Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

Untitled

By: a guest on Oct 13th, 2011  |  syntax: Perl  |  size: 22.72 KB  |  views: 70  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. #
  2. ##############################################################################
  3. #
  4. #  This is the configuration file for psad (the Port Scan Attack Detector).
  5. #  Normally this file gets installed at /etc/psad/psad.conf, but can be put
  6. #  anywhere in the filesystem and then the path can be specified on the
  7. #  command line argument "-c <file>" to psad.  All three psad daemons (psad,
  8. #  kmsgsd, and psadwatchd) reference this config file.
  9. #
  10. #  Each line has the form  "<variable name>    <value>;".  Note the semi-
  11. #  colon after the <value>.  All characters after the semicolon will be
  12. #  ignored to provide space for comments.
  13. #
  14. ##############################################################################
  15. #
  16. # $Id: psad.conf 2297 2010-07-14 21:02:07Z mbr $
  17. #
  18.  
  19. ### Supports multiple email addresses (as a comma separated
  20. ### list).
  21. EMAIL_ADDRESSES             my_email_addr@example.org;
  22.  
  23. ### Machine hostname
  24. HOSTNAME                    my_host_name;
  25.  
  26. ### Specify the home and external networks.  Note that by default the
  27. ### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
  28. ### all of the directly connected subnets and uses this information as
  29. ### the HOME_NET variable.
  30. HOME_NET                    any;
  31. EXTERNAL_NET                any;
  32.  
  33. ### The FW_SEARCH_ALL variable controls has psad will parse iptables
  34. ### messages.  If it is set to "Y" then psad will parse all iptables
  35. ### messages for evidence of scan activity.  If it is set to "N" then
  36. ### psad will only parse those iptables messages that contain logging
  37. ### prefixes specified by the FW_MSG_SEARCH variable below.  Logging
  38. ### prefixes are set with the --log-prefix command line option to iptables.
  39. ### Setting FW_SEARCH_ALL to "N" is useful for having psad only analyze
  40. ### iptables messages that are logged out of a specific iptables chain
  41. ### (multiple strings can be searched for, see the comment above the
  42. ### FW_MSG_SEARCH variable below) or a specific logging rule for example.
  43. ### FW_SEARCH_ALL is set to "Y" by default since usually people want psad
  44. ### to parse all iptables messages.
  45. FW_SEARCH_ALL               Y;
  46.  
  47. ### The FW_MSG_SEARCH variable can be modified to look for logging messages
  48. ### that are specific to your firewall configuration (specified by the
  49. ### "--log-prefix" option.  For example, if your firewall uses the
  50. ### string "Audit" for packets that have been blocked, then you could
  51. ### set FW_MSG_SEARCH to "Audit";  The default string to search for is
  52. ### "DROP".  Both psad and kmsgsd reference this file.  NOTE: You can
  53. ### specify this variable multiple times to have psad search for multiple
  54. ### strings.  For example to have psad search for the strings "Audit" and
  55. ### "Reject", you would use the following two lines:
  56. #FW_MSG_SEARCH               Audit;
  57. #FW_MSG_SEARCH               REJECT;
  58.  
  59. ### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON
  60. ### variable accepts four possible values: syslogd, syslog-ng, ulogd,
  61. ### or metalog.
  62. SYSLOG_DAEMON               syslogd;
  63.  
  64. ### What type of interface configuration do you use?  This this variable to
  65. ### "iproute2" if you want to use the iproute2 type configuration.
  66. ### iproute2 does not use aliases for multi-homed interfaces and
  67. ### ifconfig does not show secondary addresses for multi-homed interfaces.
  68. #IFCFGTYPE  iproute2;
  69. IFCFGTYPE                   ifconfig;
  70.  
  71. ### Danger levels.  These represent the total number of
  72. ### packets required for a scan to reach each danger level.
  73. ### A scan may also reach a danger level if the scan trips
  74. ### a signature or if the scanning ip is listed in
  75. ### auto_ips so a danger level is automatically
  76. ### assigned.
  77. DANGER_LEVEL1               5;    ### Number of packets.
  78. DANGER_LEVEL2               15;
  79. DANGER_LEVEL3               150;
  80. DANGER_LEVEL4               1500;
  81. DANGER_LEVEL5               10000;
  82.  
  83. ### Set the interval (in seconds) psad will use to sleep before
  84. ### checking for new iptables log messages
  85. CHECK_INTERVAL              5;
  86.  
  87. ### Search for snort "sid" values generated by fwsnort
  88. ### or snort2iptables
  89. SNORT_SID_STR               SID;
  90.  
  91. ### Set the minimum range of ports that must be scanned before
  92. ### psad will send an alert.  The default is 1 so that at
  93. ### least two port must be scanned (p2-p1 >= 1).  This can be set
  94. ### to 0 if you want psad to be extra paranoid, or 30000 if not.
  95. PORT_RANGE_SCAN_THRESHOLD   1;
  96.  
  97. ### If "Y", means that scans will never timeout.  This is useful
  98. ### for catching scans that take place over long periods of time
  99. ### where the attacker is trying to slip beneath the IDS thresholds.
  100. ENABLE_PERSISTENCE          Y;
  101.  
  102. ### This is used only if ENABLE_PERSISTENCE = "N";
  103. SCAN_TIMEOUT                3600;  ### seconds
  104.  
  105. ### If "Y", means all signatures will be shown since
  106. ### the scan started instead of just the current ones.
  107. SHOW_ALL_SIGNATURES         N;
  108.  
  109. ### Allow reporting methods to be enabled/restricted.  This keyword can
  110. ### accept values of "nosyslog" (don't write any messages to syslog),
  111. ### "noemail" (don't send any email messages), or "ALL" (to generate both
  112. ### syslog and email messages).  "ALL" is the default.  Both "nosyslog"
  113. ### and "noemail" can be combined with a comma to disable all logging
  114. ### and alerting.
  115. ALERTING_METHODS            ALL;
  116.  
  117. ### By default, psad acquires iptables log data from the /var/log/psad/fwdata
  118. ### file which is written to by kmsgsd.  However, psad can just read an
  119. ### existing file that syslog writes iptables log data to (commonly
  120. ### /var/log/messages).  On some systems, having syslog communicate log data
  121. ### to kmsgsd can be problematic (syslog configs and external factors such
  122. ### as Apparmor and SELinux can play a role here), so using this feature can
  123. ### simplify a psad deployment.
  124. ENABLE_SYSLOG_FILE          Y;
  125. IPT_WRITE_FWDATA            Y;
  126. IPT_SYSLOG_FILE             /var/log/messages;
  127.  
  128. ### When enabled, this instructs psad to write the "msg" field
  129. ### associated with Snort rule matches to syslog.
  130. ENABLE_SIG_MSG_SYSLOG       Y;
  131. SIG_MSG_SYSLOG_THRESHOLD    10;
  132. SIG_SID_SYSLOG_THRESHOLD    10;
  133.  
  134. ### TTL values are decremented depending on the number of hops
  135. ### the packet has taken before it hits the firewall.  We will
  136. ### assume packets will not jump through more than 20 hops on
  137. ### average.
  138. MAX_HOPS                    20;
  139.  
  140. ### Do not include any timestamp included within kernel logging
  141. ### messages (Ubuntu systems commonly have this)
  142. IGNORE_KERNEL_TIMESTAMP     Y;
  143.  
  144. ### FIXME: try to mitigate the affects of the iptables connection
  145. ### tracking bug by ignoring tcp packets that have the ack bit set.
  146. ### Read the "BUGS" section of the psad man page.  Note that
  147. ### if a packet matches a snort SID generated by fwsnort (see
  148. ### http://www.cipherdyne.org/fwsnort/)
  149. ### then psad will see it even if the ack bit is set.  See the
  150. ### SNORT_SID_STR variable.
  151. IGNORE_CONNTRACK_BUG_PKTS   Y;
  152.  
  153. ### define a set of ports to ignore (this is useful particularly
  154. ### for port knocking applications since the knock sequence will
  155. ### look to psad like a scan).  This variable may be defined as
  156. ### a comma-separated list of port numbers or port ranges and
  157. ### corresponding protocol,  For example, to have psad ignore all
  158. ### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
  159. ### IGNORE_PORTS        tcp/61000-61356, udp/53, udp/5000;
  160. IGNORE_PORTS                NONE;
  161.  
  162. ### allow entire protocols to be ignored.  This keyword can accept
  163. ### a comma separated list of protocols.  Each protocol must match
  164. ### the protocol that is specified in a Netfilter log message (case
  165. ### insensitively, so both "TCP" or "tcp" is ok).
  166. ### IGNORE_PROTOCOL             tcp,udp;
  167. IGNORE_PROTOCOLS            NONE;
  168.  
  169. ### allow packets to be ignored based on interface (this is the
  170. ### "IN" interface in Nefilter logging messages).
  171. IGNORE_INTERFACES           NONE;
  172.  
  173. ### Ignore these specific logging prefixes
  174. IGNORE_LOG_PREFIXES         NONE;
  175.  
  176. ### Minimum danger level a scan must reach before any logging or
  177. ### alerting is done.  The EMAIL_ALERT_DANGER_LEVEL variable below
  178. ### only refers to email alerts; the MIN_DANGER_LEVEL variable
  179. ### applies to everything from email alerts to whether or not the
  180. ### IP directory is created within /me/tom/src/aur/psad/pkg/var/log/psad/.  Hence
  181. ### MIN_DANGER_LEVEL should be set less than or equal to the value
  182. ### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
  183. MIN_DANGER_LEVEL            1;
  184.  
  185. ### Only send email alert if danger level >= to this value.
  186. EMAIL_ALERT_DANGER_LEVEL    1;
  187.  
  188. ### Treat all subnets on local interfaces as part of HOME_NET (this
  189. ### means that these networks do not have to be manually defined)
  190. ENABLE_INTF_LOCAL_NETS      Y;
  191.  
  192. ### Include MAC addresses in email alert
  193. ENABLE_MAC_ADDR_REPORTING   N;
  194.  
  195. ### Look for the Netfilter logging rule (fwcheck_psad is executed)
  196. ENABLE_FW_LOGGING_CHECK     Y;
  197.  
  198. ### Send no more than this number of emails for a single
  199. ### scanning source IP.  Note that enabling this feature may cause
  200. ### alerts for real attacks to not be generated if an attack is sent
  201. ### after the email threshold has been reached for an IP address.
  202. ### This is why the default is set to "0".
  203. EMAIL_LIMIT                 0;
  204.  
  205. ### By default, psad maintains a counter for each scanning source address,
  206. ### but by enabling this variable psad will maintain email counters for
  207. ### each victim address that is scanned as well.
  208. ENABLE_EMAIL_LIMIT_PER_DST  N;
  209.  
  210. ### If "Y", send a status email message when an IP has reached the
  211. ### EMAIL_LIMIT threshold.
  212. EMAIL_LIMIT_STATUS_MSG      Y;
  213.  
  214. ### If "Y", send email for all newly logged packets from the same
  215. ### source ip instead of just when a danger level increases.
  216. ALERT_ALL                   Y;
  217.  
  218. ### If "Y", then psad will import old scan source ip directories
  219. ### as current scans instead of moving the directories into the
  220. ### archive directory.
  221. IMPORT_OLD_SCANS            N;
  222.  
  223. ### syslog facility and priority (the defaults are usually ok)
  224. ### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and
  225. ### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,
  226. ### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG
  227. SYSLOG_IDENTITY             psad;
  228. SYSLOG_FACILITY             LOG_LOCAL7;
  229. SYSLOG_PRIORITY             LOG_INFO;
  230.  
  231. ### Port thresholds for logging and -S and -A output.
  232. TOP_PORTS_LOG_THRESHOLD     500;
  233. STATUS_PORTS_THRESHOLD      20;
  234.  
  235. ### Signature thresholds for logging and -S and -A output.
  236. TOP_SIGS_LOG_THRESHOLD      500;
  237. STATUS_SIGS_THRESHOLD       50;
  238.  
  239. ### Attackers thresholds for logging and -S and -A output.
  240. TOP_IP_LOG_THRESHOLD        500;
  241. STATUS_IP_THRESHOLD         25;
  242.  
  243. ### Specify how often to log the TOP_* information (i.e. how many
  244. ### CHECK_INTERVAL iterations before the data is logged again).
  245. TOP_SCANS_CTR_THRESHOLD     1;
  246.  
  247. ### Send scan logs to dshield.org.  This is disabled by default,
  248. ### but is a good idea to enable it (subject to your site security
  249. ### policy) since the DShield service helps to track the bad guys.
  250. ### For more information visit http://www.dshield.org
  251. ENABLE_DSHIELD_ALERTS       N;
  252.  
  253. ### dshield.org alert email address; this should not be changed
  254. ### unless the guys at DShield have changed it.
  255. DSHIELD_ALERT_EMAIL         reports@dshield.org;
  256.  
  257. ### Time interval (hours) to send email alerts to dshield.org.
  258. ### The default is 6 hours, and cannot be less than 1 hour or
  259. ### more than 24 hours.
  260. DSHIELD_ALERT_INTERVAL      6;  ### hours
  261.  
  262. ### If you have a DShield user id you can set it here.  The
  263. ### default is "0".
  264. DSHIELD_USER_ID             0;
  265.  
  266. ### If you want the outbound DShield email to appear as though it
  267. ### is coming from a particular user address then set it here.
  268. DSHIELD_USER_EMAIL          NONE;
  269.  
  270. ### Threshold danger level for DShield data; a scan must reach this
  271. ### danger level before associated packets will be included in an
  272. ### alert to DShield.  Note that zero is the default since this
  273. ### will allow DShield to apply its own logic to determine what
  274. ### constitutes a scan (_all_ iptables log messages will be included
  275. ### in DShield email alerts).
  276. DSHIELD_DL_THRESHOLD        0;
  277.  
  278. ### List of servers.  Fwsnort supports the same variable resolution as
  279. #### Snort.
  280. HTTP_SERVERS                $HOME_NET;
  281. SMTP_SERVERS                $HOME_NET;
  282. DNS_SERVERS                 $HOME_NET;
  283. SQL_SERVERS                 $HOME_NET;
  284. TELNET_SERVERS              $HOME_NET;
  285.  
  286. #### AOL AIM server nets
  287. AIM_SERVERS                 [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
  288.  
  289. ### Configurable port numbers
  290. HTTP_PORTS                  80;
  291. SHELLCODE_PORTS             !80;
  292. ORACLE_PORTS                1521;
  293.  
  294. ### If this is enabled, then psad will die if a rule in the
  295. ### /etc/psad/signatures file contains an unsupported option (otherwise
  296. ### a syslog warning will be generated).
  297. ENABLE_SNORT_SIG_STRICT     Y;
  298.  
  299. ### If "Y", enable automated IDS response (auto manages
  300. ### firewall rulesets).
  301. ENABLE_AUTO_IDS             Y;
  302.  
  303. ### Block all traffic from offending IP if danger
  304. ### level >= to this value
  305. AUTO_IDS_DANGER_LEVEL       5;
  306.  
  307. ### Set the auto-blocked timeout in seconds (the default
  308. ### is one hour).
  309. AUTO_BLOCK_TIMEOUT          3600;
  310.  
  311. ### Enable regex checking on log prefixes for active response
  312. ENABLE_AUTO_IDS_REGEX       N;
  313.  
  314. ### Only block if the Netfilter log message matches the following regex
  315. AUTO_BLOCK_REGEX            ESTAB;  ### from fwsnort logging prefixes
  316.  
  317. ### Control whether "renew" auto-block emails get sent.  This is disabled
  318. ### by default because lots of IPs could have been blocked, and psad
  319. ### should not generate a renew email for each of them.
  320. ENABLE_RENEW_BLOCK_EMAILS   N;
  321.  
  322. ### By setting this variable to N, all auto-blocking emails can be
  323. ### suppressed.
  324. ENABLE_AUTO_IDS_EMAILS      Y;
  325.  
  326. ### Enable iptables blocking (only gets enabled if
  327. ### ENABLE_AUTO_IDS is also set)
  328. IPTABLES_BLOCK_METHOD       Y;
  329.  
  330. ### Specify chain names to which iptables blocking rules will be
  331. ### added with the IPT_AUTO_CHAIN{n} keyword.  There is no limit on the
  332. ### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
  333. ### to add an additional IPT_AUTO_CHAIN requirement. The format for this
  334. ### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
  335. ###              <To_chain>,<Rule_position>.
  336. ### "Target": Can be any legitimate Netfilter target, but should usually
  337. ###           just be "DROP".
  338. ### "Direction": Can be "src", "dst", or "both", which correspond to the
  339. ###              INPUT, OUTPUT, and FORWARD chains.
  340. ### "Table": Can be any Netfilter table, but the default is "filter".
  341. ### "From_chain": Is the chain from which packets will be jumped.
  342. ### "Jump_rule_position": Defines the position within the From_chain where
  343. ###                       the jump rule is added.
  344. ### "To_chain": Is the chain to which packets will be jumped. This is the
  345. ###             main chain where psad rules are added.
  346. ### "Rule_position": Defines the position where rule are added within the
  347. ###                  To_chain.
  348. ###
  349. ### The following defaults make sense for most installations, but note
  350. ### it is possible to include blocking rules in, say, the "nat" table
  351. ### using this functionality as well.  The following three lines provide
  352. ### usage examples:
  353. #IPT_AUTO_CHAIN1              DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
  354. #IPT_AUTO_CHAIN2              DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
  355. #IPT_AUTO_CHAIN3              DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
  356. IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
  357. IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
  358. IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
  359.  
  360. ### Flush all existing rules in the psad chains at psad start time.
  361. FLUSH_IPT_AT_INIT           Y;
  362.  
  363. ### Prerequisite check for existence of psad chains and jump rules
  364. IPTABLES_PREREQ_CHECK       1;
  365.  
  366. ### Enable tcp wrappers blocking (only gets enabled if
  367. ### ENABLE_AUTO_IDS is also set)
  368. TCPWRAPPERS_BLOCK_METHOD    N;
  369.  
  370. ### Set the whois timeout
  371. WHOIS_TIMEOUT               60;  ### seconds
  372.  
  373. ### Set the number of times an ip can be seen before another whois
  374. ### lookup is issued.
  375. WHOIS_LOOKUP_THRESHOLD      20;
  376.  
  377. ### Use this option to force all whois information to contain ascii-only data.
  378. ### Sometime whois information for IP addresses in China and other countries
  379. ### can contain non-ascii data.  If this option is enabled, then any non-
  380. ### ascii characters will be replaced with "NA".
  381. ENABLE_WHOIS_FORCE_ASCII    N;
  382.  
  383. ### This variable forces all whois lookups to be done against the source IP
  384. ### even when they are associated with a directly connected local network.  IT
  385. ### is usually a good idea to leave this setting as the default of 'N'.
  386. ENABLE_WHOIS_FORCE_SRC_IP   N;
  387.  
  388. ### Set the number of times an ip can be seen before another dns
  389. ### lookup is issued.
  390. DNS_LOOKUP_THRESHOLD        20;
  391.  
  392. ### Enable psad to run an external script or program (use at your
  393. ### own risk!)
  394. ENABLE_EXT_SCRIPT_EXEC      N;
  395.  
  396. ### Define an external program to run after a scan is caught.
  397. ### Note that the scan source ip can be specified on the command
  398. ### line to the external program through the use of the "SRCIP"
  399. ### string (along with some appropriate switch for the program).
  400. ### Of course this is only useful if the external program knows
  401. ### what to do with this information.
  402. ### Example:  EXTERNAL_SCRIPT       /path/to/script --ip SRCIP -v;
  403. EXTERNAL_SCRIPT             /bin/true;
  404.  
  405. ### Control execution of EXTERNAL_SCRIPT (only once per IP, or
  406. ### every time a scan is detected for an ip).
  407. EXEC_EXT_SCRIPT_PER_ALERT   N;
  408.  
  409. ### Disk usage variables
  410. DISK_CHECK_INTERVAL         300;  ### seconds
  411.  
  412. ### This can be set to 0 to disable disk checking altogether
  413. DISK_MAX_PERCENTAGE         95;
  414.  
  415. ### This can be set to 0 to have psad not place any limit on the
  416. ### number of times it will attempt to remove data from
  417. ### /var/log/psad/.
  418. DISK_MAX_RM_RETRIES         10;
  419.  
  420. ### Enable archiving of old scan directories at psad startup.
  421. ENABLE_SCAN_ARCHIVE         N;
  422.  
  423. ### Truncate fwdata file at startup
  424. TRUNCATE_FWDATA             Y;
  425.  
  426. ### Only archive scanning IP directories that have reached a danger
  427. ### level greater than or equal to this value.  Archiving old
  428. ### scanning ip directories only takes place at psad startup.
  429. MIN_ARCHIVE_DANGER_LEVEL    1;
  430.  
  431. ### Email subject line config.  Change these prefixes if you want
  432. ### psad to generate email alerts that say something other than
  433. ### the following.
  434. MAIL_ALERT_PREFIX           [psad-alert];
  435. MAIL_STATUS_PREFIX          [psad-status];
  436. MAIL_ERROR_PREFIX           [psad-error];
  437. MAIL_FATAL_PREFIX           [psad-fatal];
  438.  
  439. ### URL for getting the latest psad signatures
  440. SIG_UPDATE_URL              http://www.cipherdyne.org/psad/signatures;
  441.  
  442. ### These next two are psadwatchd vars
  443. PSADWATCHD_CHECK_INTERVAL   5;  ### seconds
  444. PSADWATCHD_MAX_RETRIES      10;
  445.  
  446. ### Directories
  447. PSAD_DIR                    /var/log/psad;
  448. PSAD_RUN_DIR                /var/run/psad;
  449. PSAD_FIFO_DIR               /var/lib/psad;
  450. PSAD_LIBS_DIR               /usr/lib/psad;
  451. PSAD_CONF_DIR               /etc/psad;
  452. PSAD_ERR_DIR                $PSAD_DIR/errs;
  453. CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
  454. SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
  455. ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
  456. SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
  457.  
  458. ### Files
  459. FW_DATA_FILE                $PSAD_DIR/fwdata;
  460. ULOG_DATA_FILE              $PSAD_DIR/ulogd.log;
  461. FW_CHECK_FILE               $PSAD_DIR/fw_check;
  462. DSHIELD_EMAIL_FILE          $PSAD_DIR/dshield.email;
  463. SIGS_FILE                   $PSAD_CONF_DIR/signatures;
  464. ICMP_TYPES_FILE             $PSAD_CONF_DIR/icmp_types;
  465. AUTO_DL_FILE                $PSAD_CONF_DIR/auto_dl;
  466. SNORT_RULE_DL_FILE          $PSAD_CONF_DIR/snort_rule_dl;
  467. POSF_FILE                   $PSAD_CONF_DIR/posf;
  468. P0F_FILE                    $PSAD_CONF_DIR/pf.os;
  469. IP_OPTS_FILE                $PSAD_CONF_DIR/ip_options;
  470. PSAD_FIFO_FILE              $PSAD_FIFO_DIR/psadfifo;
  471. ETC_HOSTS_DENY_FILE         /etc/hosts.deny;
  472. ETC_SYSLOG_CONF             /etc/syslog.conf;
  473. ETC_RSYSLOG_CONF            /etc/rsyslog.conf;
  474. ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
  475. ETC_METALOG_CONF            /etc/metalog/metalog.conf;
  476. STATUS_OUTPUT_FILE          $PSAD_DIR/status.out;
  477. ANALYSIS_OUTPUT_FILE        $PSAD_DIR/analysis.out;
  478. INSTALL_LOG_FILE            $PSAD_DIR/install.log;
  479.  
  480. ### PID files
  481. PSAD_PID_FILE               $PSAD_RUN_DIR/psad.pid;
  482. PSAD_CMDLINE_FILE           $PSAD_RUN_DIR/psad.cmd;
  483. KMSGSD_PID_FILE             $PSAD_RUN_DIR/kmsgsd.pid;
  484. PSADWATCHD_PID_FILE         $PSAD_RUN_DIR/psadwatchd.pid;
  485.  
  486. ### List of ips that have been auto blocked by iptables
  487. ### or tcpwrappers (the auto blocking feature is disabled by
  488. ### default, see the psad man page and the ENABLE_AUTO_IDS
  489. ### variable).
  490. AUTO_BLOCK_IPT_FILE         $PSAD_DIR/auto_blocked_iptables;
  491. AUTO_BLOCK_TCPWR_FILE       $PSAD_DIR/auto_blocked_tcpwr;
  492.  
  493. ### File used internally by psad to add Netfilter blocking
  494. ### rules to a running psad process
  495. AUTO_IPT_SOCK               $PSAD_RUN_DIR/auto_ipt.sock;
  496.  
  497. FW_ERROR_LOG                $PSAD_ERR_DIR/fwerrorlog;
  498. PRINT_SCAN_HASH             $PSAD_DIR/scan_hash;
  499.  
  500. ### /proc interface for controlling ip forwarding
  501. PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;
  502.  
  503. ### Packet counters for tcp, udp, and icmp protocols
  504. PACKET_COUNTER_FILE         $PSAD_DIR/packet_ctr;
  505.  
  506. ### Top scanned ports
  507. TOP_SCANNED_PORTS_FILE      $PSAD_DIR/top_ports;
  508.  
  509. ### Top signature matches
  510. TOP_SIGS_FILE               $PSAD_DIR/top_sigs;
  511.  
  512. ### Top attackers
  513. TOP_ATTACKERS_FILE          $PSAD_DIR/top_attackers;
  514.  
  515. ### Counter file for Dshield alerts
  516. DSHIELD_COUNTER_FILE        $PSAD_DIR/dshield_ctr;
  517.  
  518. ### Counter file for iptables prefixes
  519. IPT_PREFIX_COUNTER_FILE     $PSAD_DIR/ipt_prefix_ctr;
  520.  
  521. ### iptables command output and error collection files; these are
  522. ### used by IPTables::ChainMgr
  523. IPT_OUTPUT_FILE             $PSAD_DIR/psad.iptout;
  524. IPT_ERROR_FILE              $PSAD_DIR/psad.ipterr;
  525.  
  526. ### system binaries
  527. iptablesCmd      /sbin/iptables;
  528. shCmd            /bin/sh;
  529. wgetCmd          /usr/bin/wget;
  530. gzipCmd          /bin/gzip;
  531. mknodCmd         /bin/mknod;
  532. psCmd            /bin/ps;
  533. mailCmd          /usr/bin/mail;
  534. sendmailCmd      /usr/sbin/sendmail;
  535. ifconfigCmd      /sbin/ifconfig;
  536. ipCmd            /sbin/ip;
  537. killallCmd       /usr/bin/killall;
  538. netstatCmd       /bin/netstat;
  539. unameCmd         /bin/uname;
  540. whoisCmd         /usr/bin/whois_psad;
  541. dfCmd            /bin/df;
  542. fwcheck_psadCmd  /usr/sbin/fwcheck_psad;
  543. psadwatchdCmd    /usr/sbin/psadwatchd;
  544. kmsgsdCmd        /usr/sbin/kmsgsd;
  545. psadCmd          /usr/sbin/psad;
  546.  
  547.