Changeset 2238

Timestamp:

08/29/08 00:09:32 (3 months ago)

Author:

mbr

Message:

dash fixes from Franck

Files:

• psad/trunk/CREDITS (modified) (1 diff)
• psad/trunk/psad.8 (modified) (23 diffs)

psad/trunk/CREDITS

@@ -390 +390 @@
-    - Suggested moving dependencies into the deps/ directory to build a common
-      architecture for bundling the cipherdyne.org projects for Debian.
+    - Submitted patches for documentation fixes in various psad man pages.
-
-Erik Heidt

psad/trunk/psad.8

@@ -74 +74 @@
-.B /var/log/psad/fwdata
-is parsed for old scans, but any file can be specified through the use
--
+\-\
-to point psad at your
-.B /var/log/messages
@@ -139 +139 @@
-.BR \-m "\fR,\fP " \-\^\-messages-file\ \<file>
-This option is used to specify the file that will be parsed in analysis
--
+\-\
-data file
-.B /var/log/psad/fwdata.
@@ -187 +187 @@
-.BR \-B ", " \-\^\-Benchmark
-Run psad in benchmark mode.  By default benchmark mode will simulate
--
+\-\
-the elapsed time.  This is useful to see how fast psad can process
-packets on a specific machine.
@@ -209 +209 @@
-can be made to
-override this path by specifying a different file on the command
--
+\-\
-.TP
-.BR \-\^\-signatures\ \<signatures-file>
@@ -223 +223 @@
-system.  New signatures can be included and modifications to existing
-signatures can be made to the signature file and psad will import
--
+\-\
-option) without having to restart the psad process.
-.B psad
@@ -230 +230 @@
-.TP
-.BR \-e ", " \-\^\-email-analysis
--
--
+\-\
+\-\
-of psad by quite a bit since normally both DNS and whois lookups will be issued
-against each scanning IP address.  As usual these lookups can be disabled with
---no-rdns and -
+\-\-no-rdns and \-\
-.TP
-.BR \-w ", " \-\^\-whois-analysis
-By default
-.B psad
--
--
+\-\
+\-\
-and instruct psad to issue whois lookups against IP addresses from which scans
-or other suspect traffic has originated.
@@ -281 +281 @@
-can be made to
-override this path by specifying a different file on the command
--
+\-\
-.TP
-.BR \-\^\-fw-list-auto
@@ -296 +296 @@
-.B psad
-will not delete the auto-generated iptables chains (see the IPT_AUTO_CHAIN
---Flush option is given.  The -
+\-\-Flush option is given.  The \-\
-option overrides this behavior and deletes the auto-blocking chains from a
-running iptables firewall.
@@ -306 +306 @@
-system.  All IP addresses are removed from the resulting output, so it is
-safe to post to the psad list, or communicate to others.  This option is
--
+\-\
-.TP
-.BR \-\^\-fw-block-ip\ \<ip>
@@ -375 +375 @@
-a .gnu file by convention).  Normally
-.B psad builds all of the graphing directives based on various --gnuplot
--
+\-\
-override this behavior.
-.TP
@@ -454 +454 @@
-will write these message to
-.B /var/log/psad/errs/fwerrorlog
--
+\-\
-all such erroneous firewall messages.
-.TP
-.BR \-\^\-no-whois
-By default psad will issue a whois query against any IP from which
--
+\-\
-command line argument.
-.TP
@@ -467 +467 @@
-whether or not the firewall has a compatible configuration (i.e.
-iptables has been configured to log packets).  Passing the
---no-fwcheck or -
+\-\-no-fwcheck or \-\
-.TP
-.BR \-\^\-no-auto-dl
@@ -492 +492 @@
-By default psad will attempt to passively (i.e. without sending
-any packets) fingerprint the remote operating system from which
--
+\-\
-disable this feature.
-.TP
@@ -499 +499 @@
-normally attempts to find the name associated with a
-scanning IP address, but this feature can be disabled with
--
+\-\
-.TP
-.BR \-\^\-no-kmsgsd
@@ -511 +511 @@
-By default for iptables firewalls psad will determine whether
-or not your machine is listening on a port for which a TCP
--
+\-\
-disables this feature.
-.TP
@@ -531 +531 @@
-employ to parse iptables messages.  Using configuration directive within
-this file, psad can be configured to parse all iptables messages or only
--
+\-\
-to iptables).
-.RE
@@ -553 +553 @@
-.B /etc/psad/snort_rules/*.rules
-.RS
--
+\-\
-commmand line argument is given.
-.RE
@@ -623 +623 @@
-scan activity.  However, if FW_SEARCH_ALL is set to "N", psad
-will only parse those iptables log messages that match certain search
--
+\-\
-useful for restricting psad to only operate on specific iptables chains or
-rules.  The strings that will be searched for are defined with the FW_MSG_SEARCH
@@ -635 +635 @@
-uses to identify iptables messages that should be parsed for scan activity.
-These search strings should match the log prefix strings specified
--
+\-\
-for FW_MSG_SEARCH is "DROP".  Note that
-.B psad
@@ -796 +796 @@
-to analyzing the
-.B /var/log/messages
-
+\
-.PP
-.B # psad -A -m <iptables logfile>
@@ -836 +836 @@
-allowed should be blocked by the firewall ruleset.  By default, psad attempts
-to determine whether or not the firewall has been configured in this way.  This
---no-fwcheck or -
--
+\-\-no-fwcheck or \-\
+\-\
-that is separate from the firewall.  For more information on compatible iptables
-rulesets, see the
@@ -853 +853 @@
-this file.
-.SH DIAGNOSTICS
--
+\-\
-about the psad data structures on STDOUT as a scan generates firewall
--
+\-\
-.PP
-Another more effective way to peer into the runtime execution of psad
@@ -886 +886 @@
-always welcome as well.
-.PP
--
+
-module is loaded (or compiled into the kernel) and the firewall has been
-configured to keep state of connections, occasionally packets that are supposed