cipherdyne.org

Michael Rash, Security Researcher



psad Configuration Variables


Syntax

Configuration variables in the psad configuration files (/etc/psad/psad.conf, /etc/psad/fw_search.conf, /etc/psad/kmsgsd.conf, and /etc/psad/psadwatchd.conf) follow a simple key/value scheme. For example, the WHOIS_TIMEOUT keyword is defined as follows in /etc/psad/psad.conf:
WHOIS_TIMEOUT                       60;
Note that the value associated with each key is terminated by a semicolon. All lines that begin with a "#" are treated as comments. A comment may also be included on a line that contains a keyword as long as it appears after the ending semicolon and is preceded by a "#". E.g.:
WHOIS_TIMEOUT                       60;    ### Seconds
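A small parser for the key/value syntax just described, added here as an illustration (it is not part of psad, which has its own config loader): it skips "#" comment lines, requires the terminating semicolon, strips a trailing comment, and splits comma separated values. The sample config text is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed excerpt in psad key/value syntax (not a real /etc/psad/psad.conf).
SAMPLE_CONF = """\
### psad.conf excerpt, constructed for this example
EMAIL_ADDRESSES                     you@domain1.com, you@domain2.com;
HOME_NET                            192.168.10.4/24;   ### CIDR notation
WHOIS_TIMEOUT                       60;    ### Seconds
IGNORE_PORTS                        tcp/61000-61356, udp/53, udp/5000;
ENABLE_AUTO_IDS                     N;
"""

# KEY, whitespace, value up to the first ';', then an optional '#...' comment.
_LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s+(.*?);\s*(?:#.*)?$")

def parse_psad_conf(text: str) -> Dict[str, str]:
    """Parse 'KEY  value;  ### comment' lines into a dict of raw string values.
    Comment-only and blank lines are skipped; a keyword line that lacks the
    terminating semicolon is rejected rather than silently accepted."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'KEY value;' but got {raw!r}")
        conf[m.group(1)] = m.group(2).strip()
    return conf

def split_list(value: str) -> List[str]:
    """Split a comma separated value (EMAIL_ADDRESSES, HOME_NET, IGNORE_PORTS)."""
    return [v.strip() for v in value.split(",") if v.strip()]
```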

Configuration Variables

The following keywords and associated defaults are defined by psad. All keywords are defined in /etc/psad/psad.conf unless otherwise noted. An example is given for each keyword in the text below.


EMAIL_ADDRESSES

EMAIL_ADDRESSES defines the email address to which psad should send scan alerts and status emails. Multiple email addresses are supported as a comma separated list. The default value is "root@localhost", but the psad installer prompts the user to change this at install time.
EMAIL_ADDRESSES                     you@domain1.com, you@domain2.com;

HOME_NET

HOME_NET specifies the home network. This variable is used to identify traffic that matches snort rules in the iptables FORWARD chain. Traffic that is directed to, or originates from, the firewall itself (i.e. in the INPUT or OUTPUT chains respectively) is treated as traffic to or from the HOME_NET by default, and hence even if the HOME_NET variable is not defined, psad will still be able to detect matching scans. A syslog and email warning message will be generated if this variable is not defined. Normally the network(s) specified here should directly match networks on the local machine. Multiple networks are supported as a comma separated list. The network(s) should be specified in CIDR notation. NOTE: The HOME_NET variable is not used if there is only one network interface on the system (i.e. no traffic will be logged via iptables through the FORWARD chain). If there is only one network interface on the box, then just set this variable to "NOT_USED".
HOME_NET                            192.168.10.4/24;

SYSLOG_DAEMON

SYSLOG_DAEMON sets the type of syslog daemon that is used. Psad supports three different syslog daemons: syslogd, syslog-ng, and metalog. One of these may be specified as an argument to the SYSLOG_DAEMON keyword. The default is "syslogd".
SYSLOG_DAEMON                       syslogd;

DANGER_LEVEL{n}

DANGER_LEVEL{1,2,3,4,5} sets the number of packets that must be seen in order to reach each danger level. Psad supports five danger levels, with 1 being the least severe and 5 being the most severe. Scans are assigned a danger level based upon the thresholds defined by the DANGER_LEVEL{1,2,3,4,5} variables. Scans may also be assigned a danger level if a specific signature is matched (see: /etc/psad/signatures) or if the IP address from which the scan originates is automatically assigned a danger level (see: /etc/psad/auto_dl). The default values for the DANGER_LEVEL variables appear in the example below:
DANGER_LEVEL1                       5;
DANGER_LEVEL2                       15;
DANGER_LEVEL3                       150;
DANGER_LEVEL4                       1500;
DANGER_LEVEL5                       10000;

PSAD_CHECK_INTERVAL

PSAD_CHECK_INTERVAL sets the number of seconds psad sleeps before checking for new iptables log messages. The default is 5 seconds.
PSAD_CHECK_INTERVAL                 5;

SNORT_SID_STR

SNORT_SID_STR instructs psad to look for snort "sid" values generated by fwsnort or snort2iptables in iptables logging prefixes. The default is "SID" since fwsnort generates iptables logs that contain strings such as "SID940".
SNORT_SID_STR                       SID;

PORT_RANGE_SCAN_THRESHOLD

PORT_RANGE_SCAN_THRESHOLD defines the minimum range of ports that must be scanned before an email alert will be generated. For example, setting PORT_RANGE_SCAN_THRESHOLD to 1 would require that at least two different ports must be scanned before an alert is sent (i.e. an alert will not be generated if multiple scan packets are sent against the same port). Setting PORT_RANGE_SCAN_THRESHOLD to 0 is the most verbose setting and will cause psad to send alerts for any scan that involves at least the number of packets specified by DANGER_LEVEL1, even if such a scan only involves a single port. The default value for PORT_RANGE_SCAN_THRESHOLD is 1.
PORT_RANGE_SCAN_THRESHOLD           1;

ENABLE_PERSISTENCE

ENABLE_PERSISTENCE controls whether or not psad will allow scans to time out. The default value is "Y", which means that scans will never time out. This is useful for catching scans that take place over long periods of time where the attacker is trying to slip beneath the IDS detection thresholds.
ENABLE_PERSISTENCE                  Y;

SCAN_TIMEOUT

Defines the number of seconds psad will use to time out scans (or other suspect traffic) associated with individual IP addresses. The default value is 3600 seconds (one hour). Note that SCAN_TIMEOUT is only used if ENABLE_PERSISTENCE is set to "N".
SCAN_TIMEOUT                        3600;

SHOW_ALL_SIGNATURES

If set to "Y", instructs psad to include all scan signatures associated with an IP address in every new email alert for the IP. Note that this may result in long email alerts if an IP is persistently hitting your site with suspicious traffic over a long period of time. SHOW_ALL_SIGNATURES is set to "N" by default, and hence psad will only display alert information associated with new signatures.
SHOW_ALL_SIGNATURES                 N;

IGNORE_CONNTRACK_BUG_PKTS

Instructs psad to ignore TCP packets that have the ACK bit set. The reason for this stems from the fact that the TCP connection tracking code in the Linux kernel sets an inappropriately short timeout for acknowledgement packets associated with TCP sessions that have entered the CLOSE_WAIT state. Note that TCP packets that trip application level inspection signatures as detected by fwsnort will still be alerted upon by psad, since fwsnort generates iptables logging prefixes such as "SID940" which are parsed first by psad. The default value for IGNORE_CONNTRACK_BUG_PKTS is "Y".
IGNORE_CONNTRACK_BUG_PKTS            Y;

IGNORE_PORTS

Defines a set of TCP and/or UDP ports that psad should ignore even if suspicious traffic is logged over these ports. Both port ranges and individual TCP and UDP ports can be specified. This keyword adds a degree of configurability to psad in an effort to compensate for an iptables policy that may not be ideally configured (i.e. generating logs for traffic it shouldn't), or for applications such as port knocking schemes (see: fwknop) that generate traffic that is essentially indistinguishable from port scans. The default value for IGNORE_PORTS is "NONE".
IGNORE_PORTS                        tcp/61000-61356, udp/53, udp/5000;

EMAIL_ALERT_DANGER_LEVEL

Defines the minimum danger level a scan must reach before an email alert will be generated by psad. The default value for EMAIL_ALERT_DANGER_LEVEL is "1".
EMAIL_ALERT_DANGER_LEVEL            1;
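The interaction between the DANGER_LEVEL{n} thresholds, PORT_RANGE_SCAN_THRESHOLD, IGNORE_PORTS and EMAIL_ALERT_DANGER_LEVEL described above, worked as an added example (this is a simplified model written for this page, not psad's own alerting code): packets on ignored ports are dropped first, the remaining packet count sets the danger level, and the "port range" is taken as the span between the lowest and highest remaining port. The config values are the documented defaults plus the IGNORE_PORTS example value.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed config: documented defaults for the danger-level, port-range and
# email-alert thresholds, plus the IGNORE_PORTS example value (not a real psad.conf).
CONF = {
    "DANGER_LEVEL1": 5, "DANGER_LEVEL2": 15, "DANGER_LEVEL3": 150,
    "DANGER_LEVEL4": 1500, "DANGER_LEVEL5": 10000,
    "PORT_RANGE_SCAN_THRESHOLD": 1,
    "EMAIL_ALERT_DANGER_LEVEL": 1,
    "IGNORE_PORTS": "tcp/61000-61356, udp/53, udp/5000",
}

def parse_ignore_ports(spec: str) -> List[Tuple[str, int, int]]:
    """Turn 'tcp/61000-61356, udp/53' into (proto, low, high) triples; 'NONE' -> []."""
    if spec.strip().upper() == "NONE":
        return []
    ranges = []
    for item in spec.split(","):
        proto, ports = item.strip().lower().split("/")
        low, _, high = ports.partition("-")          # single port: high == ""
        ranges.append((proto, int(low), int(high or low)))
    return ranges

def is_ignored(proto: str, port: int, ranges: List[Tuple[str, int, int]]) -> bool:
    """True if the packet's protocol/port falls inside any IGNORE_PORTS entry."""
    return any(p == proto.lower() and lo <= port <= hi for p, lo, hi in ranges)

def danger_level(pkt_count: int, conf: Dict) -> int:
    """Highest DANGER_LEVELn whose packet threshold pkt_count has reached (0 if none)."""
    return max((n for n in range(1, 6) if pkt_count >= conf[f"DANGER_LEVEL{n}"]), default=0)

def should_email(packets: Iterable[Tuple[str, int]], conf: Dict) -> Tuple[int, bool]:
    """packets: (proto, dst_port) of each logged packet from one source IP.
    Returns (danger level, alert?) under the simplified rules assumed here:
    ignored ports are dropped, the remaining count sets the danger level, and
    an alert needs a port range (max - min port) of at least
    PORT_RANGE_SCAN_THRESHOLD and a level of at least EMAIL_ALERT_DANGER_LEVEL."""
    ranges = parse_ignore_ports(conf["IGNORE_PORTS"])
    kept = [(p, port) for p, port in packets if not is_ignored(p, port, ranges)]
    level = danger_level(len(kept), conf)
    ports = [port for _, port in kept]
    port_range = max(ports) - min(ports) if ports else 0
    alert = (level > 0 and level >= conf["EMAIL_ALERT_DANGER_LEVEL"]
             and port_range >= conf["PORT_RANGE_SCAN_THRESHOLD"])
    return level, alert
```

With the default PORT_RANGE_SCAN_THRESHOLD of 1, five packets against a single port reach danger level 1 but produce no alert; setting it to 0 makes that same single-port scan alert, as the text describes.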

PSAD_EMAIL_LIMIT

Defines the maximum number of emails that will be sent for an individual IP address. The default is "0" which instructs psad to not set any limit for the number of email alerts that it will send for a particular IP address. Normally if an IP is causing psad to generate hundreds of alert emails there is a misconfiguration in either the iptables policy or in the manner in which the network is being utilized by the IP. Note that enabling this feature by setting PSAD_EMAIL_LIMIT to some value greater than "0" may cause alerts for real attacks to not be generated if an attack is sent after the email threshold has been reached for an IP address.
PSAD_EMAIL_LIMIT                    100;

EMAIL_LIMIT_STATUS_MSG

If set to "Y" will instruct psad to send a status email message whenever an IP address has reached the PSAD_EMAIL_LIMIT threshold. The default is "Y".
EMAIL_LIMIT_STATUS_MSG              Y;

ALERT_ALL

If set to "Y", instructs psad to send email alerts for any new suspect traffic from a particular IP address instead of just when the IP reaches a new danger level. The default for ALERT_ALL is "Y".
ALERT_ALL                           Y;

IMPORT_OLD_SCANS

If set to "Y" instructs psad to import any old scan data in /var/log/psad from a previously running psad process. This allows scan data to persist across restarts of psad or even a system reboot. The default value for IMPORT_OLD_SCANS is "N".
IMPORT_OLD_SCANS                    Y;

ENABLE_DSHIELD_ALERTS

If set to "Y", allows psad to send scan data to the DShield distributed IDS. Security data is usually considered sensitive by system administrators, so ENABLE_DSHIELD_ALERTS is set to "N" by default, but DShield genuinely provides a useful service to people who are concerned about network security and so enabling this feature is helpful to the community. See dshield.org for more information.
ENABLE_DSHIELD_ALERTS               Y;

DSHIELD_ALERT_EMAIL

Defines the email address to which DShield alerts will be sent if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword). The default value is "reports@dshield.org" and should only be changed if the DShield reporting address changes.
DSHIELD_ALERT_EMAIL                 reports@dshield.org;

DSHIELD_ALERT_INTERVAL

Defines the number of hours between successive DShield email alerts that are generated by psad. The default value is 6 hours, but should not be set to anything less than 1 hour or greater than 24 hours. This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_ALERT_INTERVAL              6;

DSHIELD_USER_ID

Is used to define a DShield user id (requires free registration at dshield.org). The default is "0" which allows psad to send scan information to the DShield distributed IDS anonymously (that is in the sense that the scan data will not be associated with any particular DShield user id). This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_USER_ID                     6;

DSHIELD_USER_EMAIL

Defines the source email address that will be used to send scan data to the DShield distributed IDS. The default is "NONE" which allows psad to send scan information to DShield from the same source email address that is used by psad to send normal scan alerts. This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_USER_EMAIL                  you@somedomain.com;

DSHIELD_DL_THRESHOLD

Defines a threshold danger level before scan data will be included in email alerts to DShield. The default is "0" since this will allow DShield to apply its own logic to determine what constitutes a scan (i.e. _all_ iptables log messages will be included in DShield email alerts with DSHIELD_DL_THRESHOLD set to "0"). This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_DL_THRESHOLD                2;

ENABLE_AUTO_IDS

If set to "Y", instructs psad to automatically block IP addresses from which scans or other suspect traffic originate. The default is "N" since enabling this feature may cause network connectivity problems if the underlying iptables policy is not tuned correctly (for example if it is logging legitimate DNS response traffic), or if an attacker discovers that the auto-blocking feature is enabled and then proceeds to spoof scans from your favorite websites or your upstream router. Psad supports "whitelisting" IP addresses via the file /etc/psad/auto_dl, so that psad will never add block rules for IP addresses listed in this file that have an auto-danger level set to "0". Incidentally, the /etc/psad/auto_dl file can also be used to automatically elevate the danger level associated with a scan that originates from a specific IP address and/or an IP contained within a matching network.
ENABLE_AUTO_IDS                     Y;

AUTO_IDS_DANGER_LEVEL

Sets a threshold on the minimum danger level a scan must reach before psad will automatically block the offending IP address (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default is "5" which is the highest danger level assigned by psad to any scan.
AUTO_IDS_DANGER_LEVEL               5;

AUTO_BLOCK_TIMEOUT

Defines the length of time that an auto-generated block rule will remain in effect (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default is "3600" seconds (one hour).
AUTO_BLOCK_TIMEOUT                  3600;

IPTABLES_BLOCK_METHOD

Instructs psad to block IP addresses with iptables (if ENABLE_AUTO_IDS is set to "Y"). Blocking via iptables is more effective and more secure than blocking via tcpwrappers since packets are intercepted in the kernel before having an opportunity to talk to any user-land daemon, and hence this is the preferred method of constructing auto-blocking rules. The default value for IPTABLES_BLOCK_METHOD is "Y".
IPTABLES_BLOCK_METHOD               Y;

IPTABLES_AUTO_RULENUM

Defines the specific rule number that psad will use to add auto-generated iptables blocking rules in the INPUT, OUTPUT, and FORWARD chains (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default value is "1".
IPTABLES_AUTO_RULENUM               1;

TCPWRAPPERS_BLOCK_METHOD

Instructs psad to block IP addresses with tcpwrappers (if ENABLE_AUTO_IDS is set to "Y"). Blocking via tcpwrappers is less effective than using iptables directly (see the IPTABLES_BLOCK_METHOD keyword above), so the default value for TCPWRAPPERS_BLOCK_METHOD is "N".
TCPWRAPPERS_BLOCK_METHOD            N;

WHOIS_TIMEOUT

Defines the timeout that psad will use when issuing whois lookups against scanning IP addresses. The default is 60 seconds. Note that whois lookups can be disabled altogether via the --no-whois command line argument.
WHOIS_TIMEOUT                       60;

WHOIS_LOOKUP_THRESHOLD

Defines the number of times a scanning IP address can be seen before an additional whois lookup will be issued. The motivation for this keyword comes from the fact that IP to whois information mappings will not change very often. The default value for WHOIS_LOOKUP_THRESHOLD is 20. Note that whois lookups can be disabled altogether via the --no-whois command line argument.
WHOIS_LOOKUP_THRESHOLD              20;

DNS_LOOKUP_THRESHOLD

Defines the number of times a scanning IP address can be seen before an additional reverse DNS lookup will be issued. The motivation for this keyword comes from the fact that IP to host DNS mappings will not change very often. The default value for DNS_LOOKUP_THRESHOLD is 20. Note that reverse DNS lookups can be disabled altogether via the --no-rdns command line argument.
DNS_LOOKUP_THRESHOLD                20;

ENABLE_EXT_SCRIPT_EXEC

Instructs psad to execute an external script when a scan is detected. This feature is disabled by default; use at your own risk!
ENABLE_EXT_SCRIPT_EXEC              N;

EXTERNAL_SCRIPT

Provides a path to an external script or program that psad should execute upon detecting a scan from an IP address. Note that the scan source IP can be specified on the command line to the external program through the use of the "SRCIP" string (along with some appropriate switch for the program). Of course this is only useful if the external program knows what to do with this information. This keyword is only used if ENABLE_EXT_SCRIPT_EXEC is set to "Y", and the default value is "/bin/true".
EXTERNAL_SCRIPT                     /path/to/script --ip SRCIP -v;

EXEC_EXT_SCRIPT_PER_ALERT

If set to "Y", instructs psad to execute the external script or program every time an email alert is generated for a particular IP address (see the EXTERNAL_SCRIPT keyword above). This keyword is only used if ENABLE_EXT_SCRIPT_EXEC is set to "Y", and the default value is "N" (which has psad run the external script only once for each scanning IP address).
EXEC_EXT_SCRIPT_PER_ALERT           N;