Linux Firewalls - Michael Rash [77]
[iptablesfw]# psad --Status
❶ [+] psadwatchd (pid: 27812) %CPU: 0.0 %MEM: 0.0
Running since: Mon Jul 2 13:58:07 2007
[+] kmsgsd (pid: 27810) %CPU: 0.0 %MEM: 0.0
Running since: Mon Jul 2 13:58:07 2007
[+] psad (pid: 27808) %CPU: 0.0 %MEM: 0.9
Running since: Mon Jul 2 13:58:07 2007
Command-line arguments: [none specified]
Alert email address(es): mbr@cipherdyne.org
[+] Version: psad v2.0.4
❷ [+] Top 50 signature matches:
"SCAN FIN" (tcp), Count: 3229, Unique sources: 1, Sid: 621
"MISC VNC communication attempt" (tcp), Count: 104, Unique sources: 22,
Sid: 100202
"MISC Microsoft SQL Server communication attempt" (tcp), Count: 81,
Unique sources: 11, Sid: 100205
"MISC Windows popup spam attempt" (udp), Count: 45, Unique sources: 42,
Sid: 100196
❸ [+] Top 25 attackers:
144.202.X.X DL: 4, Packets: 6571, Sig count: 3311
32.127.X.X DL: 3, Packets: 188, Sig count: 96
124.224.X.X DL: 2, Packets: 1, Sig count: 1
❹ [+] Top 20 scanned ports:
tcp 135 200 packets
tcp 445 197 packets
tcp 139 126 packets
udp 1027 22 packets
udp 1026 22 packets
udp 1434 13 packets
❺ [+] iptables log prefix counters:
"DROP": 4157
"DROP INVALID": 3251
❻ DShield stats:
total emails: 5
total packets: 711
❼ iptables auto-blocked IPs:
[NONE]
❽ [+] IP Status Detail:
SRC: 144.202.X.X, DL: 4, Dsts: 1, Pkts: 6571, Unique sigs: 1, Email alerts: 11
Source OS fingerprint(s):
SunOS:4.1::SunOS 4.1.X
DST: 71.157.X.X, Local IP
Scanned ports: tcp 1-65301, Pkts: 6571, Chain: INPUT, Intf: eth0
Signature match: "SCAN FIN"
tcp, Chain: INPUT, Count: 464, DP: 132, FIN, Sid: 621
SRC: 71.157.X.X, DL: 3, Dsts: 1, Pkts: 188, Unique sigs: 1, Email alerts: 147
DST: 71.157.X.X, Local IP
Scanned ports: tcp 135-5900, Pkts: 188, Chain: INPUT, Intf: eth0
Signature match: "MISC Microsoft SQL Server communication attempt"
tcp, Chain: INPUT, Count: 1, DP: 1433, SYN, Sid: 100205
Total scan sources: 97
Total scan destinations: 3
[+] These results are available in: /var/log/psad/status.out
Listing 7-1: psad --Status output
The output above contains several sections that are each designed to inform you about a different set of characteristics of all attacks that psad is currently tracking (with the highest-level summary information near the top). These sections are as follows:
psad Process Status Information
At ❶ you'll see psad process status information, including the process ID, how long the process has been running, and the percentage of both the CPU and main memory that the process is currently using. Specifically for the psad daemon, the output also includes the command-line arguments (if any) the daemon was started with, and the email address(es) to which psad has been configured to send alert emails.
Top 50 Signature Matches
At ❷ the status output displays the top 50 signature matches. To have psad display more than just the top 50 matches, increase the value of the STATUS_SIGS_THRESHOLD variable in the /etc/psad/psad.conf file.
Top 25 Attackers
At ❸ is a listing of the top 25 attacking IP addresses. To have psad display more than the top 25 attackers, increase the value of the STATUS_IP_THRESHOLD variable in psad.conf. With the listing of the top attackers, it is possible for you to make informed decisions about those IP addresses on the open Internet that are potentially hostile to your system.
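As an added example (not code from the book or from psad itself), the following Python parser reads the attackers, scanned-ports and iptables prefix-counter sections of saved status text (for instance /var/log/psad/status.out) so that the DL values at ❸ can be filtered for review; it assumes the line layout shown in Listing 7-1 and runs on constructed sample input.

```python
import re
# Constructed sample in the shape of the psad --Status sections shown above;
# the addresses are RFC 5737 documentation ranges, not the book's hosts.
SAMPLE_STATUS = """\
[+] Top 25 attackers:
    192.0.2.10 DL: 4, Packets: 6571, Sig count: 3311
    198.51.100.7 DL: 3, Packets: 188, Sig count: 96
    203.0.113.44 DL: 2, Packets: 1, Sig count: 1
[+] Top 20 scanned ports:
    tcp 135 200 packets
    tcp 445 197 packets
    udp 1434 13 packets
[+] iptables log prefix counters:
    "DROP": 4157
    "DROP INVALID": 3251
DShield stats:
    total emails: 5
"""

# Section headers end with a colon; map a distinctive substring to a key.
SECTION_KEYS = {"attackers": "attackers", "scanned ports": "ports",
                "log prefix counters": "prefixes"}
ATTACKER_RE = re.compile(r'^(\S+) DL: (\d+), Packets: (\d+), Sig count: (\d+)$')
PORT_RE = re.compile(r'^(tcp|udp) (\d+) (\d+) packets$')
PREFIX_RE = re.compile(r'^"([^"]+)": (\d+)$')

def parse_status(text):
    """Parse the attackers, scanned-ports and log-prefix sections of status text."""
    status = {"attackers": [], "ports": [], "prefixes": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            # Headers we do not parse (DShield stats, IP Status Detail, ...) reset to None
            section = next((v for k, v in SECTION_KEYS.items() if k in line), None)
            continue
        if section == "attackers" and (m := ATTACKER_RE.match(line)):
            status["attackers"].append({"src": m[1], "dl": int(m[2]),
                                        "packets": int(m[3]), "sigs": int(m[4])})
        elif section == "ports" and (m := PORT_RE.match(line)):
            status["ports"].append((m[1], int(m[2]), int(m[3])))
        elif section == "prefixes" and (m := PREFIX_RE.match(line)):
            status["prefixes"][m[1]] = int(m[2])
    return status

def attackers_at_or_above(status, min_dl):
    """Sources whose danger level (DL) meets min_dl, most dangerous first."""
    hits = [a for a in status["attackers"] if a["dl"] >= min_dl]
    return sorted(hits, key=lambda a: (-a["dl"], -a["packets"]))
```

Feeding the real status.out through parse_status and calling attackers_at_or_above with a DL threshold gives a sorted list of sources for the review decisions the text describes.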
Top 20 Scanned Ports
At ❹ begins the top 20 scanned TCP and UDP ports. You can display more than the top 20 by increasing the STATUS_PORTS_THRESHOLD variable in psad.conf. If there is a worm on the loose for a particular service, the top 20 scanned ports might help to illustrate increased worm activity against that service. If you have systems in your network that are vulnerable to the attack exploited by such a worm, this output can help you focus your efforts on removing the vulnerability from