Linux Firewalls - Michael Rash [60]
IGNORE_PORTS udp/53, udp/5000, tcp/51000-61356;
Rather than using the IGNORE_PORTS variable, you could tune your iptables policy so that packets to ports you want to ignore are matched by a rule before they hit the LOG rule.
IGNORE_PROTOCOLS
With the IGNORE_PROTOCOLS variable, psad can be instructed to ignore entire protocols. It is usually better to tune your iptables policy to not log protocols you wish to ignore in the first place, but if you wish to have psad ignore all ICMP packets, for example, you can set IGNORE_PROTOCOLS like so:
IGNORE_PROTOCOLS icmp;
IGNORE_LOG_PREFIXES
You'll find that iptables policies can be quite complex and include many different logging rules—each potentially with its own logging prefix. If you want psad to ignore a certain logging prefix (e.g., DROP:INPUT5:eth1), you can set IGNORE_LOG_PREFIXES like this:
IGNORE_LOG_PREFIXES DROP:INPUT5:eth1;
EMAIL_LIMIT
In some circumstances an iptables policy is configured to log certain traffic that is not malicious, and this traffic may repeat over and over again on a network (for example, DNS requests to a specific DNS server). If psad interprets such traffic as a scan, then psad may send a lot of email alerts for the traffic because it repeats itself. You can force psad to impose a limit on the number of email alerts that are sent for any scanning IP address by using the EMAIL_LIMIT variable. The default is zero, which means that no limit is imposed, but if you set it to 50, then psad will send no more than 50 email alerts for a given IP address:
EMAIL_LIMIT 50;
ALERTING_METHODS
Most administrators use both the email and syslog reporting modes offered by psad, but the ALERTING_METHODS variable gives you control over whether psad generates email or syslog alerts. The ALERTING_METHODS variable accepts three values: noemail, nosyslog, and ALL. The noemail and nosyslog values instruct psad to send no email alerts or no syslog alerts, respectively; the two can be combined to disable all alerting. The default is to generate both email and syslog alerts:
ALERTING_METHODS ALL;
FW_MSG_SEARCH
The FW_MSG_SEARCH variable defines how psad searches iptables log messages. To restrict psad to analyze only those log messages that contain a specific log prefix (defined in an iptables LOG rule with the --log-prefix argument to iptables), define the prefix with the FW_MSG_SEARCH variable. This allows iptables to be configured to assign other log prefixes to packets without having psad analyze them.
For example, to have psad analyze only iptables log messages that contain the string DROP, configure the FW_MSG_SEARCH variable like so:
FW_MSG_SEARCH DROP;
/etc/psad/auto_dl
As with any IDS, there is always a high probability of false positives. Hence, every IDS should be equipped with a whitelisting capability by which certain systems, networks, ports, or protocols can be excluded from any detection mechanism and (most importantly) any automated response features. Because certain IP addresses or networks may be known bad actors, there should also be a provision to blacklist them.
These requirements are met in psad's auto_dl file, which follows this syntax:
ip/network danger level optional protocol/optional ports
If the danger level is set to zero, psad will completely ignore the IP address or network. However, the danger level can be set as high as five if a particular IP address or network is known to be extremely malicious.
For example, the first of the following two lines ensures that psad will ignore all traffic from the IP address 192.168.10.3; the second line immediately escalates all TCP port 22 (SSH) traffic to a danger level of five from the 10.10.1.0/24 network:
192.168.10.3 0;
10.10.1.0/24 5 tcp/22;
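As an added example (not code from the book or from psad itself), the following Python parses the auto_dl syntax described above and reports the danger level a packet from a given source would receive. The sample file contents are constructed, and the first-match rule in lookup() is an assumption of this example rather than documented psad behaviour.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample auto_dl contents in the format shown above:
#   ip/network  danger_level  [proto/port[-port][,proto/port...]];
SAMPLE_AUTO_DL = """\
# whitelist a trusted management host entirely
192.168.10.3 0;
# escalate SSH traffic from this network straight to danger level 5
10.10.1.0/24 5 tcp/22;
172.16.0.0/16 3 udp/53, tcp/51000-61356;
"""

@dataclass
class AutoDlEntry:
    net: object     # ipaddress network object
    danger: int     # 0 = ignore the source entirely ... 5 = extremely malicious
    ports: object   # None = any proto/port; else list of (proto, lo, hi) ranges

def parse_port_spec(spec):
    """'udp/53, tcp/51000-61356' -> [('udp', 53, 53), ('tcp', 51000, 61356)]"""
    ranges = []
    for item in spec.split(','):
        proto, _, prange = item.strip().lower().partition('/')
        lo, _, hi = prange.partition('-')
        ranges.append((proto, int(lo), int(hi or lo)))
    return ranges

def parse_auto_dl(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip().rstrip(';').strip()  # drop comments and ';'
        if not line:
            continue
        fields = line.split(None, 2)
        net = ipaddress.ip_network(fields[0], strict=False)
        danger = int(fields[1])
        if not 0 <= danger <= 5:   # the page gives 0 (ignore) .. 5 (extremely malicious)
            raise ValueError(f"danger level out of range: {raw!r}")
        ports = parse_port_spec(fields[2]) if len(fields) == 3 else None
        entries.append(AutoDlEntry(net, danger, ports))
    return entries

def lookup(entries, src_ip, proto, port):
    """Danger level for a packet, or None if no entry applies (first match wins: an assumption here)."""
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if ip in e.net and (e.ports is None or
                            any(p == proto and lo <= port <= hi for p, lo, hi in e.ports)):
            return e.danger
    return None
```

An entry with no protocol/port field applies to all traffic from that source, while an entry with one only affects the listed ports, which is why a 10.10.1.0/24 host probing port 80 gets no escalation here.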
/etc/psad/signatures
The /etc/psad/signatures file contains a set of about 200 slightly modified Snort rules. These rules represent attacks