
Linux Firewalls - Michael Rash [79]

file. You can change this path with the -m command-line argument like so:

[iptablesfw]# psad -A -m /some/file/path

Note

In Chapter 14, we will use psad to analyze and visualize some of the iptables log data from the Honeynet Project (http://www.honeynet.org).

Verbose/Debug Mode

To have a look at the inner workings of psad as it monitors iptables log messages, run psad in a highly verbose mode with the --debug switch:

[iptablesfw]# psad --debug

This instructs psad to not become a daemon; it can then display information on STDERR as it runs. This information includes everything from MAC addresses to passive OS fingerprinting information. Here's a sample of this output:

❶ Jul 11 16:21:31 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:
00:90:1a:a0:1c:ec:08:00 SRC=12.17.X.X DST=71.157.X.X LEN=64 TOS=0x00 PREC=0x00
TTL=43 ID=38577 DF PROTO=TCP SPT=38970 DPT=12754 WINDOW=53760 RES=0x00
SYN URGP=0 OPT (020405B4010303030101080A000000000000000001010402)
[+] src mac addr: 00:90:1a:a0:1c:ec
[+] dst mac addr: 00:13:d3:38:b6:e4
❷ [+] valid packet: 12.17.X.X (38970) -> 71.157.X.X (12754) tcp
[+] assign_auto_danger_level() returned: -1
❸ [+] p0f(): 71.127.83.50 len: 64, frag_bit: 1, ttl: 43, win: 53760
[+] MSS: 1460, NOP, Win Scale: 3, NOP, NOP, Timestamp: 0, NOP, NOP, SACK
[+] match_snort_keywords()
[+] packet matched matched tcp keywords for sid: 247 (psad_id: 100011)
❹ "DDOS mstream client to handler"
[+] match_snort_keywords()
[+] match_snort_keywords()
[+] assign_danger_level(): source IP: 12.17.X.X (dl: 0)
❺ [+] assign_danger_level(): DL (after assignment) = 2
[+] scan_logr(): source IP: 12.17.X.X
[+] scan_logr(): dst IP: 71.157.X.X
❻ [+] scan_logr(): generating email.....
[+] scan_logr_signatures(): src: 12.17.X.X dst: 71.157.X.X proto: tcp
[+] MAIN: number of new packets: 0

At ❶ above, the original iptables log message is printed to the screen by psad so that you can see the data source psad analyzes in the remainder of the output. At ❷ the valid packet string indicates that the iptables log message is intact and contains all expected header fields (in this case, for a TCP packet). At ❸ the passive OS fingerprinting algorithm is executed, and at ❹ psad determines that the TCP packet matches the DDOS mstream client to handler signature from the /etc/psad/signatures file. At ❺ psad assigns a danger level of 2 to the source IP address 12.17.X.X because of the Snort signature match, and finally a psad email alert is generated at ❻.

Finally, there are two additional command-line switches that can help you get even more information from psad: -D and --fw-dump. The -D option instructs psad to dump its configuration on STDOUT along with the specifics of the version of Perl on the local system, and the --fw-dump option instructs psad to display the current iptables policy.

Note

psad is careful to not include sensitive information in the -D or --fw-dump output (including email addresses, DShield usernames, IP addresses, and the like), so you can freely email the output to others for comment. This feature is useful for diagnosing tricky problems related to scan and attack detection because it enables people to work against the same configuration.

Concluding Thoughts

In this chapter we've covered some of the more advanced features offered by psad to analyze iptables log messages for evidence of attacks that exist in packet headers, and to passively fingerprint remote operating systems and report information to DShield. None of these activities involve actively responding to attacks, or the detection of suspicious application layer payloads. In Chapter 8, we'll see how psad can dynamically instantiate blocking rules against an attacker, and in Chapter 9 we'll see how iptables rules can emulate Snort rules with full application layer matching capabilities.

Chapter 8. ACTIVE RESPONSE WITH PSAD

One feature that is commonly sought after in intrusion detection systems is the ability to automatically respond to an attack. Such responses for network traffic can take many forms against
