PSAD (psad.conf)
Configuration for PSAD
Category: Security
Software: PSAD
By: Anderson L Tamborim
For those who read my article on PSAD, here is its conf file,
properly configured to improve the software's operation.
Enjoy!
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    RootSec;

HOME_NET                    ppp0;
SYSLOG_DAEMON               syslogd;

DANGER_LEVEL1               5;      ### Number of packets.
DANGER_LEVEL2               50;
DANGER_LEVEL3               1000;
DANGER_LEVEL4               5000;
DANGER_LEVEL5               10000;

PSAD_CHECK_INTERVAL         5;
SNORT_SID_STR               SID;
PORT_RANGE_SCAN_THRESHOLD   1;
ENABLE_PERSISTENCE          Y;
SCAN_TIMEOUT                3600;   ### seconds
SHOW_ALL_SIGNATURES         N;
IGNORE_CONNTRACK_BUG_PKTS   Y;
IGNORE_PORTS                NONE;
EMAIL_ALERT_DANGER_LEVEL    1;
PSAD_EMAIL_LIMIT            10;
ALERT_ALL                   Y;
IMPORT_OLD_SCANS            N;
ENABLE_DSHIELD_ALERTS       N;
ENABLE_AUTO_IDS             Y;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL       3;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT          50;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD       Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM       1;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD    N;

### Set the whois timeout
WHOIS_TIMEOUT               60;     ### seconds

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD        20;

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD      20;

### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC      Y;

### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT             /usr/sbin/iptables -A INPUT -p tcp -s SRCIP -j DROP;

### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT   Y;

### Disk usage variables
DISK_CHECK_INTERVAL         300;    ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE         95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES         10;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL    1;

### Directories
PSAD_DIR                    /var/log/psad;
SCAN_DATA_ARCHIVE_DIR       /var/log/psad/scan_archive;
PSAD_ERROR_DIR              /var/log/psad/errs;
ANALYSIS_MODE_DIR           /var/log/psad/ipt_analysis;
SNORT_RULES_DIR             /etc/snort/rules;

### Files
FW_DATA_FILE                /var/log/psad/fwdata;
FW_CHECK_FILE               /var/log/psad/fw_check;
PSAD_PID_FILE               /var/run/psad/psad.pid;
PSAD_CMDLINE_FILE           /var/run/psad/psad.cmd;
PSAD_SIGS_FILE              /etc/psad/signatures;
PSAD_ICMP_TYPES_FILE        /etc/psad/icmp_types;
PSAD_AUTO_DL_FILE           /etc/psad/auto_dl;
PSAD_POSF_FILE              /etc/psad/posf;
PSAD_FIFO                   /var/lib/psad/psadfifo;
ETC_HOSTS_DENY              /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE             /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE         /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE         /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       /var/log/psad/auto_blocked_tcpwr;

FW_ERROR_LOG                /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH             /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE         /var/log/psad/packet_ctr;

### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE        /var/log/psad/dshield_ctr;

### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE     /var/log/psad/ipt_prefix_ctr;

### system binaries
shCmd                       /bin/sh;
iptablesCmd                 /usr/sbin/iptables;
mknodCmd                    /bin/mknod;
psCmd                       /bin/ps;
mailCmd                     /bin/mail;
sendmailCmd                 /usr/sbin/sendmail;
ifconfigCmd                 /sbin/ifconfig;
syslogdCmd                  /sbin/syslogd;
syslog-ngCmd                /sbin/syslog-ng;   ### only used if SYSLOG_DAEMON = syslog-ng
killallCmd                  /usr/bin/killall;
netstatCmd                  /bin/netstat;
unameCmd                    /bin/uname;
whoisCmd                    /usr/bin/whois_psad;
dfCmd                       /bin/df;
fwcheck_psadCmd             /usr/sbin/fwcheck_psad;
psadwatchdCmd               /usr/sbin/psadwatchd;
kmsgsdCmd                   /usr/sbin/kmsgsd;
psadCmd                     /usr/sbin/psad;
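
A small linter for the active-response directives in the configuration above, added here as an example (it is not part of the original post or of psad). The function names and check ids are hypothetical, and it assumes psad expires only the block rules it adds itself, so a rule created through EXTERNAL_SCRIPT stays until someone deletes it.

```python
import re

# Constructed sample: the active-response directives from the psad.conf above.
SAMPLE_CONF = """\
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       3;
AUTO_BLOCK_TIMEOUT          50;
ENABLE_EXT_SCRIPT_EXEC      Y;
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT             /usr/sbin/iptables -A INPUT -p tcp -s SRCIP -j DROP;
EXEC_EXT_SCRIPT_PER_ALERT   Y;
"""

def parse_psad_conf(text):
    """Return {VARIABLE: value} from 'VARIABLE value;' lines, skipping # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # full-line and trailing comments
        m = re.match(r"([\w-]+)\s+(.*?)\s*;$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def audit_auto_response(conf):
    """Return (check_id, message) findings for the blocking directives."""
    def on(key):
        return conf.get(key, "N").upper() == "Y"
    findings = []
    if on("ENABLE_AUTO_IDS"):
        findings.append(("auto-block", "sources at danger level >= %s are blocked; "
                         "scan source addresses can be forged, so exempt hosts that "
                         "must stay reachable" % conf.get("AUTO_IDS_DANGER_LEVEL", "?")))
        timeout = int(conf.get("AUTO_BLOCK_TIMEOUT", "3600"))
        if timeout < 3600:
            findings.append(("short-timeout", "auto-block rules are lifted after "
                             "%d s; the file's comment gives one hour as default" % timeout))
    argv = conf.get("EXTERNAL_SCRIPT", "").split()
    if on("ENABLE_EXT_SCRIPT_EXEC") and "-A" in argv and "DROP" in argv:
        # Assumption: psad only expires rules it adds itself, not these.
        findings.append(("ext-append", "EXTERNAL_SCRIPT appends its DROP rule behind "
                         "any earlier ACCEPT and nothing in this file removes it"))
        if on("EXEC_EXT_SCRIPT_PER_ALERT"):
            findings.append(("ext-per-alert", "the command runs on every alert, so "
                             "the same SRCIP rule is appended repeatedly"))
    return findings

if __name__ == "__main__":
    for check_id, message in audit_auto_response(parse_psad_conf(SAMPLE_CONF)):
        print("[%s] %s" % (check_id, message))
```

Run against the full file, the same four findings appear: the 50-second AUTO_BLOCK_TIMEOUT applies only to psad's own rules at IPTABLES_AUTO_RULENUM 1, while the appended EXTERNAL_SCRIPT rules accumulate in INPUT.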