Linux Firewalls - Michael Rash [59]
SHOW_ALL_SIGNATURES
This variable controls whether or not psad includes all signature alert information associated with an IP address in every alert (see Chapter 7 for examples of signature information included within psad alerts). It is disabled by default because it can result in lengthy email alerts from psad if a particular IP address is consistently hitting your site with suspicious traffic over long periods of time. However, psad email alerts will include all newly triggered signatures in the last CHECK_INTERVAL, even when SHOW_ALL_SIGNATURES is disabled.
ALERT_ALL
When set to Y, this variable instructs psad to generate email and/or syslog alerts whenever new malicious activity is seen from an IP address, as long as a danger level of one has been reached. If set to N, psad will only generate alerts when the danger level associated with an IP address increases.
SNORT_SID_STR
This variable defines a substring to match against iptables log messages to see if any of the messages were generated by an iptables rule that completely characterizes a Snort rule. Such iptables rules are produced by fwsnort (see Chapter 9 and Chapter 10), and they generally contain a logging prefix of SID{n}, where {n} is the Snort ID number derived from the original Snort rule. The default value for SNORT_SID_STR is just SID.
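As an added illustration (not code from the book or from psad itself), the following Python shows how a SNORT_SID_STR substring can be used to pick fwsnort-generated messages out of an iptables log and to compute the "newly triggered signatures" set that an alert reports even with SHOW_ALL_SIGNATURES disabled. The log lines are constructed, and the exact SID{n} prefix layout is assumed from the description above.

```python
import re
from collections import defaultdict

# psad's default SNORT_SID_STR, as described in the text; psad does a plain substring test.
SNORT_SID_STR = "SID"

# Source-address field of a standard iptables log message.
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample iptables log lines (not from a real system). Three lines imitate
# fwsnort rules carrying a SID{n} prefix; the DROP line is an ordinary iptables log message.
SAMPLE_LOG = """\
Mar  1 10:00:01 host kernel: SID1234 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=80
Mar  1 10:00:02 host kernel: SID2003 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=22
Mar  1 10:00:03 host kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1025
Mar  1 10:00:04 host kernel: SID1234 IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4446 DPT=80
"""

def snort_sids_by_source(log_text, sid_str=SNORT_SID_STR):
    """Return {src_ip: {sid: hit_count}} for log lines carrying a sid_str{n} prefix.

    Lines lacking the sid_str substring are skipped before the regex runs, which
    mirrors the cheap substring check the text describes. The prefix layout
    (sid_str immediately followed by digits) is an assumption of this example.
    """
    sid_re = re.compile(r"\b" + re.escape(sid_str) + r"(\d+)\b")
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if sid_str not in line:
            continue
        m_sid = sid_re.search(line)
        m_src = SRC_RE.search(line)
        if not (m_sid and m_src):
            continue
        hits[m_src.group(1)][int(m_sid.group(1))] += 1
    return {src: dict(sids) for src, sids in hits.items()}

def new_sids_since_last_check(current, previous):
    """Per source IP, the SIDs seen now that were absent in the previous CHECK_INTERVAL.

    This is the set an alert still reports when SHOW_ALL_SIGNATURES is disabled.
    """
    result = {}
    for src, sids in current.items():
        fresh = set(sids) - set(previous.get(src, {}))
        if fresh:
            result[src] = sorted(fresh)
    return result
```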
ENABLE_AUTO_IDS
If set to Y, this variable transforms psad from a passively monitoring daemon into a program that actively responds to attacks by dynamically reconfiguring the local iptables policy to block an offending IP address from interacting with the local system (via the INPUT and OUTPUT chains) and with all systems that may be protected by the local system (via the FORWARD chain). Chapter 8 discusses the implications of this feature, as well as how to use it effectively. Several auto-response variables are not discussed here but can be found in Chapter 8.
IMPORT_OLD_SCANS
The information that psad collects about port scans and other suspicious activities is written to the /var/log/psad directory. For every IP address that reaches a danger level of one, a new directory /var/log/psad/ip is created. Various files stored within this directory include the latest email alert, whois output, signature matches, danger level, and packet counters. At start time, psad normally removes any existing /var/log/psad/ip directories, but you can have psad import all data from these old directories by setting IMPORT_OLD_SCANS to Y. This feature allows you to restart psad or to reboot the entire system without losing scan data from the previous psad instance.
ENABLE_DSHIELD_ALERTS
Set this variable to Y to allow psad to send scan data to the DShield distributed intrusion detection system. Since scan information can be sensitive, you should be aware that when you pass your scan data to DShield, it is no longer in your control and is parsed into a relatively open database. However, DShield allows people to gain a better understanding of things such as the most commonly attacked services and even which IP address is currently attacking the most systems (making that IP address a good candidate for fairly draconian firewall rules). I highly recommend enabling this feature in psad, unless there is a strict requirement (which may be derived from a site security policy, for instance) not to communicate scan information specifically to DShield; the more people who enable this feature, the safer the Internet becomes for everyone.
IGNORE_PORTS
A key feature of many intrusion detection systems is the ability to filter out certain pieces of data that the administrator wants the IDS to completely ignore. The IGNORE_PORTS variable instructs