	### "noemail" (don't send any email messages), or "ALL" (to generate both
106	### syslog and email messages). "ALL" is the default. Both "nosyslog"
107	### and "noemail" can be combined with a comma to disable all logging
108	### and alerting.
109	ALERTING_METHODS ALL;
110
111	### By default, psad acquires iptables log data from the /var/log/psad/fwdata
112	### file which is written to by kmsgsd. However, psad can just read an
113	### existing file that syslog writes iptables log data to (commonly
114	### /var/log/messages). On some systems, having syslog communicate log data
115	### to kmsgsd can be problematic (syslog configs and external factors such
116	### as Apparmor and SELinux can play a role here), so using this feature can
117	### simplify a psad deployment.
118	ENABLE_SYSLOG_FILE N;
119	IPT_WRITE_FWDATA N;
120	IPT_SYSLOG_FILE /var/log/messages;
121
122	### When enabled, this instructs psad to write the "msg" field
123	### associated with Snort rule matches to syslog.
124	ENABLE_SIG_MSG_SYSLOG Y;
125	SIG_MSG_SYSLOG_THRESHOLD 10;
126	SIG_SID_SYSLOG_THRESHOLD 10;
127
128	### TTL values are decremented depending on the number of hops
129	### the packet has taken before it hits the firewall. We will
130	### assume packets will not jump through more than 20 hops on
131	### average.
132	MAX_HOPS 20;
133
134	### Do not include any timestamp included within kernel logging
135	### messages (Ubuntu systems commonly have this)
136	IGNORE_KERNEL_TIMESTAMP Y;
137
138	### FIXME: try to mitigate the affects of the iptables connection
139	### tracking bug by ignoring tcp packets that have the ack bit set.
140	### Read the "BUGS" section of the psad man page. Note that
141	### if a packet matches a snort SID generated by fwsnort (see
142	### http://www.cipherdyne.org/fwsnort/)
143	### then psad will see it even if the ack bit is set. See the
144	### SNORT_SID_STR variable.
145	IGNORE_CONNTRACK_BUG_PKTS Y;
146
147	### define a set of ports to ignore (this is useful particularly
148	### for port knocking applications since the knock sequence will
149	### look to psad like a scan). This variable may be defined as
150	### a comma-separated list of port numbers or port ranges and
151	### corresponding protocol, For example, to have psad ignore all
152	### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
153	### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
154	IGNORE_PORTS NONE;
155
156	### allow entire protocols to be ignored. This keyword can accept
157	### a comma separated list of protocols. Each protocol must match
158	### the protocol that is specified in a Netfilter log message (case
159	### insensitively, so both "TCP" or "tcp" is ok).
160	### IGNORE_PROTOCOL tcp,udp;
161	IGNORE_PROTOCOLS NONE;
162
163	### allow packets to be ignored based on interface (this is the
164	### "IN" interface in Nefilter logging messages).
165	IGNORE_INTERFACES NONE;
166
167	### Ignore these specific logging prefixes
168	IGNORE_LOG_PREFIXES NONE;
169
170	### Minimum danger level a scan must reach before any logging or
171	### alerting is done. The EMAIL_ALERT_DANGER_LEVEL variable below
172	### only refers to email alerts; the MIN_DANGER_LEVEL variable
173	### applies to everything from email alerts to whether or not the
174	### IP directory is created within /var/log/psad/. Hence
175	### MIN_DANGER_LEVEL should be set less than or equal to the value
176	### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
177	MIN_DANGER_LEVEL 1;
178
179	### Only send email alert if danger level >= to this value.
180	EMAIL_ALERT_DANGER_LEVEL 1;
181
182	### Treat all subnets on local interfaces as part of HOME_NET (this
183	### means that these networks do not have to be manually defined)
184	ENABLE_INTF_LOCAL_NETS Y;
185
186	### Include MAC addresses in email alert
187	ENABLE_MAC_ADDR_REPORTING N;
188
189	### Look for the Netfilter logging rule (fwcheck_psad is executed)
190	ENABLE_FW_LOGGING_CHECK Y;
191
192	### Send no more than this number of emails for a single
193	### scanning source IP. Note that enabling this feature may cause
194	### alerts for real attacks to not be generated if an attack is sent
195	### after the email threshold has been reached for an IP address.
196	### This is why the default is set to "0".
197	EMAIL_LIMIT 0;
198
199	### By default, psad maintains a counter for each scanning source address,
200	### but by enabling this variable psad will maintain email counters for
201	### each victim address that is scanned as well.
202	ENABLE_EMAIL_LIMIT_PER_DST N;
203
204	### If "Y", send a status email message when an IP has reached the
205	### EMAIL_LIMIT threshold.
206	EMAIL_LIMIT_STATUS_MSG Y;
207
208	### If "Y", send email for all newly logged packets from the same
209	### source ip instead of just when a danger level increases.
210	ALERT_ALL Y;
211
212	### If "Y", then psad will import old scan source ip directories
213	### as current scans instead of moving the directories into the
214	### archive directory.
215	IMPORT_OLD_SCANS N;
216
217	### syslog facility and priority (the defaults are usually ok)
218	### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
219	### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
220	### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
221	SYSLOG_IDENTITY psad;
222	SYSLOG_FACILITY LOG_LOCAL7;
223	SYSLOG_PRIORITY LOG_INFO;
224
225	### Port thresholds for logging and -S and -A output.
226	TOP_PORTS_LOG_THRESHOLD 500;
227	STATUS_PORTS_THRESHOLD 20;
228
229	### Signature thresholds for logging and -S and -A output.
230	TOP_SIGS_LOG_THRESHOLD 500;
231	STATUS_SIGS_THRESHOLD 50;
232
233	### Attackers thresholds for logging and -S and -A output.
234	TOP_IP_LOG_THRESHOLD 500;
235	STATUS_IP_THRESHOLD 25;
236
237	### Specify how often to log the TOP_* information (i.e. how many
238	### CHECK_INTERVAL iterations before the data is logged again).
239	TOP_SCANS_CTR_THRESHOLD 1;
240
241	### Send scan logs to dshield.org. This is disabled by default,
242	### but is a good idea to enable it (subject to your site security
243	### policy) since the DShield service helps to track the bad guys.
244	### For more information visit http://www.dshield.org
245	ENABLE_DSHIELD_ALERTS N;
246
247	### dshield.org alert email address; this should not be changed
248	### unless the guys at DShield have changed it.
249	DSHIELD_ALERT_EMAIL reports@dshield.org;
250
251	### Time interval (hours) to send email alerts to dshield.org.
252	### The default is 6 hours, and cannot be less than 1 hour or
253	### more than 24 hours.
254	DSHIELD_ALERT_INTERVAL 6; ### hours
255
256	### If you have a DShield user id you can set it here. The
257	### default is "0".
258	DSHIELD_USER_ID 0;
259
260	### If you want the outbound DShield email to appear as though it
261	### is coming from a particular user address then set it here.
262	DSHIELD_USER_EMAIL NONE;
263
264	### Threshold danger level for DShield data; a scan must reach this
265	### danger level before associated packets will be included in an
266	### alert to DShield. Note that zero is the default since this
267	### will allow DShield to apply its own logic to determine what
268	### constitutes a scan (_all_ iptables log messages will be included
269	### in DShield email alerts).
270	DSHIELD_DL_THRESHOLD 0;
271
272	### List of servers. Fwsnort supports the same variable resolution as
273	#### Snort.
274	HTTP_SERVERS $HOME_NET;
275	SMTP_SERVERS $HOME_NET;
276	DNS_SERVERS $HOME_NET;
277	SQL_SERVERS $HOME_NET;
278	TELNET_SERVERS $HOME_NET;
279
280	#### AOL AIM server nets
281	AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
282
283	### Configurable port numbers
284	HTTP_PORTS 80;
285	SHELLCODE_PORTS !80;
286	ORACLE_PORTS 1521;
287
288	### If this is enabled, then psad will die if a rule in the
289	### /etc/psad/signatures file contains an unsupported option (otherwise
290	### a syslog warning will be generated).
291	ENABLE_SNORT_SIG_STRICT Y;
292
293	### If "Y", enable automated IDS response (auto manages
294	### firewall rulesets).
295	ENABLE_AUTO_IDS N;
296
297	### Block all traffic from offending IP if danger
298	### level >= to this value
299	AUTO_IDS_DANGER_LEVEL 5;
300
301	### Set the auto-blocked timeout in seconds (the default
302	### is one hour).
303	AUTO_BLOCK_TIMEOUT 3600;
304
305	### Enable regex checking on log prefixes for active response
306	ENABLE_AUTO_IDS_REGEX N;
307
308	### Only block if the Netfilter log message matches the following regex
309	AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
310
311	### Control whether "renew" auto-block emails get sent. This is disabled
312	### by default because lots of IPs could have been blocked, and psad
313	### should not generate a renew email for each of them.
314	ENABLE_RENEW_BLOCK_EMAILS N;
315
316	### By setting this variable to N, all auto-blocking emails can be
317	### suppressed.
318	ENABLE_AUTO_IDS_EMAILS Y;
319
320	### Enable iptables blocking (only gets enabled if
321	### ENABLE_AUTO_IDS is also set)
322	IPTABLES_BLOCK_METHOD Y;
323
324	### Specify chain names to which iptables blocking rules will be
325	### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
326	### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
327	### to add an additional IPT_AUTO_CHAIN requirement. The format for this
328	### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
329	### <To_chain>,<Rule_position>.
330	### "Target": Can be any legitimate Netfilter target, but should usually
331	### just be "DROP".
332	### "Direction": Can be "src", "dst", or "both", which correspond to the
333	### INPUT, OUTPUT, and FORWARD chains.
334	### "Table": Can be any Netfilter table, but the default is "filter".
335	### "From_chain": Is the chain from which packets will be jumped.
336	### "Jump_rule_position": Defines the position within the From_chain where
337	### the jump rule is added.
338	### "To_chain": Is the chain to which packets will be jumped. This is the
339	### main chain where psad rules are added.
340	### "Rule_position": Defines the position where rule are added within the
341	### To_chain.
342	###
343	### The following defaults make sense for most installations, but note
344	### it is possible to include blocking rules in, say, the "nat" table
345	### using this functionality as well. The following three lines provide
346	### usage examples:
347	#IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
348	#IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
349	#IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
350	IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
351	IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
352	IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
353
354	### Flush all existing rules in the psad chains at psad start time.
355	FLUSH_IPT_AT_INIT Y;
356
357	### Prerequisite check for existence of psad chains and jump rules
358	IPTABLES_PREREQ_CHECK 1;
359
360	### Enable tcp wrappers blocking (only gets enabled if
361	### ENABLE_AUTO_IDS is also set)
362	TCPWRAPPERS_BLOCK_METHOD N;
363
364	### Set the whois timeout
365	WHOIS_TIMEOUT 60; ### seconds
366
367	### Set the number of times an ip can be seen before another whois
368	### lookup is issued.
369	WHOIS_LOOKUP_THRESHOLD 20;
370
371	### Set the number of times an ip can be seen before another dns
372	### lookup is issued.
373	DNS_LOOKUP_THRESHOLD 20;
374
375	### Enable psad to run an external script or program (use at your
376	### own risk!)
377	ENABLE_EXT_SCRIPT_EXEC N;
378
379	### Define an external program to run after a scan is caught.
380	### Note that the scan source ip can be specified on the command
381	### line to the external program through the use of the "SRCIP"
382	### string (along with some appropriate switch for the program).
383	### Of course this is only useful if the external program knows
384	### what to do with this information.
385	### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
386	EXTERNAL_SCRIPT /bin/true;
387
388	### Control execution of EXTERNAL_SCRIPT (only once per IP, or
389	### every time a scan is detected for an ip).
390	EXEC_EXT_SCRIPT_PER_ALERT N;
391
392	### Disk usage variables
393	DISK_CHECK_INTERVAL 300; ### seconds
394
395	### This can be set to 0 to disable disk checking altogether
396	DISK_MAX_PERCENTAGE 95;
397
398	### This can be set to 0 to have psad not place any limit on the
399	### number of times it will attempt to remove data from
400	### /var/log/psad/.
401	DISK_MAX_RM_RETRIES 10;
402
403	### Enable archiving of old scan directories at psad startup.
404	ENABLE_SCAN_ARCHIVE N;
405
406	### Truncate fwdata file at startup
407	TRUNCATE_FWDATA Y;
408
409	### Only archive scanning IP directories that have reached a danger
410	### level greater than or equal to this value. Archiving old
411	### scanning ip directories only takes place at psad startup.
412	MIN_ARCHIVE_DANGER_LEVEL 1;
413
414	### Email subject line config. Change these prefixes if you want
415	### psad to generate email alerts that say something other than
416	### the following.
417	MAIL_ALERT_PREFIX [psad-alert];
418	MAIL_STATUS_PREFIX [psad-status];
419	MAIL_ERROR_PREFIX [psad-error];
420	MAIL_FATAL_PREFIX [psad-fatal];
421
422	### URL for getting the latest psad signatures
423	SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
424
425	### These next two are psadwatchd vars
426	PSADWATCHD_CHECK_INTERVAL 5; ### seconds
427	PSADWATCHD_MAX_RETRIES 10;
428
429	### Directories
430	PSAD_DIR /var/log/psad;
431	PSAD_RUN_DIR /var/run/psad;
432	PSAD_FIFO_DIR /var/lib/psad;
433	PSAD_LIBS_DIR /usr/lib/psad;
434	PSAD_CONF_DIR /etc/psad;
435	PSAD_ERR_DIR $PSAD_DIR/errs;
436	CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
437	SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
438	ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
439	SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
440
441	### Files
442	FW_DATA_FILE $PSAD_DIR/fwdata;
443	ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
444	FW_CHECK_FILE $PSAD_DIR/fw_check;
445	DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
446	SIGS_FILE $PSAD_CONF_DIR/signatures;
447	ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
448	AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
449	SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
450	POSF_FILE $PSAD_CONF_DIR/posf;
451	P0F_FILE $PSAD_CONF_DIR/pf.os;
452	IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
453	PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
454	ETC_HOSTS_DENY_FILE /etc/hosts.deny;
455	ETC_SYSLOG_CONF /etc/syslog.conf;
456	ETC_RSYSLOG_CONF /etc/rsyslog.conf;
457	ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
458	ETC_METALOG_CONF /etc/metalog/metalog.conf;
459	STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
460	ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
461	INSTALL_LOG_FILE $PSAD_DIR/install.log;
462
463	### PID files
464	PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
465	PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
466	KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
467	PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
468
469	### List of ips that have been auto blocked by iptables
470	### or tcpwrappers (the auto blocking feature is disabled by
471	### default, see the psad man page and the ENABLE_AUTO_IDS
472	### variable).
473	AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
474	AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
475
476	### File used internally by psad to add Netfilter blocking
477	### rules to a running psad process
478	AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
479
480	FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
481	PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
482
483	### /proc interface for controlling ip forwarding
484	PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
485
486	### Packet counters for tcp, udp, and icmp protocols
487	PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
488
489	### Top scanned ports
490	TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
491
492	### Top signature matches
493	TOP_SIGS_FILE $PSAD_DIR/top_sigs;
494
495	### Top attackers
496	TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
497
498	### Counter file for Dshield alerts
499	DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
500
501	### Counter file for iptables prefixes
502	IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
503
504	### iptables command output and error collection files; these are
505	### used by IPTables::ChainMgr
506	IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
507	IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;
508
509	### system binaries
510	iptablesCmd /sbin/iptables;
511	shCmd /bin/sh;
512	wgetCmd /usr/bin/wget;
513	gzipCmd /bin/gzip;
514	mknodCmd /bin/mknod;
515	psCmd /bin/ps;
516	mailCmd /bin/mail;
517	sendmailCmd /usr/sbin/sendmail;
518	ifconfigCmd /sbin/ifconfig;
519	killallCmd /usr/bin/killall;
520	netstatCmd /bin/netstat;
521	unameCmd /bin/uname;
522	whoisCmd /usr/bin/whois_psad;
523	dfCmd /bin/df;
524	fwcheck_psadCmd /usr/sbin/fwcheck_psad;
525	psadwatchdCmd /usr/sbin/psadwatchd;
526	kmsgsdCmd /usr/sbin/kmsgsd;
527	psadCmd /usr/sbin/psad;

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format