<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="fr">
	<id>https://wikiold.home.tartarefr.eu/index.php?action=history&amp;feed=atom&amp;title=IDS%2FPsad</id>
	<title>IDS/Psad - Historique des versions</title>
	<link rel="self" type="application/atom+xml" href="https://wikiold.home.tartarefr.eu/index.php?action=history&amp;feed=atom&amp;title=IDS%2FPsad"/>
	<link rel="alternate" type="text/html" href="https://wikiold.home.tartarefr.eu/index.php?title=IDS/Psad&amp;action=history"/>
	<updated>2026-07-06T18:38:48Z</updated>
	<subtitle>Historique des versions pour cette page sur le wiki</subtitle>
	<generator>MediaWiki 1.43.8</generator>
	<entry>
		<id>https://wikiold.home.tartarefr.eu/index.php?title=IDS/Psad&amp;diff=2629&amp;oldid=prev</id>
		<title>Didier le 21 mars 2014 à 13:00</title>
		<link rel="alternate" type="text/html" href="https://wikiold.home.tartarefr.eu/index.php?title=IDS/Psad&amp;diff=2629&amp;oldid=prev"/>
		<updated>2014-03-21T13:00:29Z</updated>

		<summary type="html">&lt;p&gt;&lt;/p&gt;
&lt;table style=&quot;background-color: #fff; color: #202122;&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;tr class=&quot;diff-title&quot; lang=&quot;fr&quot;&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;← Version précédente&lt;/td&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;Version du 21 mars 2014 à 13:00&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l74&quot;&gt;Ligne 74 :&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Ligne 74 :&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#FW_MSG_SEARCH               Audit;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#FW_MSG_SEARCH               Audit;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#FW_MSG_SEARCH               REJECT;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#FW_MSG_SEARCH               REJECT;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;FW_MSG_SEARCH               DROP;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;#&lt;/ins&gt;FW_MSG_SEARCH               DROP&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;;&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;FW_MSG_SEARCH                iptables: &lt;/ins&gt;;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;</summary>
		<author><name>Didier</name></author>
	</entry>
	<entry>
		<id>https://wikiold.home.tartarefr.eu/index.php?title=IDS/Psad&amp;diff=2628&amp;oldid=prev</id>
		<title>Didier : /* Configuration */</title>
		<link rel="alternate" type="text/html" href="https://wikiold.home.tartarefr.eu/index.php?title=IDS/Psad&amp;diff=2628&amp;oldid=prev"/>
		<updated>2014-03-21T12:54:57Z</updated>

		<summary type="html">&lt;p&gt;&lt;span class=&quot;autocomment&quot;&gt;Configuration&lt;/span&gt;&lt;/p&gt;
&lt;table style=&quot;background-color: #fff; color: #202122;&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;tr class=&quot;diff-title&quot; lang=&quot;fr&quot;&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;← Version précédente&lt;/td&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;Version du 21 mars 2014 à 12:54&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l12&quot;&gt;Ligne 12 :&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Ligne 12 :&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== Configuration ==&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;== Configuration ==&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Comme expliqué en introduction, les paquets doivent être loggués par [[Security/IpTables|iptables]]. On ajoute &lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;ces règles aux début &lt;/del&gt;afin de loggué tous les paquets.&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Comme expliqué en introduction, les paquets doivent être loggués par [[Security/IpTables|iptables]]. On ajoute &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;cette règle à la fin &lt;/ins&gt;afin de loggué tous les paquets &lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;rejeté par le firewall&lt;/ins&gt;.&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;iptables -A INPUT -j LOG --log-prefix &amp;quot;iptables: &amp;quot; --log-tcp-sequence --log-tcp-options --log-ip-options&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;iptables -A INPUT -j LOG --log-prefix &amp;quot;iptables: &amp;quot; --log-tcp-sequence --log-tcp-options --log-ip-options&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;iptables -A OUTPUT -j LOG --log-prefix &quot;iptables: &quot; --log-tcp-sequence --log-tcp-options --log-ip-options&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-added&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;iptables -A FORWARD -j LOG --log-prefix &quot;iptables: &quot; --log-tcp-sequence --log-tcp-options --log-ip-options&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-added&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/syntaxhighlight&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/syntaxhighlight&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Fichier &amp;lt;path&amp;gt;/etc/psad/psad.conf&amp;lt;/path&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;Fichier &amp;lt;path&amp;gt;/etc/psad/psad.conf&amp;lt;/path&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;pre&lt;/del&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;syntaxhighlight lang=&quot;bash&quot;&lt;/ins&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;#&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;##############################################################################&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;##############################################################################&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l620&quot;&gt;Ligne 620 :&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Ligne 618 :&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;kmsgsdCmd        $INSTALL_ROOT/usr/sbin/kmsgsd;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;kmsgsdCmd        $INSTALL_ROOT/usr/sbin/kmsgsd;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;psadCmd          $INSTALL_ROOT/usr/sbin/psad;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;psadCmd          $INSTALL_ROOT/usr/sbin/psad;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;pre&lt;/del&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&amp;lt;/&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;syntaxhighlight&lt;/ins&gt;&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;del style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Pour mettre à jour les règles, entrez la commande suivante dans un terminal :&lt;/del&gt;&lt;/div&gt;&lt;/td&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-added&quot;&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-side-deleted&quot;&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;Pour mettre à jour le fichier de signatures, entrez la commande suivante dans un terminal :&lt;/ins&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;  psad --sig-update&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;  psad --sig-update&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;</summary>
		<author><name>Didier</name></author>
	</entry>
	<entry>
		<id>https://wikiold.home.tartarefr.eu/index.php?title=IDS/Psad&amp;diff=2627&amp;oldid=prev</id>
		<title>Didier : Page créée avec « == Introduction ==  psad est une collection de trois démons système léger écrits en Perl et C, fonctionnant sous linux et qui analise les messages (log) du pare-feu Li... »</title>
		<link rel="alternate" type="text/html" href="https://wikiold.home.tartarefr.eu/index.php?title=IDS/Psad&amp;diff=2627&amp;oldid=prev"/>
		<updated>2014-03-21T08:44:56Z</updated>

		<summary type="html">&lt;p&gt;Page créée avec « == Introduction ==  psad est une collection de trois démons système léger écrits en Perl et C, fonctionnant sous linux et qui analise les messages (log) du pare-feu Li... »&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Nouvelle page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
psad est une collection de trois démons système léger écrits en Perl et C, fonctionnant sous linux et qui analise les messages (log) du pare-feu Linux [[Security/IpTables|iptables]] pour détecter les scans de ports et autre trafic frauduleux. Une installation typique est de faire tourner les daemons sur le firewall, afin d&amp;#039;avoir un accès rapide au message de log.&lt;br /&gt;
&lt;br /&gt;
psad est développé autour de trois grand principes:&lt;br /&gt;
* Une bonne sécurité réseau commence avec un firewall correctement configuré.&lt;br /&gt;
* Une grande partie des données de la détection d&amp;#039;intrusion peut être collecté depuis les logs de firewall, surtout si les logs contiennent des informations sur presque chaque champs réseau et des en-têtes de transport (et surtout des correspondance de signature avec la couche applicative avec Netfilter).&lt;br /&gt;
* Le trafic frauduleux ne doit pas détecté aux dépens de tentative de blocage d&amp;#039;un tel trafic. &lt;br /&gt;
&lt;br /&gt;
psad contient beaucoup de signatures provenant du détecteur d&amp;#039;intrusion [[IDS/Snort|Snort]] pour détecter plusieurs backdoors (EvilFTP, GirlFriend, SubSeven), les outils d&amp;#039;attaque DDos (mstream, shaft) et de scan de port avancé (FIN, NULL, XMAS) qui peuvent être lancé facilement avec [[IDS/Nmap|nmap]]. Combiné à [[IDS/Fwsnort|fwsnort]] et à l&amp;#039;extension netfilter string match, psad est capable de détecter beaucoup d&amp;#039;attaques décrites dans les règles [[IDS/Snort|Snort]] qui affecte la couche applicative. De plus, psad utilise les en-tête de paquet associé au paquet TCP SYN pour obtenir l&amp;#039;empreinte du sytème distant (de manière similaire à p0f) qui est à l&amp;#039;origine des scans.&lt;br /&gt;
&lt;br /&gt;
== Configuration ==&lt;br /&gt;
&lt;br /&gt;
Comme expliqué en introduction, les paquets doivent être loggués par [[Security/IpTables|iptables]]. On ajoute ces règles aux début afin de loggué tous les paquets.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
iptables -A INPUT -j LOG --log-prefix &amp;quot;iptables: &amp;quot; --log-tcp-sequence --log-tcp-options --log-ip-options&lt;br /&gt;
iptables -A OUTPUT -j LOG --log-prefix &amp;quot;iptables: &amp;quot; --log-tcp-sequence --log-tcp-options --log-ip-options&lt;br /&gt;
iptables -A FORWARD -j LOG --log-prefix &amp;quot;iptables: &amp;quot; --log-tcp-sequence --log-tcp-options --log-ip-options&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Fichier &amp;lt;path&amp;gt;/etc/psad/psad.conf&amp;lt;/path&amp;gt;&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
#&lt;br /&gt;
##############################################################################&lt;br /&gt;
#&lt;br /&gt;
#  This is the configuration file for psad (the Port Scan Attack Detector).&lt;br /&gt;
#  Normally this file gets installed at /etc/psad/psad.conf, but can be put&lt;br /&gt;
#  anywhere in the filesystem and then the path can be specified on the&lt;br /&gt;
#  command line argument &amp;quot;-c &amp;lt;file&amp;gt;&amp;quot; to psad.  All three psad daemons (psad,&lt;br /&gt;
#  kmsgsd, and psadwatchd) reference this config file.&lt;br /&gt;
#&lt;br /&gt;
#  Each line has the form  &amp;quot;&amp;lt;variable name&amp;gt;    &amp;lt;value&amp;gt;;&amp;quot;.  Note the semi-&lt;br /&gt;
#  colon after the &amp;lt;value&amp;gt;.  All characters after the semicolon will be&lt;br /&gt;
#  ignored to provide space for comments.&lt;br /&gt;
#&lt;br /&gt;
##############################################################################&lt;br /&gt;
#&lt;br /&gt;
&lt;br /&gt;
### Supports multiple email addresses (as a comma separated&lt;br /&gt;
### list).&lt;br /&gt;
EMAIL_ADDRESSES             root@localhost;&lt;br /&gt;
&lt;br /&gt;
### Machine hostname&lt;br /&gt;
HOSTNAME                    localhost;&lt;br /&gt;
&lt;br /&gt;
### Specify the home and external networks.  Note that by default the&lt;br /&gt;
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects&lt;br /&gt;
### all of the directly connected subnets and uses this information as&lt;br /&gt;
### the HOME_NET variable.&lt;br /&gt;
HOME_NET                    any;&lt;br /&gt;
EXTERNAL_NET                any;&lt;br /&gt;
&lt;br /&gt;
### The FW_SEARCH_ALL variable controls how psad will parse iptables&lt;br /&gt;
### messages.  If it is set to &amp;quot;Y&amp;quot; then psad will parse all iptables&lt;br /&gt;
### messages for evidence of scan activity.  If it is set to &amp;quot;N&amp;quot; then&lt;br /&gt;
### psad will only parse those iptables messages that contain logging&lt;br /&gt;
### prefixes specified by the FW_MSG_SEARCH variable below.  Logging&lt;br /&gt;
### prefixes are set with the --log-prefix command line option to iptables.&lt;br /&gt;
### Setting FW_SEARCH_ALL to &amp;quot;N&amp;quot; is useful for having psad only analyze&lt;br /&gt;
### iptables messages that are logged out of a specific iptables chain&lt;br /&gt;
### (multiple strings can be searched for, see the comment above the&lt;br /&gt;
### FW_MSG_SEARCH variable below) or a specific logging rule for example.&lt;br /&gt;
### FW_SEARCH_ALL is set to &amp;quot;Y&amp;quot; by default since usually people want psad&lt;br /&gt;
### to parse all iptables messages.&lt;br /&gt;
FW_SEARCH_ALL               Y;&lt;br /&gt;
&lt;br /&gt;
### The FW_MSG_SEARCH variable can be modified to look for logging messages&lt;br /&gt;
### that are specific to your firewall configuration (specified by the&lt;br /&gt;
### &amp;quot;--log-prefix&amp;quot; option.  For example, if your firewall uses the&lt;br /&gt;
### string &amp;quot;Audit&amp;quot; for packets that have been blocked, then you could&lt;br /&gt;
### set FW_MSG_SEARCH to &amp;quot;Audit&amp;quot;;  The default string to search for is&lt;br /&gt;
### &amp;quot;DROP&amp;quot;.  Both psad and kmsgsd reference this file.  NOTE: You can&lt;br /&gt;
### specify this variable multiple times to have psad search for multiple&lt;br /&gt;
### strings.  For example to have psad search for the strings &amp;quot;Audit&amp;quot; and&lt;br /&gt;
### &amp;quot;Reject&amp;quot;, you would use the following two lines:&lt;br /&gt;
#FW_MSG_SEARCH               Audit;&lt;br /&gt;
#FW_MSG_SEARCH               REJECT;&lt;br /&gt;
FW_MSG_SEARCH               DROP;&lt;br /&gt;
&lt;br /&gt;
### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON&lt;br /&gt;
### variable accepts four possible values: syslogd, syslog-ng, ulogd,&lt;br /&gt;
### or metalog.  Note: this variable is only used if ENABLE_SYSLOG_FILE is&lt;br /&gt;
### disabled, and this in turn will mean that the legacy kmsgsd daemon will&lt;br /&gt;
### collect firewall logs from syslog via the old named pipe mechanism.&lt;br /&gt;
SYSLOG_DAEMON               syslogd;&lt;br /&gt;
&lt;br /&gt;
### What type of interface configuration do you use?  Set this variable to&lt;br /&gt;
### &amp;quot;iproute2&amp;quot; if you want to use the iproute2 type configuration.&lt;br /&gt;
### iproute2 does not use aliases for multi-homed interfaces and&lt;br /&gt;
### ifconfig does not show secondary addresses for multi-homed interfaces.&lt;br /&gt;
#IFCFGTYPE  iproute2;&lt;br /&gt;
IFCFGTYPE                   ifconfig;&lt;br /&gt;
&lt;br /&gt;
### Danger levels.  These represent the total number of&lt;br /&gt;
### packets required for a scan to reach each danger level.&lt;br /&gt;
### A scan may also reach a danger level if the scan trips&lt;br /&gt;
### a signature or if the scanning ip is listed in&lt;br /&gt;
### auto_ips so a danger level is automatically&lt;br /&gt;
### assigned.&lt;br /&gt;
DANGER_LEVEL1               5;    ### Number of packets.&lt;br /&gt;
DANGER_LEVEL2               15;&lt;br /&gt;
DANGER_LEVEL3               150;&lt;br /&gt;
DANGER_LEVEL4               1500;&lt;br /&gt;
DANGER_LEVEL5               10000;&lt;br /&gt;
&lt;br /&gt;
### Set the interval (in seconds) psad will use to sleep before&lt;br /&gt;
### checking for new iptables log messages&lt;br /&gt;
CHECK_INTERVAL              5;&lt;br /&gt;
&lt;br /&gt;
### Search for snort &amp;quot;sid&amp;quot; values generated by fwsnort&lt;br /&gt;
### or snort2iptables&lt;br /&gt;
SNORT_SID_STR               SID;&lt;br /&gt;
&lt;br /&gt;
### Set the minimum range of ports that must be scanned before&lt;br /&gt;
### psad will send an alert.  The default is 1 so that at&lt;br /&gt;
### least two port must be scanned (p2-p1 &amp;gt;= 1).  This can be set&lt;br /&gt;
### to 0 if you want psad to be extra paranoid, or 30000 if not.&lt;br /&gt;
PORT_RANGE_SCAN_THRESHOLD   1;&lt;br /&gt;
&lt;br /&gt;
### For IP protocol scan detection (nmap -sO).  While it may be relatively&lt;br /&gt;
### common for a host to trigger on tcp, udp, and icmp, it is more unusual if&lt;br /&gt;
### a host triggers on, say, five different IP protocols&lt;br /&gt;
PROTOCOL_SCAN_THRESHOLD     5;&lt;br /&gt;
&lt;br /&gt;
### If &amp;quot;Y&amp;quot;, means that scans will never timeout.  This is useful&lt;br /&gt;
### for catching scans that take place over long periods of time&lt;br /&gt;
### where the attacker is trying to slip beneath the IDS thresholds.&lt;br /&gt;
ENABLE_PERSISTENCE          Y;&lt;br /&gt;
&lt;br /&gt;
### This is used only if ENABLE_PERSISTENCE = &amp;quot;N&amp;quot;;&lt;br /&gt;
SCAN_TIMEOUT                3600;  ### seconds&lt;br /&gt;
&lt;br /&gt;
### Specify how often to timeout old scan data relative to CHECK_INTERVAL&lt;br /&gt;
### iterations.  This feature is only used if ENABLE_PERSISTENCE is disabled.&lt;br /&gt;
### Note that for psad processes that have tracked a lot of scans, it is&lt;br /&gt;
### advisable to leave this threshold at the default value of 5 or greater&lt;br /&gt;
### because the scan tracking hash may be quite large.&lt;br /&gt;
PERSISTENCE_CTR_THRESHOLD   5;&lt;br /&gt;
&lt;br /&gt;
### Limit the number of src-&amp;gt;dst IP pairs that psad will track.  The default&lt;br /&gt;
### is zero (i.e. unlimited), but if psad is running on a system with limited&lt;br /&gt;
### memory, this can be handy to restrict psad&amp;#039;s memory usage.  It is best to&lt;br /&gt;
### combine this option with disabling ENABLE_PERSISTENCE so that older scans&lt;br /&gt;
### are deleted and therefore newer scans will on average continue to be&lt;br /&gt;
### tracked.  A good non-zero value is, say, 50000, but this will vary&lt;br /&gt;
### depending on available system memory.&lt;br /&gt;
MAX_SCAN_IP_PAIRS           0;&lt;br /&gt;
&lt;br /&gt;
### If &amp;quot;Y&amp;quot;, means all signatures will be shown since&lt;br /&gt;
### the scan started instead of just the current ones.&lt;br /&gt;
SHOW_ALL_SIGNATURES         N;&lt;br /&gt;
&lt;br /&gt;
### Allow reporting methods to be enabled/restricted.  This keyword can&lt;br /&gt;
### accept values of &amp;quot;nosyslog&amp;quot; (don&amp;#039;t write any messages to syslog),&lt;br /&gt;
### &amp;quot;noemail&amp;quot; (don&amp;#039;t send any email messages), or &amp;quot;ALL&amp;quot; (to generate both&lt;br /&gt;
### syslog and email messages).  &amp;quot;ALL&amp;quot; is the default.  Both &amp;quot;nosyslog&amp;quot;&lt;br /&gt;
### and &amp;quot;noemail&amp;quot; can be combined with a comma to disable all logging&lt;br /&gt;
### and alerting.&lt;br /&gt;
ALERTING_METHODS            ALL;&lt;br /&gt;
&lt;br /&gt;
### By default, psad acquires iptables log data from the /var/log/messages&lt;br /&gt;
### file which the local syslog daemon (usually) writes iptables log messages&lt;br /&gt;
### to.  If the ENABLE_SYSLOG_FILE variable below is set to &amp;quot;N&amp;quot;, then psad&lt;br /&gt;
### reconfigures syslog to write iptables log data to the&lt;br /&gt;
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd&lt;br /&gt;
### written to the file /var/log/psad/fwdata for analysis by psad.  On some&lt;br /&gt;
### systems, having syslog communicate log data to kmsgsd can be problematic&lt;br /&gt;
### (syslog configs and external factors such as Apparmor and SELinux can play&lt;br /&gt;
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to &amp;quot;Y&amp;quot; is&lt;br /&gt;
### usually recommended.&lt;br /&gt;
ENABLE_SYSLOG_FILE          Y;&lt;br /&gt;
IPT_WRITE_FWDATA            Y;&lt;br /&gt;
IPT_SYSLOG_FILE             /var/log/iptables.log;&lt;br /&gt;
&lt;br /&gt;
### When enabled, this instructs psad to write the &amp;quot;msg&amp;quot; field&lt;br /&gt;
### associated with Snort rule matches to syslog.&lt;br /&gt;
ENABLE_SIG_MSG_SYSLOG       Y;&lt;br /&gt;
SIG_MSG_SYSLOG_THRESHOLD    10;&lt;br /&gt;
SIG_SID_SYSLOG_THRESHOLD    10;&lt;br /&gt;
&lt;br /&gt;
### TTL values are decremented depending on the number of hops&lt;br /&gt;
### the packet has taken before it hits the firewall.  We will&lt;br /&gt;
### assume packets will not jump through more than 20 hops on&lt;br /&gt;
### average.&lt;br /&gt;
MAX_HOPS                    20;&lt;br /&gt;
&lt;br /&gt;
### Do not include any timestamp included within kernel logging&lt;br /&gt;
### messages (Ubuntu systems commonly have this)&lt;br /&gt;
IGNORE_KERNEL_TIMESTAMP     Y;&lt;br /&gt;
&lt;br /&gt;
### FIXME: try to mitigate the affects of the iptables connection&lt;br /&gt;
### tracking bug by ignoring tcp packets that have the ack bit set.&lt;br /&gt;
### Read the &amp;quot;BUGS&amp;quot; section of the psad man page.  Note that&lt;br /&gt;
### if a packet matches a snort SID generated by fwsnort (see&lt;br /&gt;
### http://www.cipherdyne.org/fwsnort/)&lt;br /&gt;
### then psad will see it even if the ack bit is set.  See the&lt;br /&gt;
### SNORT_SID_STR variable.&lt;br /&gt;
IGNORE_CONNTRACK_BUG_PKTS   Y;&lt;br /&gt;
&lt;br /&gt;
### define a set of ports to ignore (this is useful particularly&lt;br /&gt;
### for port knocking applications since the knock sequence will&lt;br /&gt;
### look to psad like a scan).  This variable may be defined as&lt;br /&gt;
### a comma-separated list of port numbers or port ranges and&lt;br /&gt;
### corresponding protocol,  For example, to have psad ignore all&lt;br /&gt;
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:&lt;br /&gt;
### IGNORE_PORTS        tcp/61000-61356, udp/53, udp/5000;&lt;br /&gt;
IGNORE_PORTS                NONE;&lt;br /&gt;
&lt;br /&gt;
### allow entire protocols to be ignored.  This keyword can accept&lt;br /&gt;
### a comma separated list of protocols.  Each protocol must match&lt;br /&gt;
### the protocol that is specified in an iptables log message (case&lt;br /&gt;
### insensitively, so both &amp;quot;TCP&amp;quot; or &amp;quot;tcp&amp;quot; is ok).&lt;br /&gt;
### IGNORE_PROTOCOL             tcp,udp;&lt;br /&gt;
IGNORE_PROTOCOLS            NONE;&lt;br /&gt;
&lt;br /&gt;
### allow packets to be ignored based on interface (this is the&lt;br /&gt;
### &amp;quot;IN&amp;quot; interface in iptables logging messages).&lt;br /&gt;
IGNORE_INTERFACES           NONE;&lt;br /&gt;
&lt;br /&gt;
### Ignore these specific logging prefixes&lt;br /&gt;
IGNORE_LOG_PREFIXES         NONE;&lt;br /&gt;
&lt;br /&gt;
### Minimum danger level a scan must reach before any logging or&lt;br /&gt;
### alerting is done.  The EMAIL_ALERT_DANGER_LEVEL variable below&lt;br /&gt;
### only refers to email alerts; the MIN_DANGER_LEVEL variable&lt;br /&gt;
### applies to everything from email alerts to whether or not the&lt;br /&gt;
### IP directory is created within /var/log/psad/.  Hence&lt;br /&gt;
### MIN_DANGER_LEVEL should be set less than or equal to the value&lt;br /&gt;
### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.&lt;br /&gt;
MIN_DANGER_LEVEL            1;&lt;br /&gt;
&lt;br /&gt;
### Only send email alert if danger level &amp;gt;= to this value.&lt;br /&gt;
EMAIL_ALERT_DANGER_LEVEL    1;&lt;br /&gt;
&lt;br /&gt;
### Enable detection of malicious activity that is delivered via IPv6.  If&lt;br /&gt;
### ip6tables is not logging any traffic, then psad won&amp;#039;t know anything&lt;br /&gt;
### about IPv6, or this variable can be set to &amp;quot;N&amp;quot; (this would be slightly&lt;br /&gt;
### faster if ip6tables isn&amp;#039;t logging anything).&lt;br /&gt;
ENABLE_IPV6_DETECTION       Y;&lt;br /&gt;
&lt;br /&gt;
### Treat all subnets on local interfaces as part of HOME_NET (this&lt;br /&gt;
### means that these networks do not have to be manually defined)&lt;br /&gt;
ENABLE_INTF_LOCAL_NETS      Y;&lt;br /&gt;
&lt;br /&gt;
### Include MAC addresses in email alert&lt;br /&gt;
ENABLE_MAC_ADDR_REPORTING   N;&lt;br /&gt;
&lt;br /&gt;
### Look for the iptables logging rule (fwcheck_psad is executed)&lt;br /&gt;
ENABLE_FW_LOGGING_CHECK     Y;&lt;br /&gt;
&lt;br /&gt;
### Send no more than this number of emails for a single&lt;br /&gt;
### scanning source IP.  Note that enabling this feature may cause&lt;br /&gt;
### alerts for real attacks to not be generated if an attack is sent&lt;br /&gt;
### after the email threshold has been reached for an IP address.&lt;br /&gt;
### This is why the default is set to &amp;quot;0&amp;quot;.&lt;br /&gt;
EMAIL_LIMIT                 0;&lt;br /&gt;
&lt;br /&gt;
### By default, psad maintains a counter for each scanning source address,&lt;br /&gt;
### but by enabling this variable psad will maintain email counters for&lt;br /&gt;
### each victim address that is scanned as well.&lt;br /&gt;
ENABLE_EMAIL_LIMIT_PER_DST  N;&lt;br /&gt;
&lt;br /&gt;
### If &amp;quot;Y&amp;quot;, send a status email message when an IP has reached the&lt;br /&gt;
### EMAIL_LIMIT threshold.&lt;br /&gt;
EMAIL_LIMIT_STATUS_MSG      Y;&lt;br /&gt;
&lt;br /&gt;
### This variable is used to have psad throttle the email alerts it sends,&lt;br /&gt;
### and implemented as a per-IP threshold.  That is, if EMAIL_THROTTLE&lt;br /&gt;
### is set to &amp;quot;10&amp;quot;, then psad will only send 1/10th as many emails for each&lt;br /&gt;
### scanning IP as it would have normally.  All other variables also apply,&lt;br /&gt;
### so this throttle value is taken into account after everything else.  The&lt;br /&gt;
### default of zero means to not apply any throttling.&lt;br /&gt;
EMAIL_THROTTLE              0;&lt;br /&gt;
&lt;br /&gt;
### If &amp;quot;Y&amp;quot;, send email for all newly logged packets from the same&lt;br /&gt;
### source ip instead of just when a danger level increases.&lt;br /&gt;
ALERT_ALL                   Y;&lt;br /&gt;
&lt;br /&gt;
### If &amp;quot;Y&amp;quot;, then psad will import old scan source ip directories&lt;br /&gt;
### as current scans instead of moving the directories into the&lt;br /&gt;
### archive directory.&lt;br /&gt;
IMPORT_OLD_SCANS            N;&lt;br /&gt;
&lt;br /&gt;
### syslog facility and priority (the defaults are usually ok)&lt;br /&gt;
### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and&lt;br /&gt;
### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE,&lt;br /&gt;
### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG&lt;br /&gt;
SYSLOG_IDENTITY             psad;&lt;br /&gt;
SYSLOG_FACILITY             LOG_LOCAL7;&lt;br /&gt;
SYSLOG_PRIORITY             LOG_INFO;&lt;br /&gt;
&lt;br /&gt;
### Port thresholds for logging and -S and -A output.&lt;br /&gt;
TOP_PORTS_LOG_THRESHOLD     500;&lt;br /&gt;
STATUS_PORTS_THRESHOLD      20;&lt;br /&gt;
&lt;br /&gt;
### Signature thresholds for logging and -S and -A output.&lt;br /&gt;
TOP_SIGS_LOG_THRESHOLD      500;&lt;br /&gt;
STATUS_SIGS_THRESHOLD       50;&lt;br /&gt;
&lt;br /&gt;
### Attackers thresholds for logging and -S and -A output.&lt;br /&gt;
TOP_IP_LOG_THRESHOLD        500;&lt;br /&gt;
STATUS_IP_THRESHOLD         25;&lt;br /&gt;
&lt;br /&gt;
### Specify how often to log the TOP_* information (i.e. how many&lt;br /&gt;
### CHECK_INTERVAL iterations before the data is logged again).&lt;br /&gt;
TOP_SCANS_CTR_THRESHOLD     1;&lt;br /&gt;
&lt;br /&gt;
### Send scan logs to dshield.org.  This is disabled by default,&lt;br /&gt;
### but is a good idea to enable it (subject to your site security&lt;br /&gt;
### policy) since the DShield service helps to track the bad guys.&lt;br /&gt;
### For more information visit http://www.dshield.org&lt;br /&gt;
ENABLE_DSHIELD_ALERTS       N;&lt;br /&gt;
&lt;br /&gt;
### dshield.org alert email address; this should not be changed&lt;br /&gt;
### unless the guys at DShield have changed it.&lt;br /&gt;
DSHIELD_ALERT_EMAIL         reports@dshield.org;&lt;br /&gt;
&lt;br /&gt;
### Time interval (hours) to send email alerts to dshield.org.&lt;br /&gt;
### The default is 6 hours, and cannot be less than 1 hour or&lt;br /&gt;
### more than 24 hours.&lt;br /&gt;
DSHIELD_ALERT_INTERVAL      6;  ### hours&lt;br /&gt;
&lt;br /&gt;
### If you have a DShield user id you can set it here.  The&lt;br /&gt;
### default is &amp;quot;0&amp;quot;.&lt;br /&gt;
DSHIELD_USER_ID             0;&lt;br /&gt;
&lt;br /&gt;
### If you want the outbound DShield email to appear as though it&lt;br /&gt;
### is coming from a particular user address then set it here.&lt;br /&gt;
DSHIELD_USER_EMAIL          NONE;&lt;br /&gt;
&lt;br /&gt;
### Threshold danger level for DShield data; a scan must reach this&lt;br /&gt;
### danger level before associated packets will be included in an&lt;br /&gt;
### alert to DShield.  Note that zero is the default since this&lt;br /&gt;
### will allow DShield to apply its own logic to determine what&lt;br /&gt;
### constitutes a scan (_all_ iptables log messages will be included&lt;br /&gt;
### in DShield email alerts).&lt;br /&gt;
DSHIELD_DL_THRESHOLD        0;&lt;br /&gt;
&lt;br /&gt;
### List of servers.  Fwsnort supports the same variable resolution as&lt;br /&gt;
#### Snort.&lt;br /&gt;
HTTP_SERVERS                $HOME_NET;&lt;br /&gt;
SMTP_SERVERS                $HOME_NET;&lt;br /&gt;
DNS_SERVERS                 $HOME_NET;&lt;br /&gt;
SQL_SERVERS                 $HOME_NET;&lt;br /&gt;
TELNET_SERVERS              $HOME_NET;&lt;br /&gt;
&lt;br /&gt;
#### AOL AIM server nets&lt;br /&gt;
AIM_SERVERS                 [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];&lt;br /&gt;
&lt;br /&gt;
### Configurable port numbers&lt;br /&gt;
HTTP_PORTS                  80;&lt;br /&gt;
SHELLCODE_PORTS             !80;&lt;br /&gt;
ORACLE_PORTS                1521;&lt;br /&gt;
&lt;br /&gt;
### If this is enabled, then psad will die if a rule in the&lt;br /&gt;
### /etc/psad/signatures file contains an unsupported option (otherwise&lt;br /&gt;
### a syslog warning will be generated).&lt;br /&gt;
ENABLE_SNORT_SIG_STRICT     Y;&lt;br /&gt;
&lt;br /&gt;
### If &amp;quot;Y&amp;quot;, enable automated IDS response (auto manages&lt;br /&gt;
### firewall rulesets).&lt;br /&gt;
ENABLE_AUTO_IDS             N;&lt;br /&gt;
&lt;br /&gt;
### Block all traffic from offending IP if danger&lt;br /&gt;
### level &amp;gt;= to this value&lt;br /&gt;
AUTO_IDS_DANGER_LEVEL       5;&lt;br /&gt;
&lt;br /&gt;
### Set the auto-blocked timeout in seconds (the default&lt;br /&gt;
### is one hour).&lt;br /&gt;
AUTO_BLOCK_TIMEOUT          3600;&lt;br /&gt;
&lt;br /&gt;
### Set the auto-blocked timeout in seconds for each danger&lt;br /&gt;
### level - zero means to block permanently.  Each of these&lt;br /&gt;
### can be set independently&lt;br /&gt;
AUTO_BLOCK_DL1_TIMEOUT      $AUTO_BLOCK_TIMEOUT;&lt;br /&gt;
AUTO_BLOCK_DL2_TIMEOUT      $AUTO_BLOCK_TIMEOUT;&lt;br /&gt;
AUTO_BLOCK_DL3_TIMEOUT      $AUTO_BLOCK_TIMEOUT;&lt;br /&gt;
AUTO_BLOCK_DL4_TIMEOUT      $AUTO_BLOCK_TIMEOUT;&lt;br /&gt;
AUTO_BLOCK_DL5_TIMEOUT      0;   ### permanent&lt;br /&gt;
&lt;br /&gt;
### Enable regex checking on log prefixes for active response&lt;br /&gt;
ENABLE_AUTO_IDS_REGEX       N;&lt;br /&gt;
&lt;br /&gt;
### Only block if the iptables log message matches the following regex&lt;br /&gt;
AUTO_BLOCK_REGEX            ESTAB;  ### from fwsnort logging prefixes&lt;br /&gt;
&lt;br /&gt;
### Control whether &amp;quot;renew&amp;quot; auto-block emails get sent.  This is disabled&lt;br /&gt;
### by default because lots of IPs could have been blocked, and psad&lt;br /&gt;
### should not generate a renew email for each of them.&lt;br /&gt;
ENABLE_RENEW_BLOCK_EMAILS   N;&lt;br /&gt;
&lt;br /&gt;
### By setting this variable to N, all auto-blocking emails can be&lt;br /&gt;
### suppressed.&lt;br /&gt;
ENABLE_AUTO_IDS_EMAILS      Y;&lt;br /&gt;
&lt;br /&gt;
### Enable iptables blocking (only gets enabled if&lt;br /&gt;
### ENABLE_AUTO_IDS is also set)&lt;br /&gt;
IPTABLES_BLOCK_METHOD       Y;&lt;br /&gt;
&lt;br /&gt;
### Specify chain names to which iptables blocking rules will be&lt;br /&gt;
### added with the IPT_AUTO_CHAIN{n} keyword.  There is no limit on the&lt;br /&gt;
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number&lt;br /&gt;
### to add an additional IPT_AUTO_CHAIN requirement. The format for this&lt;br /&gt;
### variable is: &amp;lt;Target&amp;gt;,&amp;lt;Direction&amp;gt;,&amp;lt;Table&amp;gt;,&amp;lt;From_chain&amp;gt;,&amp;lt;Jump_rule_position&amp;gt;, \&lt;br /&gt;
###              &amp;lt;To_chain&amp;gt;,&amp;lt;Rule_position&amp;gt;.&lt;br /&gt;
### &amp;quot;Target&amp;quot;: Can be any legitimate iptables target, but should usually&lt;br /&gt;
###           just be &amp;quot;DROP&amp;quot;.&lt;br /&gt;
### &amp;quot;Direction&amp;quot;: Can be &amp;quot;src&amp;quot;, &amp;quot;dst&amp;quot;, or &amp;quot;both&amp;quot;, which correspond to the&lt;br /&gt;
###              INPUT, OUTPUT, and FORWARD chains.&lt;br /&gt;
### &amp;quot;Table&amp;quot;: Can be any iptables table, but the default is &amp;quot;filter&amp;quot;.&lt;br /&gt;
### &amp;quot;From_chain&amp;quot;: Is the chain from which packets will be jumped.&lt;br /&gt;
### &amp;quot;Jump_rule_position&amp;quot;: Defines the position within the From_chain where&lt;br /&gt;
###                       the jump rule is added.&lt;br /&gt;
### &amp;quot;To_chain&amp;quot;: Is the chain to which packets will be jumped. This is the&lt;br /&gt;
###             main chain where psad rules are added.&lt;br /&gt;
### &amp;quot;Rule_position&amp;quot;: Defines the position where rule are added within the&lt;br /&gt;
###                  To_chain.&lt;br /&gt;
###&lt;br /&gt;
### The following defaults make sense for most installations, but note&lt;br /&gt;
### it is possible to include blocking rules in, say, the &amp;quot;nat&amp;quot; table&lt;br /&gt;
### using this functionality as well.  The following three lines provide&lt;br /&gt;
### usage examples:&lt;br /&gt;
#IPT_AUTO_CHAIN1              DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;&lt;br /&gt;
#IPT_AUTO_CHAIN2              DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;&lt;br /&gt;
#IPT_AUTO_CHAIN3              DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;&lt;br /&gt;
IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;&lt;br /&gt;
IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;&lt;br /&gt;
IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;&lt;br /&gt;
&lt;br /&gt;
### Flush all existing rules in the psad chains at psad start time.&lt;br /&gt;
FLUSH_IPT_AT_INIT           Y;&lt;br /&gt;
&lt;br /&gt;
### Prerequisite check for existence of psad chains and jump rules&lt;br /&gt;
IPTABLES_PREREQ_CHECK       1;&lt;br /&gt;
&lt;br /&gt;
### Enable tcp wrappers blocking (only gets enabled if&lt;br /&gt;
### ENABLE_AUTO_IDS is also set)&lt;br /&gt;
TCPWRAPPERS_BLOCK_METHOD    N;&lt;br /&gt;
&lt;br /&gt;
### Set the whois timeout&lt;br /&gt;
WHOIS_TIMEOUT               60;  ### seconds&lt;br /&gt;
&lt;br /&gt;
### Set the number of times an ip can be seen before another whois&lt;br /&gt;
### lookup is issued.&lt;br /&gt;
WHOIS_LOOKUP_THRESHOLD      20;&lt;br /&gt;
&lt;br /&gt;
### Use this option to force all whois information to contain ascii-only data.&lt;br /&gt;
### Sometime whois information for IP addresses in China and other countries&lt;br /&gt;
### can contain non-ascii data.  If this option is enabled, then any non-&lt;br /&gt;
### ascii characters will be replaced with &amp;quot;NA&amp;quot;.&lt;br /&gt;
ENABLE_WHOIS_FORCE_ASCII    N;&lt;br /&gt;
&lt;br /&gt;
### This variable forces all whois lookups to be done against the source IP&lt;br /&gt;
### even when they are associated with a directly connected local network.  IT&lt;br /&gt;
### is usually a good idea to leave this setting as the default of &amp;#039;N&amp;#039;.&lt;br /&gt;
ENABLE_WHOIS_FORCE_SRC_IP   N;&lt;br /&gt;
&lt;br /&gt;
### Set the number of times an ip can be seen before another dns&lt;br /&gt;
### lookup is issued.&lt;br /&gt;
DNS_LOOKUP_THRESHOLD        20;&lt;br /&gt;
&lt;br /&gt;
### Enable psad to run an external script or program (use at your&lt;br /&gt;
### own risk!)&lt;br /&gt;
ENABLE_EXT_SCRIPT_EXEC      N;&lt;br /&gt;
&lt;br /&gt;
### Define an external program to run after a scan is caught.&lt;br /&gt;
### Note that the scan source ip can be specified on the command&lt;br /&gt;
### line to the external program through the use of the &amp;quot;SRCIP&amp;quot;&lt;br /&gt;
### string (along with some appropriate switch for the program).&lt;br /&gt;
### Of course this is only useful if the external program knows&lt;br /&gt;
### what to do with this information.&lt;br /&gt;
### Example:  EXTERNAL_SCRIPT       /path/to/script --ip SRCIP -v;&lt;br /&gt;
EXTERNAL_SCRIPT             /bin/true;&lt;br /&gt;
&lt;br /&gt;
### Control execution of EXTERNAL_SCRIPT (only once per IP, or&lt;br /&gt;
### every time a scan is detected for an ip).&lt;br /&gt;
EXEC_EXT_SCRIPT_PER_ALERT   N;&lt;br /&gt;
&lt;br /&gt;
### Disk usage variables&lt;br /&gt;
DISK_CHECK_INTERVAL         300;  ### seconds&lt;br /&gt;
&lt;br /&gt;
### This can be set to 0 to disable disk checking altogether&lt;br /&gt;
DISK_MAX_PERCENTAGE         95;&lt;br /&gt;
&lt;br /&gt;
### This can be set to 0 to have psad not place any limit on the&lt;br /&gt;
### number of times it will attempt to remove data from&lt;br /&gt;
### /var/log/psad/.&lt;br /&gt;
DISK_MAX_RM_RETRIES         10;&lt;br /&gt;
&lt;br /&gt;
### Enable archiving of old scan directories at psad startup.&lt;br /&gt;
ENABLE_SCAN_ARCHIVE         N;&lt;br /&gt;
&lt;br /&gt;
### Truncate fwdata file at startup&lt;br /&gt;
TRUNCATE_FWDATA             Y;&lt;br /&gt;
&lt;br /&gt;
### Only archive scanning IP directories that have reached a danger&lt;br /&gt;
### level greater than or equal to this value.  Archiving old&lt;br /&gt;
### scanning ip directories only takes place at psad startup.&lt;br /&gt;
MIN_ARCHIVE_DANGER_LEVEL    1;&lt;br /&gt;
&lt;br /&gt;
### Email subject line config.  Change these prefixes if you want&lt;br /&gt;
### psad to generate email alerts that say something other than&lt;br /&gt;
### the following.&lt;br /&gt;
MAIL_ALERT_PREFIX           [psad-alert];&lt;br /&gt;
MAIL_STATUS_PREFIX          [psad-status];&lt;br /&gt;
MAIL_ERROR_PREFIX           [psad-error];&lt;br /&gt;
MAIL_FATAL_PREFIX           [psad-fatal];&lt;br /&gt;
&lt;br /&gt;
### URL for getting the latest psad signatures&lt;br /&gt;
SIG_UPDATE_URL              http://www.cipherdyne.org/psad/signatures;&lt;br /&gt;
&lt;br /&gt;
### These next two are psadwatchd vars&lt;br /&gt;
PSADWATCHD_CHECK_INTERVAL   5;  ### seconds&lt;br /&gt;
PSADWATCHD_MAX_RETRIES      10;&lt;br /&gt;
&lt;br /&gt;
### Directories&lt;br /&gt;
INSTALL_ROOT                /;&lt;br /&gt;
PSAD_DIR                    $INSTALL_ROOT/var/log/psad;&lt;br /&gt;
PSAD_RUN_DIR                $INSTALL_ROOT/var/run/psad;&lt;br /&gt;
PSAD_FIFO_DIR               $INSTALL_ROOT/var/lib/psad;&lt;br /&gt;
PSAD_LIBS_DIR               $INSTALL_ROOT/usr/lib/psad;&lt;br /&gt;
PSAD_CONF_DIR               $INSTALL_ROOT/etc/psad;&lt;br /&gt;
PSAD_ERR_DIR                $PSAD_DIR/errs;&lt;br /&gt;
CONF_ARCHIVE_DIR            $PSAD_DIR/archive;&lt;br /&gt;
SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;&lt;br /&gt;
ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;&lt;br /&gt;
SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;&lt;br /&gt;
FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  ### may not exist&lt;br /&gt;
&lt;br /&gt;
### Files&lt;br /&gt;
FW_DATA_FILE                $PSAD_DIR/fwdata;&lt;br /&gt;
ULOG_DATA_FILE              $PSAD_DIR/ulogd.log;&lt;br /&gt;
FW_CHECK_FILE               $PSAD_DIR/fw_check;&lt;br /&gt;
DSHIELD_EMAIL_FILE          $PSAD_DIR/dshield.email;&lt;br /&gt;
SIGS_FILE                   $PSAD_CONF_DIR/signatures;&lt;br /&gt;
PROTOCOLS_FILE              $PSAD_CONF_DIR/protocols;&lt;br /&gt;
ICMP_TYPES_FILE             $PSAD_CONF_DIR/icmp_types;&lt;br /&gt;
ICMP6_TYPES_FILE            $PSAD_CONF_DIR/icmp6_types;&lt;br /&gt;
AUTO_DL_FILE                $PSAD_CONF_DIR/auto_dl;&lt;br /&gt;
SNORT_RULE_DL_FILE          $PSAD_CONF_DIR/snort_rule_dl;&lt;br /&gt;
POSF_FILE                   $PSAD_CONF_DIR/posf;&lt;br /&gt;
P0F_FILE                    $PSAD_CONF_DIR/pf.os;&lt;br /&gt;
IP_OPTS_FILE                $PSAD_CONF_DIR/ip_options;&lt;br /&gt;
PSAD_FIFO_FILE              $PSAD_FIFO_DIR/psadfifo;&lt;br /&gt;
ETC_HOSTS_DENY_FILE         /etc/hosts.deny;&lt;br /&gt;
ETC_SYSLOG_CONF             /etc/syslog.conf;&lt;br /&gt;
ETC_RSYSLOG_CONF            /etc/rsyslog.conf;&lt;br /&gt;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;&lt;br /&gt;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;&lt;br /&gt;
STATUS_OUTPUT_FILE          $PSAD_DIR/status.out;&lt;br /&gt;
ANALYSIS_OUTPUT_FILE        $PSAD_DIR/analysis.out;&lt;br /&gt;
INSTALL_LOG_FILE            $PSAD_DIR/install.log;&lt;br /&gt;
&lt;br /&gt;
### PID files&lt;br /&gt;
PSAD_PID_FILE               $PSAD_RUN_DIR/psad.pid;&lt;br /&gt;
PSAD_CMDLINE_FILE           $PSAD_RUN_DIR/psad.cmd;&lt;br /&gt;
KMSGSD_PID_FILE             $PSAD_RUN_DIR/kmsgsd.pid;&lt;br /&gt;
PSADWATCHD_PID_FILE         $PSAD_RUN_DIR/psadwatchd.pid;&lt;br /&gt;
&lt;br /&gt;
### List of ips that have been auto blocked by iptables&lt;br /&gt;
### or tcpwrappers (the auto blocking feature is disabled by&lt;br /&gt;
### default, see the psad man page and the ENABLE_AUTO_IDS&lt;br /&gt;
### variable).&lt;br /&gt;
AUTO_BLOCK_IPT_FILE         $PSAD_DIR/auto_blocked_iptables;&lt;br /&gt;
AUTO_BLOCK_TCPWR_FILE       $PSAD_DIR/auto_blocked_tcpwr;&lt;br /&gt;
&lt;br /&gt;
### File used internally by psad to add iptables blocking&lt;br /&gt;
### rules to a running psad process&lt;br /&gt;
AUTO_IPT_SOCK               $PSAD_RUN_DIR/auto_ipt.sock;&lt;br /&gt;
&lt;br /&gt;
FW_ERROR_LOG                $PSAD_ERR_DIR/fwerrorlog;&lt;br /&gt;
PRINT_SCAN_HASH             $PSAD_DIR/scan_hash;&lt;br /&gt;
&lt;br /&gt;
### /proc interface for controlling ip forwarding&lt;br /&gt;
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;&lt;br /&gt;
&lt;br /&gt;
### Packet counters for tcp, udp, and icmp protocols&lt;br /&gt;
PACKET_COUNTER_FILE         $PSAD_DIR/packet_ctr;&lt;br /&gt;
&lt;br /&gt;
### Top scanned ports&lt;br /&gt;
TOP_SCANNED_PORTS_FILE      $PSAD_DIR/top_ports;&lt;br /&gt;
&lt;br /&gt;
### Top signature matches&lt;br /&gt;
TOP_SIGS_FILE               $PSAD_DIR/top_sigs;&lt;br /&gt;
&lt;br /&gt;
### Top attackers&lt;br /&gt;
TOP_ATTACKERS_FILE          $PSAD_DIR/top_attackers;&lt;br /&gt;
&lt;br /&gt;
### Counter file for Dshield alerts&lt;br /&gt;
DSHIELD_COUNTER_FILE        $PSAD_DIR/dshield_ctr;&lt;br /&gt;
&lt;br /&gt;
### Counter file for iptables prefixes&lt;br /&gt;
IPT_PREFIX_COUNTER_FILE     $PSAD_DIR/ipt_prefix_ctr;&lt;br /&gt;
&lt;br /&gt;
### iptables command output and error collection files; these are&lt;br /&gt;
### used by IPTables::ChainMgr&lt;br /&gt;
IPT_OUTPUT_FILE             $PSAD_DIR/psad.iptout;&lt;br /&gt;
IPT_ERROR_FILE              $PSAD_DIR/psad.ipterr;&lt;br /&gt;
&lt;br /&gt;
### system binaries&lt;br /&gt;
iptablesCmd      /sbin/iptables;&lt;br /&gt;
#ip6tablesCmd     /sbin/ip6tables;&lt;br /&gt;
ip6tablesCmd     /bin/true&lt;br /&gt;
shCmd            /bin/sh;&lt;br /&gt;
wgetCmd          /usr/bin/wget;&lt;br /&gt;
gzipCmd          /bin/gzip;&lt;br /&gt;
mknodCmd         /bin/mknod;&lt;br /&gt;
psCmd            /bin/ps;&lt;br /&gt;
mailCmd          /bin/mail;&lt;br /&gt;
sendmailCmd      /usr/sbin/sendmail;&lt;br /&gt;
ifconfigCmd      /sbin/ifconfig;&lt;br /&gt;
ipCmd            /sbin/ip;&lt;br /&gt;
killallCmd       /usr/bin/killall;&lt;br /&gt;
netstatCmd       /bin/netstat;&lt;br /&gt;
unameCmd         /bin/uname;&lt;br /&gt;
whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;&lt;br /&gt;
dfCmd            /bin/df;&lt;br /&gt;
fwcheck_psadCmd  $INSTALL_ROOT/usr/sbin/fwcheck_psad;&lt;br /&gt;
psadwatchdCmd    $INSTALL_ROOT/usr/sbin/psadwatchd;&lt;br /&gt;
kmsgsdCmd        $INSTALL_ROOT/usr/sbin/kmsgsd;&lt;br /&gt;
psadCmd          $INSTALL_ROOT/usr/sbin/psad;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
Pour mettre à jour les règles, entrez la commande suivante dans un terminal :&lt;br /&gt;
&lt;br /&gt;
 psad --sig-update&lt;/div&gt;</summary>
		<author><name>Didier</name></author>
	</entry>
</feed>