### useful for TOP_SCANS_CTR_THRESHOLD
my $check_interval_ctr = 0;
+### track the number of scan IP pairs for MAX_SCAN_IP_PAIRS thresholding
+my $scan_ip_pairs = 0;
+
### %auto_dl holds all ip addresses that should automatically
### be assigned a danger level (or ignored).
my %auto_dl = ();
my %auto_block_regex_match = ();
my $pkt_ctr = 0;
+ my $log_scan_ip_pair_max = 0;
my $print_scale_factor = &get_scale_factor($#$fw_packets_ar);
$top_udplite_ports{$pkt{'dp'}}++;
}
- ### track packet counts for this source
- $top_packet_counts{$pkt{'src'}}++;
-
### If we made it here then we correctly matched packets
### that the firewall logged.
print STDERR "[+] valid packet: $pkt{'src'} ($pkt{'sp'}) -> ",
"$pkt{'dst'} ($pkt{'dp'}) $pkt{'proto'}\n" if $debug;
+ ### see if we have hit the MAX_SCAN_IP_PAIRS threshold
+ if ($config{'MAX_SCAN_IP_PAIRS'} > 0) {
+ if ($scan_ip_pairs >= $config{'MAX_SCAN_IP_PAIRS'}) {
+ unless (defined $scan{$pkt{'src'}}
+ and defined $scan{$pkt{'src'}}{$pkt{'dst'}}) {
+ print STDERR "[-] excluding $pkt{'src'} -> $pkt{'dst'}, ",
+ "scan IP pairs too high: $scan_ip_pairs\n"
+ if $debug;
+ $log_scan_ip_pair_max = 1;
+ next PKT;
+ }
+ }
+ if (not defined $scan{$pkt{'src'}}) {
+ $scan_ip_pairs++;
+ } elsif (not defined $scan{$pkt{'src'}}{$pkt{'dst'}}) {
+ $scan_ip_pairs++;
+ }
+ }
+
+ ### track packet counts for this source
+ $top_packet_counts{$pkt{'src'}}++;
+
if ($config{'HOME_NET'} ne 'any') {
if ($pkt{'chain'} eq 'INPUT') {
$local_src{$pkt{'dst'}} = '';
}
}
}
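Review bot: The `$scan_ip_pairs++` at the new `if (not defined $scan{$pkt{'src'}})` branch counts the pair before anything in this hunk actually creates `$scan{$pkt{'src'}}{$pkt{'dst'}}`, so the counter and the hash can drift apart: any later `next PKT` in the loop body (outside this hunk) that skips a packet without inserting the pair leaves the counter one too high, and since the only decrement is on SCAN_TIMEOUT deletion, a long-running process would start excluding genuinely new pairs below the real memory limit. Presumably the insert happens further down in the same iteration; if so, move the increment to the statement that first assigns `$scan{$pkt{'src'}}{$pkt{'dst'}}`, guarded by `unless exists $scan{$pkt{'src'}}{$pkt{'dst'}}`, so the count tracks the structure it is meant to bound. It would also be worth a comment on the exclusion branch that this is a deliberate trade-off, e.g. `### once saturated, new src->dst pairs are dropped until an existing pair ages out via SCAN_TIMEOUT`, because a flood of spoofed sources can pin the table full and hide a later scan from detection. The enclosing packet loop starts and ends outside this hunk.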
+
### note that we send this packet data off to DShield regardless
### of whether psad decides that it is associated with a scan so
### that DShield can make its own determination
&auto_psad_response(\%curr_scan, \%auto_block_regex_match)
if $config{'ENABLE_AUTO_IDS'} eq 'Y' and not $analyze_mode;
+ if ($log_scan_ip_pair_max) {
+ &sys_log("scan IP pairs threshold reached");
+ }
+
return;
}
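Review bot: The new `&sys_log("scan IP pairs threshold reached");` fires on every check cycle while the table stays saturated (the flag is reset per call but the exclusion condition persists until pairs time out), so with a 3600s SCAN_TIMEOUT this can write the same line to syslog every CHECK_INTERVAL for an hour or more. Consider rate-limiting it to the transition into the saturated state, and include the numbers an operator needs to tune the setting, e.g. `&sys_log("scan IP pairs threshold reached: $scan_ip_pairs >= $config{'MAX_SCAN_IP_PAIRS'}, new src->dst pairs are being excluded");`. The message should say that packets are being dropped from tracking, since that is the security-relevant consequence rather than the count itself. The enclosing sub starts before this hunk.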
>= $config{'SCAN_TIMEOUT'}) {
print STDERR " delete old scan $src -> $dst\n"
if $debug;
+
delete $scan{$src}{$dst};
+
+ if ($config{'MAX_SCAN_IP_PAIRS'} > 0) {
+ $scan_ip_pairs-- if $scan_ip_pairs > 0;
+ }
}
}
}
&check_scan(\@ipt_msgs);
print "\n[+] Finished --Analyze cycle.\n";
+
return 0;
}
ENABLE_SYSLOG_FILE IPT_SYSLOG_FILE IPT_WRITE_FWDATA
ETC_RSYSLOG_CONF IFCFGTYPE ENABLE_WHOIS_FORCE_ASCII
ENABLE_WHOIS_FORCE_SRC_IP ENABLE_IPV6_DETECTION
- PERSISTENCE_CTR_THRESHOLD
+ PERSISTENCE_CTR_THRESHOLD MAX_SCAN_IP_PAIRS
);
&defined_vars(\@required_vars);
return;
SCAN_TIMEOUT 3600; ### seconds
### Specify how often to timeout old scan data relative to CHECK_INTERVAL
-### iterations. This feature is only use if ENABLE_PERSISTENCE is disabled.
+### iterations. This feature is only used if ENABLE_PERSISTENCE is disabled.
### Note that for psad processes that have tracked a lot of scans, it is
### advisable to leave this threshold at the default value of 5 or greater
### because the scan tracking hash may be quite large.
PERSISTENCE_CTR_THRESHOLD 5;
+### Limit the number of src->dst IP pairs that psad will track. The default
+### is zero (i.e. unlimited), but if psad is running on a system with limited
+### memory, this can be handy to restrict psad's memory usage. It is best to
+### combine this option with disabling ENABLE_PERSISTENCE so that older scans
+### are deleted and therefore newer scans will on average continue to be
+### tracked. A good non-zero value is, say, 50000, but this will vary
+### depending on available system memory.
+MAX_SCAN_IP_PAIRS 0;
+
### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES N;
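Review bot: The new MAX_SCAN_IP_PAIRS description should state the failure mode of a non-zero value: once the cap is reached, packets for any src->dst pair not already tracked are dropped from scan analysis (the code does `next PKT` for them), so a burst of spoofed sources can fill the table and cause a subsequent real scan to go unreported until older pairs age out via SCAN_TIMEOUT. "newer scans will on average continue to be tracked" understates this, since with ENABLE_PERSISTENCE on nothing ages out and the exclusion is permanent until restart. Suggest adding a line after the last sentence such as `### NOTE: when the limit is reached, packets from src->dst pairs that are not already tracked are ignored until an existing pair expires via SCAN_TIMEOUT, so a flood of spoofed sources can temporarily blind psad to new scans; leave this at zero unless memory is genuinely constrained.`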