Linux Firewalls - Michael Rash

your infrastructure.

Logging Prefixes

Line ❺ records the logging prefixes that are being tracked by psad. If you run fwsnort (discussed in Chapter 9, Chapter 10, and Chapter 11), this section can contain quite a lot of information, because each fwsnort iptables rule has its own logging prefix that corresponds to a different Snort signature. This section gives you an overview of the logging prefixes that are most commonly triggered in your iptables policy—the logging prefixes are displayed in order, starting with the prefix that is triggered the most.

DShield Statistics

At ❻ is the number of email alerts that have been sent to the DShield distributed IDS. Also displayed are the total number of packets collected by psad and sent to DShield for additional analysis.

Automatically Blocked IP Addresses

Line ❼ shows IP addresses that have been blocked by psad. This requires that ENABLE_AUTO_IDS is set to Y. The auto-response information is always displayed in the status output, even if ENABLE_AUTO_IDS is set to N, because psad could have blocked a set of IP addresses in a previous execution in which the auto-response feature was enabled, even if it isn't enabled in the currently running psad instance.

Scanning IP Address Detail

At ❽ begins a listing of all source IP addresses that psad is currently tracking and has assigned at least DANGER_LEVEL1 as a severity measure of the suspicious traffic monitored from each address. Also included in each IP address line are the iptables chain and input interface that logged the suspicious packets, a breakdown of the number of TCP, UDP, and ICMP packets from the source IP address, the current danger level, the number of email alerts, and finally, a guess of the operating system that generated the suspicious traffic (see "Passive OS Fingerprinting with p0f" on page 120).

Note

Even though psad is good about writing scan information to disk within the /var/log/psad directory, there is yet another way to get information on how the running psad daemon is performing. By executing the command psad -U (as root), the running psad instance receives a USR1 signal that instructs it to use the Data::Dumper Perl module to write to disk the main hash data structure it uses internally to track scan information. The resulting file is /var/log/psad/scan_hash.pid, where pid is the process ID of the running psad daemon. An example of this output can be downloaded from http://www.cipherdyne.org/linuxfirewalls.

Forensics Mode

Many people have old syslog files that contain iptables log data lying around on their systems. By using psad in forensics mode, these old logfiles can be used to inform you of suspicious traffic that took place in the past against your system. This information can become particularly helpful if you are trying to track down a real intrusion and want to see what IP addresses may have been scanning your system around the time of a compromise. To run psad in forensics mode, use the -A command-line switch as shown in bold in Listing 7-2 (some output has been abbreviated):

[iptablesfw]# psad -A
[+] Entering analysis mode. Parsing /var/log/messages
[+] Found 8804 iptables log messages out of 10000 total lines.
[+] Processed 1600 packets...
[+] Processed 8800 packets...
[+] Assigning scan danger levels...
    Level 1: 3 IP addresses
    Level 2: 214 IP addresses
    Level 3: 3 IP addresses
    Level 4: 2 IP addresses
    Level 5: 0 IP addresses
Tracking 222 total IP addresses

Listing 7-2: psad forensics output

The output in Listing 7-2 reports the total number of iptables log messages psad parsed from the logfile, along with the total number of IP addresses assigned to each of the five danger levels. The remainder of the forensics output (not displayed here, for brevity) is similar to the --Status output from the previous section. This includes verbose information about the top scanned ports, top attackers, signature matches, and more.
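To make concrete what a forensics pass over old syslog data involves, and how the per-prefix and per-source counters shown in the status output are derived, here is a small added example (not psad's code and not from the book). It parses constructed iptables LOG lines mixed with an unrelated syslog message, counts iptables messages against total lines, orders logging prefixes by how often they fired, breaks each source IP down by TCP/UDP/ICMP and input interface, and buckets sources into danger levels. The thresholds in LEVEL_THRESHOLDS are constructed for illustration and are not psad's DANGER_LEVEL settings.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in iptables LOG format (private addresses);
# the sshd line shows that non-iptables syslog messages are skipped.
SAMPLE_LOG = """\
Jan  1 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=192.168.10.5 DST=192.168.10.1 PROTO=TCP SPT=40001 DPT=22
Jan  1 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=192.168.10.5 DST=192.168.10.1 PROTO=TCP SPT=40002 DPT=23
Jan  1 10:00:03 fw sshd[1234]: Accepted publickey for alice from 192.168.10.9
Jan  1 10:00:04 fw kernel: DROP IN=eth0 OUT= SRC=192.168.10.5 DST=192.168.10.1 PROTO=UDP SPT=5353 DPT=53
Jan  1 10:00:05 fw kernel: SID1234 IN=eth0 OUT= SRC=192.168.10.7 DST=192.168.10.1 PROTO=ICMP TYPE=8 CODE=0
Jan  1 10:00:06 fw kernel: DROP IN=eth0 OUT= SRC=192.168.10.7 DST=192.168.10.1 PROTO=TCP SPT=1025 DPT=80
"""

# iptables LOG message: optional --log-prefix text, then IN=/OUT=, SRC= and PROTO= fields.
IPT_RE = re.compile(
    r"kernel: (?P<prefix>.*?)\s*IN=(?P<iface>\S*) OUT=\S* .*?SRC=(?P<src>\d+(?:\.\d+){3}) "
    r".*?PROTO=(?P<proto>TCP|UDP|ICMP)"
)

# Illustrative packet-count thresholds for danger levels 1..5 (constructed values,
# not psad's DANGER_LEVEL* settings; psad also weights signature matches).
LEVEL_THRESHOLDS = (5, 15, 150, 1500, 10000)

def danger_level(packets):
    """Return 0..5: the highest level whose threshold the packet count reaches."""
    return sum(1 for t in LEVEL_THRESHOLDS if packets >= t)

def analyze(log_text):
    """Forensics-style pass over syslog text; returns the counters psad reports."""
    total = matched = 0
    prefixes = Counter()
    per_src = defaultdict(lambda: {"TCP": 0, "UDP": 0, "ICMP": 0, "iface": ""})
    for line in log_text.splitlines():
        total += 1
        m = IPT_RE.search(line)
        if not m:
            continue  # not an iptables log message (sshd, cron, ...)
        matched += 1
        prefixes[m["prefix"] or "<none>"] += 1  # prefix frequency, like line ❺
        entry = per_src[m["src"]]
        entry[m["proto"]] += 1                  # per-source TCP/UDP/ICMP split, like ❽
        entry["iface"] = m["iface"]
    levels = Counter(danger_level(e["TCP"] + e["UDP"] + e["ICMP"]) for e in per_src.values())
    return {"total_lines": total, "iptables_lines": matched, "level_counts": dict(levels),
            "prefixes": prefixes.most_common(), "sources": dict(per_src)}

if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(f"[+] Found {s['iptables_lines']} iptables log messages out of {s['total_lines']} total lines.")
```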

By default, when in forensics mode, psad parses iptables log messages out of the /var/log/messages
