  1. #
  2. ##############################################################################
  3. #
  4. # This is the configuration file for psad (the Port Scan Attack Detector).
  5. # Normally this file gets installed at /etc/psad/psad.conf, but can be put
  6. # anywhere in the filesystem and then the path can be specified on the
  7. # command line argument "-c <file>" to psad. All three psad daemons (psad,
  8. # kmsgsd, and psadwatchd) reference this config file.
  9. #
  10. # Each line has the form "<variable name> <value>;". Note the semi-
  11. # colon after the <value>. All characters after the semicolon will be
  12. # ignored to provide space for comments.
  13. #
  14. ##############################################################################
  15. #
  16.  
  17. ### Supports multiple email addresses (as a comma separated
  18. ### list).
  19. EMAIL_ADDRESSES maz@blassie.eu;
  20.  
  21. ### Machine hostname
  22. HOSTNAME _CHANGEME_;
  23.  
  24. ### Specify the home and external networks. Note that by default the
  25. ### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
  26. ### all of the directly connected subnets and uses this information as
  27. ### the HOME_NET variable.
  28. HOME_NET any;
  29. EXTERNAL_NET any;
  30.  
  31. ### The FW_SEARCH_ALL variable controls how psad will parse iptables
  32. ### messages. If it is set to "Y" then psad will parse all iptables
  33. ### messages for evidence of scan activity. If it is set to "N" then
  34. ### psad will only parse those iptables messages that contain logging
  35. ### prefixes specified by the FW_MSG_SEARCH variable below. Logging
  36. ### prefixes are set with the --log-prefix command line option to iptables.
  37. ### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze
  38. ### iptables messages that are logged out of a specific iptables chain
  39. ### (multiple strings can be searched for, see the comment above the
  40. ### FW_MSG_SEARCH variable below) or a specific logging rule for example.
  41. ### FW_SEARCH_ALL is set to "Y" by default since usually people want psad
  42. ### to parse all iptables messages.
  43. FW_SEARCH_ALL Y;
  44.  
  45. ### The FW_MSG_SEARCH variable can be modified to look for logging messages
  46. ### that are specific to your firewall configuration (specified by the
  47. ### "--log-prefix" option). For example, if your firewall uses the
  48. ### string "Audit" for packets that have been blocked, then you could
  49. ### set FW_MSG_SEARCH to "Audit". The default string to search for is
  50. ### "DROP". Both psad and kmsgsd reference this file. NOTE: You can
  51. ### specify this variable multiple times to have psad search for multiple
  52. ### strings. For example to have psad search for the strings "Audit" and
  53. ### "Reject", you would use the following two lines:
  54. #FW_MSG_SEARCH Audit;
  55. #FW_MSG_SEARCH REJECT;
  56. FW_MSG_SEARCH DROP;
  57.  
  58. ### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
  59. ### variable accepts four possible values: syslogd, syslog-ng, ulogd,
  60. ### or metalog.
  61. SYSLOG_DAEMON syslogd;
  62.  
  63. ### What type of interface configuration do you use? Set this variable to
  64. ### "iproute2" if you want to use the iproute2 type configuration.
  65. ### iproute2 does not use aliases for multi-homed interfaces and
  66. ### ifconfig does not show secondary addresses for multi-homed interfaces.
  67. #IFCFGTYPE iproute2;
  68. IFCFGTYPE ifconfig;
  69.  
  70. ### Danger levels. These represent the total number of
  71. ### packets required for a scan to reach each danger level.
  72. ### A scan may also reach a danger level if the scan trips
  73. ### a signature or if the scanning ip is listed in
  74. ### auto_ips so a danger level is automatically
  75. ### assigned.
  76. DANGER_LEVEL1 5; ### Number of packets.
  77. DANGER_LEVEL2 15;
  78. DANGER_LEVEL3 150;
  79. DANGER_LEVEL4 1500;
  80. DANGER_LEVEL5 10000;
  81.  
  82. ### Set the interval (in seconds) psad will use to sleep before
  83. ### checking for new iptables log messages
  84. CHECK_INTERVAL 5;
  85.  
  86. ### Search for snort "sid" values generated by fwsnort
  87. ### or snort2iptables
  88. SNORT_SID_STR SID;
  89.  
  90. ### Set the minimum range of ports that must be scanned before
  91. ### psad will send an alert. The default is 1 so that at
  92. ### least two ports must be scanned (p2-p1 >= 1). This can be set
  93. ### to 0 if you want psad to be extra paranoid, or 30000 if not.
  94. PORT_RANGE_SCAN_THRESHOLD 1;
  95.  
  96. ### If "Y", means that scans will never time out. This is useful
  97. ### for catching scans that take place over long periods of time
  98. ### where the attacker is trying to slip beneath the IDS thresholds.
  99. ENABLE_PERSISTENCE Y;
  100.  
  101. ### This is used only if ENABLE_PERSISTENCE = "N";
  102. SCAN_TIMEOUT 3600; ### seconds
  103.  
  104. ### Specify how often to timeout old scan data relative to CHECK_INTERVAL
  105. ### iterations. This feature is only used if ENABLE_PERSISTENCE is disabled.
  106. ### Note that for psad processes that have tracked a lot of scans, it is
  107. ### advisable to leave this threshold at the default value of 5 or greater
  108. ### because the scan tracking hash may be quite large.
  109. PERSISTENCE_CTR_THRESHOLD 5;
  110.  
  111. ### Limit the number of src->dst IP pairs that psad will track. The default
  112. ### is zero (i.e. unlimited), but if psad is running on a system with limited
  113. ### memory, this can be handy to restrict psad's memory usage. It is best to
  114. ### combine this option with disabling ENABLE_PERSISTENCE so that older scans
  115. ### are deleted and therefore newer scans will on average continue to be
  116. ### tracked. A good non-zero value is, say, 50000, but this will vary
  117. ### depending on available system memory.
  118. MAX_SCAN_IP_PAIRS 0;
  119.  
  120. ### If "Y", means all signatures will be shown since
  121. ### the scan started instead of just the current ones.
  122. SHOW_ALL_SIGNATURES N;
  123.  
  124. ### Allow reporting methods to be enabled/restricted. This keyword can
  125. ### accept values of "nosyslog" (don't write any messages to syslog),
  126. ### "noemail" (don't send any email messages), or "ALL" (to generate both
  127. ### syslog and email messages). "ALL" is the default. Both "nosyslog"
  128. ### and "noemail" can be combined with a comma to disable all logging
  129. ### and alerting.
  130. ALERTING_METHODS ALL;
  131.  
  132. ### By default, psad acquires iptables log data from the /var/log/messages
  133. ### file which the local syslog daemon (usually) writes iptables log messages
  134. ### to. If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
  135. ### reconfigures syslog to write iptables log data to the
  136. ### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
  137. ### and written to the file /var/log/psad/fwdata for analysis by psad. On some
  138. ### systems, having syslog communicate log data to kmsgsd can be problematic
  139. ### (syslog configs and external factors such as Apparmor and SELinux can play
  140. ### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
  141. ### usually recommended.
  142. ENABLE_SYSLOG_FILE Y;
  143. IPT_WRITE_FWDATA Y;
  144. IPT_SYSLOG_FILE /var/log/messages;
  145.  
  146. ### When enabled, this instructs psad to write the "msg" field
  147. ### associated with Snort rule matches to syslog.
  148. ENABLE_SIG_MSG_SYSLOG Y;
  149. SIG_MSG_SYSLOG_THRESHOLD 10;
  150. SIG_SID_SYSLOG_THRESHOLD 10;
  151.  
  152. ### TTL values are decremented depending on the number of hops
  153. ### the packet has taken before it hits the firewall. We will
  154. ### assume packets will not jump through more than 20 hops on
  155. ### average.
  156. MAX_HOPS 20;
  157.  
  158. ### Ignore any timestamp included within kernel logging
  159. ### messages (Ubuntu systems commonly have this)
  160. IGNORE_KERNEL_TIMESTAMP Y;
  161.  
  162. ### FIXME: try to mitigate the effects of the iptables connection
  163. ### tracking bug by ignoring tcp packets that have the ack bit set.
  164. ### Read the "BUGS" section of the psad man page. Note that
  165. ### if a packet matches a snort SID generated by fwsnort (see
  166. ### http://www.cipherdyne.org/fwsnort/)
  167. ### then psad will see it even if the ack bit is set. See the
  168. ### SNORT_SID_STR variable.
  169. IGNORE_CONNTRACK_BUG_PKTS Y;
  170.  
  171. ### define a set of ports to ignore (this is useful particularly
  172. ### for port knocking applications since the knock sequence will
  173. ### look to psad like a scan). This variable may be defined as
  174. ### a comma-separated list of port numbers or port ranges and
  175. ### corresponding protocol. For example, to have psad ignore all
  176. ### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
  177. ### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
  178. IGNORE_PORTS NONE;
  179.  
  180. ### allow entire protocols to be ignored. This keyword can accept
  181. ### a comma separated list of protocols. Each protocol must match
  182. ### the protocol that is specified in an iptables log message (case
  183. ### insensitively, so both "TCP" and "tcp" are ok).
  184. ### IGNORE_PROTOCOLS tcp,udp;
  185. IGNORE_PROTOCOLS NONE;
  186.  
  187. ### allow packets to be ignored based on interface (this is the
  188. ### "IN" interface in iptables logging messages).
  189. IGNORE_INTERFACES NONE;
  190.  
  191. ### Ignore these specific logging prefixes
  192. IGNORE_LOG_PREFIXES NONE;
  193.  
  194. ### Minimum danger level a scan must reach before any logging or
  195. ### alerting is done. The EMAIL_ALERT_DANGER_LEVEL variable below
  196. ### only refers to email alerts; the MIN_DANGER_LEVEL variable
  197. ### applies to everything from email alerts to whether or not the
  198. ### IP directory is created within /var/log/psad/. Hence
  199. ### MIN_DANGER_LEVEL should be set less than or equal to the value
  200. ### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
  201. MIN_DANGER_LEVEL 1;
  202.  
  203. ### Only send email alert if danger level >= to this value.
  204. EMAIL_ALERT_DANGER_LEVEL 1;
  205.  
  206. ### Enable detection of malicious activity that is delivered via IPv6. If
  207. ### ip6tables is not logging any traffic, then psad won't know anything
  208. ### about IPv6, or this variable can be set to "N" (this would be slightly
  209. ### faster if ip6tables isn't logging anything).
  210. ENABLE_IPV6_DETECTION Y;
  211.  
  212. ### Treat all subnets on local interfaces as part of HOME_NET (this
  213. ### means that these networks do not have to be manually defined)
  214. ENABLE_INTF_LOCAL_NETS Y;
  215.  
  216. ### Include MAC addresses in email alert
  217. ENABLE_MAC_ADDR_REPORTING N;
  218.  
  219. ### Look for the iptables logging rule (fwcheck_psad is executed)
  220. ENABLE_FW_LOGGING_CHECK Y;
  221.  
  222. ### Send no more than this number of emails for a single
  223. ### scanning source IP. Note that enabling this feature may cause
  224. ### alerts for real attacks to not be generated if an attack is sent
  225. ### after the email threshold has been reached for an IP address.
  226. ### This is why the default is set to "0".
  227. EMAIL_LIMIT 0;
  228.  
  229. ### By default, psad maintains a counter for each scanning source address,
  230. ### but by enabling this variable psad will maintain email counters for
  231. ### each victim address that is scanned as well.
  232. ENABLE_EMAIL_LIMIT_PER_DST N;
  233.  
  234. ### If "Y", send a status email message when an IP has reached the
  235. ### EMAIL_LIMIT threshold.
  236. EMAIL_LIMIT_STATUS_MSG Y;
  237.  
  238. ### If "Y", send email for all newly logged packets from the same
  239. ### source ip instead of just when a danger level increases.
  240. ALERT_ALL Y;
  241.  
  242. ### If "Y", then psad will import old scan source ip directories
  243. ### as current scans instead of moving the directories into the
  244. ### archive directory.
  245. IMPORT_OLD_SCANS N;
  246.  
  247. ### syslog facility and priority (the defaults are usually ok)
  248. ### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
  249. ### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
  250. ### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
  251. SYSLOG_IDENTITY psad;
  252. SYSLOG_FACILITY LOG_LOCAL7;
  253. SYSLOG_PRIORITY LOG_INFO;
  254.  
  255. ### Port thresholds for logging and -S and -A output.
  256. TOP_PORTS_LOG_THRESHOLD 500;
  257. STATUS_PORTS_THRESHOLD 20;
  258.  
  259. ### Signature thresholds for logging and -S and -A output.
  260. TOP_SIGS_LOG_THRESHOLD 500;
  261. STATUS_SIGS_THRESHOLD 50;
  262.  
  263. ### Attackers thresholds for logging and -S and -A output.
  264. TOP_IP_LOG_THRESHOLD 500;
  265. STATUS_IP_THRESHOLD 25;
  266.  
  267. ### Specify how often to log the TOP_* information (i.e. how many
  268. ### CHECK_INTERVAL iterations before the data is logged again).
  269. TOP_SCANS_CTR_THRESHOLD 1;
  270.  
  271. ### Send scan logs to dshield.org. This is disabled by default,
  272. ### but is a good idea to enable it (subject to your site security
  273. ### policy) since the DShield service helps to track the bad guys.
  274. ### For more information visit http://www.dshield.org
  275. ENABLE_DSHIELD_ALERTS N;
  276.  
  277. ### dshield.org alert email address; this should not be changed
  278. ### unless the guys at DShield have changed it.
  279. DSHIELD_ALERT_EMAIL reports@dshield.org;
  280.  
  281. ### Time interval (hours) to send email alerts to dshield.org.
  282. ### The default is 6 hours, and cannot be less than 1 hour or
  283. ### more than 24 hours.
  284. DSHIELD_ALERT_INTERVAL 6; ### hours
  285.  
  286. ### If you have a DShield user id you can set it here. The
  287. ### default is "0".
  288. DSHIELD_USER_ID 0;
  289.  
  290. ### If you want the outbound DShield email to appear as though it
  291. ### is coming from a particular user address then set it here.
  292. DSHIELD_USER_EMAIL NONE;
  293.  
  294. ### Threshold danger level for DShield data; a scan must reach this
  295. ### danger level before associated packets will be included in an
  296. ### alert to DShield. Note that zero is the default since this
  297. ### will allow DShield to apply its own logic to determine what
  298. ### constitutes a scan (_all_ iptables log messages will be included
  299. ### in DShield email alerts).
  300. DSHIELD_DL_THRESHOLD 0;
  301.  
  302. ### List of servers. Fwsnort supports the same variable resolution as
  303. #### Snort.
  304. HTTP_SERVERS $HOME_NET;
  305. SMTP_SERVERS $HOME_NET;
  306. DNS_SERVERS $HOME_NET;
  307. SQL_SERVERS $HOME_NET;
  308. TELNET_SERVERS $HOME_NET;
  309.  
  310. #### AOL AIM server nets
  311. AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
  312.  
  313. ### Configurable port numbers
  314. HTTP_PORTS 80;
  315. SHELLCODE_PORTS !80;
  316. ORACLE_PORTS 1521;
  317.  
  318. ### If this is enabled, then psad will die if a rule in the
  319. ### /etc/psad/signatures file contains an unsupported option (otherwise
  320. ### a syslog warning will be generated).
  321. ENABLE_SNORT_SIG_STRICT Y;
  322.  
  323. ### If "Y", enable automated IDS response (auto manages
  324. ### firewall rulesets).
  325. ENABLE_AUTO_IDS N;
  326.  
  327. ### Block all traffic from offending IP if danger
  328. ### level >= to this value
  329. AUTO_IDS_DANGER_LEVEL 5;
  330.  
  331. ### Set the auto-blocked timeout in seconds (the default
  332. ### is one hour).
  333. AUTO_BLOCK_TIMEOUT 3600;
  334.  
  335. ### Enable regex checking on log prefixes for active response
  336. ENABLE_AUTO_IDS_REGEX N;
  337.  
  338. ### Only block if the iptables log message matches the following regex
  339. AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
  340.  
  341. ### Control whether "renew" auto-block emails get sent. This is disabled
  342. ### by default because lots of IPs could have been blocked, and psad
  343. ### should not generate a renew email for each of them.
  344. ENABLE_RENEW_BLOCK_EMAILS N;
  345.  
  346. ### By setting this variable to N, all auto-blocking emails can be
  347. ### suppressed.
  348. ENABLE_AUTO_IDS_EMAILS Y;
  349.  
  350. ### Enable iptables blocking (only gets enabled if
  351. ### ENABLE_AUTO_IDS is also set)
  352. IPTABLES_BLOCK_METHOD Y;
  353.  
  354. ### Specify chain names to which iptables blocking rules will be
  355. ### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
  356. ### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
  357. ### to add an additional IPT_AUTO_CHAIN requirement. The format for this
  358. ### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
  359. ### <To_chain>,<Rule_position>.
  360. ### "Target": Can be any legitimate iptables target, but should usually
  361. ### just be "DROP".
  362. ### "Direction": Can be "src", "dst", or "both", which correspond to the
  363. ### INPUT, OUTPUT, and FORWARD chains.
  364. ### "Table": Can be any iptables table, but the default is "filter".
  365. ### "From_chain": Is the chain from which packets will be jumped.
  366. ### "Jump_rule_position": Defines the position within the From_chain where
  367. ### the jump rule is added.
  368. ### "To_chain": Is the chain to which packets will be jumped. This is the
  369. ### main chain where psad rules are added.
  370. ### "Rule_position": Defines the position where rules are added within the
  371. ### To_chain.
  372. ###
  373. ### The following defaults make sense for most installations, but note
  374. ### it is possible to include blocking rules in, say, the "nat" table
  375. ### using this functionality as well. The following three lines provide
  376. ### usage examples:
  377. #IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
  378. #IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
  379. #IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
  380. IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
  381. IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
  382. IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
  383.  
  384. ### Flush all existing rules in the psad chains at psad start time.
  385. FLUSH_IPT_AT_INIT Y;
  386.  
  387. ### Prerequisite check for existence of psad chains and jump rules
  388. IPTABLES_PREREQ_CHECK 1;
  389.  
  390. ### Enable tcp wrappers blocking (only gets enabled if
  391. ### ENABLE_AUTO_IDS is also set)
  392. TCPWRAPPERS_BLOCK_METHOD N;
  393.  
  394. ### Set the whois timeout
  395. WHOIS_TIMEOUT 60; ### seconds
  396.  
  397. ### Set the number of times an ip can be seen before another whois
  398. ### lookup is issued.
  399. WHOIS_LOOKUP_THRESHOLD 20;
  400.  
  401. ### Use this option to force all whois information to contain ascii-only data.
  402. ### Sometimes whois information for IP addresses in China and other countries
  403. ### can contain non-ascii data. If this option is enabled, then any non-
  404. ### ascii characters will be replaced with "NA".
  405. ENABLE_WHOIS_FORCE_ASCII N;
  406.  
  407. ### This variable forces all whois lookups to be done against the source IP
  408. ### even when they are associated with a directly connected local network. It
  409. ### is usually a good idea to leave this setting as the default of 'N'.
  410. ENABLE_WHOIS_FORCE_SRC_IP N;
  411.  
  412. ### Set the number of times an ip can be seen before another dns
  413. ### lookup is issued.
  414. DNS_LOOKUP_THRESHOLD 20;
  415.  
  416. ### Enable psad to run an external script or program (use at your
  417. ### own risk!)
  418. ENABLE_EXT_SCRIPT_EXEC N;
  419.  
  420. ### Define an external program to run after a scan is caught.
  421. ### Note that the scan source ip can be specified on the command
  422. ### line to the external program through the use of the "SRCIP"
  423. ### string (along with some appropriate switch for the program).
  424. ### Of course this is only useful if the external program knows
  425. ### what to do with this information.
  426. ### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
  427. EXTERNAL_SCRIPT /bin/true;
  428.  
  429. ### Control execution of EXTERNAL_SCRIPT (only once per IP, or
  430. ### every time a scan is detected for an ip).
  431. EXEC_EXT_SCRIPT_PER_ALERT N;
  432.  
  433. ### Disk usage variables
  434. DISK_CHECK_INTERVAL 300; ### seconds
  435.  
  436. ### This can be set to 0 to disable disk checking altogether
  437. DISK_MAX_PERCENTAGE 95;
  438.  
  439. ### This can be set to 0 to have psad not place any limit on the
  440. ### number of times it will attempt to remove data from
  441. ### /var/log/psad/.
  442. DISK_MAX_RM_RETRIES 10;
  443.  
  444. ### Enable archiving of old scan directories at psad startup.
  445. ENABLE_SCAN_ARCHIVE N;
  446.  
  447. ### Truncate fwdata file at startup
  448. TRUNCATE_FWDATA Y;
  449.  
  450. ### Only archive scanning IP directories that have reached a danger
  451. ### level greater than or equal to this value. Archiving old
  452. ### scanning ip directories only takes place at psad startup.
  453. MIN_ARCHIVE_DANGER_LEVEL 1;
  454.  
  455. ### Email subject line config. Change these prefixes if you want
  456. ### psad to generate email alerts that say something other than
  457. ### the following.
  458. MAIL_ALERT_PREFIX [psad-alert];
  459. MAIL_STATUS_PREFIX [psad-status];
  460. MAIL_ERROR_PREFIX [psad-error];
  461. MAIL_FATAL_PREFIX [psad-fatal];
  462.  
  463. ### URL for getting the latest psad signatures
  464. SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
  465.  
  466. ### These next two are psadwatchd vars
  467. PSADWATCHD_CHECK_INTERVAL 5; ### seconds
  468. PSADWATCHD_MAX_RETRIES 10;
  469.  
  470. ### Directories
  471. INSTALL_ROOT /;
  472. PSAD_DIR $INSTALL_ROOT/var/log/psad;
  473. PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
  474. PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
  475. PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
  476. PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
  477. PSAD_ERR_DIR $PSAD_DIR/errs;
  478. CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
  479. SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
  480. ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
  481. SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
  482.  
  483. ### Files
  484. FW_DATA_FILE $PSAD_DIR/fwdata;
  485. ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
  486. FW_CHECK_FILE $PSAD_DIR/fw_check;
  487. DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
  488. SIGS_FILE $PSAD_CONF_DIR/signatures;
  489. ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
  490. ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
  491. AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
  492. SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
  493. POSF_FILE $PSAD_CONF_DIR/posf;
  494. P0F_FILE $PSAD_CONF_DIR/pf.os;
  495. IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
  496. PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
  497. ETC_HOSTS_DENY_FILE /etc/hosts.deny;
  498. ETC_SYSLOG_CONF /etc/syslog.conf;
  499. ETC_RSYSLOG_CONF /etc/rsyslog.conf;
  500. ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
  501. ETC_METALOG_CONF /etc/metalog/metalog.conf;
  502. STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
  503. ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
  504. INSTALL_LOG_FILE $PSAD_DIR/install.log;
  505.  
  506. ### PID files
  507. PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
  508. PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
  509. KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
  510. PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
  511.  
  512. ### List of ips that have been auto blocked by iptables
  513. ### or tcpwrappers (the auto blocking feature is disabled by
  514. ### default, see the psad man page and the ENABLE_AUTO_IDS
  515. ### variable).
  516. AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
  517. AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
  518.  
  519. ### File used internally by psad to add iptables blocking
  520. ### rules to a running psad process
  521. AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
  522.  
  523. FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
  524. PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
  525.  
  526. ### /proc interface for controlling ip forwarding
  527. PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
  528.  
  529. ### Packet counters for tcp, udp, and icmp protocols
  530. PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
  531.  
  532. ### Top scanned ports
  533. TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
  534.  
  535. ### Top signature matches
  536. TOP_SIGS_FILE $PSAD_DIR/top_sigs;
  537.  
  538. ### Top attackers
  539. TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
  540.  
  541. ### Counter file for Dshield alerts
  542. DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
  543.  
  544. ### Counter file for iptables prefixes
  545. IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
  546.  
  547. ### iptables command output and error collection files; these are
  548. ### used by IPTables::ChainMgr
  549. IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
  550. IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;
  551.  
  552. ### system binaries
  553. iptablesCmd /sbin/iptables;
  554. ip6tablesCmd /sbin/ip6tables;
  555. shCmd /bin/sh;
  556. wgetCmd /usr/bin/wget;
  557. gzipCmd /bin/gzip;
  558. mknodCmd /bin/mknod;
  559. psCmd /bin/ps;
  560. mailCmd /bin/mail;
  561. sendmailCmd /usr/sbin/sendmail;
  562. ifconfigCmd /sbin/ifconfig;
  563. ipCmd /sbin/ip;
  564. killallCmd /usr/bin/killall;
  565. netstatCmd /bin/netstat;
  566. unameCmd /bin/uname;
  567. whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
  568. dfCmd /bin/df;
  569. fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
  570. psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
  571. kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
  572. psadCmd $INSTALL_ROOT/usr/sbin/psad;