psad (Port Scan Attack Detector)
-Version: 1.4.1
+Version: 3.0
Author: Michael Rash (mbr@cipherdyne.org)
-Website: http://www.cipherdyne.org
+Website: http://www.cipherdyne.org/
Thanks to: (see the CREDITS file).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DESCRIPTION:
- The Port Scan Attack Detector (psad) is a collection of three lightweight
+ The Port Scan Attack Detector (psad) is a collection of two lightweight
system daemons written in Perl and in C that are designed to work with Linux
iptables firewalling code to detect port scans and other suspect traffic. It
features a set of highly configurable danger thresholds (with sensible
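Review bot: the daemon count on the `+` line drops from three to two, but the unchanged line "system daemons written in Perl and in C" is not updated; the later METHODOLOGY hunk removes the description of the separate daemon (kmsgsd) that read the named pipe, so if that is the daemon being dropped, the "in C" part may now be stale. Suggest naming the two remaining daemons here so the count and the language claim are verifiable, e.g. "a collection of two lightweight system daemons (psad and psadwatchd) written in Perl".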
CONFIGURATION INFORMATION:
Information on config keywords referenced by psad may be found both in the
-psad man(8) page, and also here:
+psad(8) man page, and also here:
http://www.cipherdyne.org/psad/docs/config.html
METHODOLOGY:
All information psad analyzes is gathered from iptables log messages.
-psad creates a named pipe (/var/lib/psad/psadfifo) and reconfigures syslog to
-write kern.info messages to the pipe. As log messages are generated by
-iptables, a separate daemon (called kmsgsd) reads any messages that match a
-particular regular expression designed to catch dropped/rejected packets out
-of the pipe and write them to a separate file (/var/log/psad/fwdata). psad is
-then responsible for reading messages as they are generated from this file and
-applying the danger threshold and signature logic in order to determine
-whether or not a port scan has taken place, send appropriate alert emails,
-and (optionally) block offending ip addresses. psad includes a signal
-handler such that if a USR1 signal is received, psad will dump the contents
-of the current scan hash data structure to /var/log/psad/scan_hash.$$ where
-"$$" represents the pid of the running psad daemon.
+psad by default reads the /var/log/messages file for new iptables messages and
+optionally writes them out to a dedicated file (/var/log/psad/fwdata).
+psad is then responsible for applying the danger threshold and signature logic
+in order to determine whether or not a port scan has taken place, send
+appropriate alert emails, and (optionally) block offending ip addresses. psad
+includes a signal handler such that if a USR1 signal is received, psad will
+dump the contents of the current scan hash data structure to
+/var/log/psad/scan_hash.$$ where "$$" represents the pid of the running psad
+daemon.
NOTE: Since psad relies on iptables to generate appropriate log messages
for unauthorized packets, psad is only as good as the logging rules included
See the FW_EXAMPLE_RULES file for example firewall rulesets that are
compatible with psad.
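Review bot: the new paragraph says psad "optionally writes" iptables messages to /var/log/psad/fwdata but does not say which psad.conf keyword turns that on, nor does it state that the syslog reconfiguration and the /var/lib/psad/psadfifo named pipe from the removed lines are no longer needed; a sentence making that explicit would stop users upgrading from the old setup from keeping a stale syslog entry pointing at the pipe. The new text also silently replaces the old "kern.info messages" dependency with a dependency on syslog writing kernel messages to /var/log/messages, which belongs in the NOTE that follows ("psad is only as good as the logging rules" plus the syslog configuration that delivers them). Minor style: "ip addresses" should be "IP addresses", and "determine whether or not a port scan has taken place, send appropriate alert emails, and (optionally) block" reads better with parallel verbs: "determine whether a port scan has taken place, send alert emails, and optionally block offending IP addresses".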
+Additionally, extensive coverage of psad is included in the book "Linux
+Firewalls: Attack Detection and Response" published by No Starch Press, and a
+supporting script in this book is compatible with psad. This script can be
+found here:
+
+http://www.cipherdyne.org/LinuxFirewalls/ch01/
+
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
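Review bot: "a supporting script in this book is compatible with psad" is too vague for a README; name the script and what it does, and note that the link points at a chapter directory rather than the script itself. It would also help to say which psad version the script was written against, since this hunk sits in a README whose version line moves to 3.0 and readers of the book need to know whether the script still applies.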
INSTALLATION:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
COPYRIGHT:
-Copyright (C)1999-2006 Michael Rash (mbr@cipherdyne.org)
+Copyright (C) 1999-2012 Michael Rash (mbr@cipherdyne.org)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by