Detecting suspicious network traffic with psad


Author: Paul Virijevich

Have you ever wondered how many people are scanning your server looking for weaknesses? One way to find out is to install the Port Scan Attack Detector (psad), a collection of three lightweight system daemons that alert you to suspicious network activity by analyzing iptables log files.

With psad you can:

  • Detect port scans
  • View a report of all attacks, along with system resources consumed by PSAD
  • Detect application layer attacks using Snort rulesets
  • Block IP addresses in real time
  • Receive comprehensive email alerts
  • Report attacks to Dshield

psad requires only an iptables firewall with logging enabled. To enable logging, add:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

to the end of your firewall script.

Once you’ve met the requirements, install psad using the installation script included in the product’s download. Just run the script install.pl and answer a few simple questions about your system’s configuration. If you need to make future changes to psad’s configuration, you can edit its configuration file, /etc/psad/psad.conf.

When you start psad with the command /etc/rc.d/psad start, you actually start psad and its two helper daemons, kmsgsd and psadwatchd. kmsgsd parses out all of the iptables-related messages that the kernel receives and sends them to psad’s data file /var/log/psad/fwdata. The psadwatchd daemon runs every five seconds to make sure that both psad and kmsgsd are running. If they are not, it restarts them and sends an email alerting the system administrator to this fact.

To view a status report, use the command /etc/rc.d/psad status. The report shows the amount of resources each of the daemons uses, along with information about any scans psad detects. A status report looks something like this:

[+] psadwatchd (pid: 4246) %CPU: 0.0 %MEM: 0.1
Running since: Tue Apr 5 09:45:11 2005

[+] kmsgsd (pid: 4244) %CPU: 0.0 %MEM: 0.1
Running since: Tue Apr 5 09:45:11 2005

[+] psad (pid: 4242) %CPU: 2.8 %MEM: 3.3
Running since: Tue Apr 5 09:45:11 2005
Command line arguments: [none specified]
Alert email address(es): root@test.internal root@test.internal.

src:        dst:        chain:  intf:  tcp:   udp:  icmp:  dl:  alerts:  os_guess:
127.0.0.1   127.0.0.1   INPUT   lo     3800   0     4      4    14       -

Iptables prefix counters:
[NONE]

Total scan sources: 1
Total scan destinations: 1

Total packet counters:
tcp: 3800
udp: 24
icmp: 4

One interesting feature of psad is its ability to block port scans in real time. To do this, edit the configuration file and change the parameter:

ENABLE_AUTO_IDS N;
to
ENABLE_AUTO_IDS Y;

This feature is disabled by default because the source address of a port scan may be spoofed, so blocking it blindly could cut off a legitimate host. However, psad lets you block an IP address only after a certain number of offending packets have been received from it, by using a danger level. Danger levels are defined in the configuration file. To set the danger level at which an IP address is automatically blocked, set the parameter:

AUTO_IDS_DANGER_LEVEL;
to
AUTO_IDS_DANGER_LEVEL 5;

This will block an IP address after it reaches danger level 5, which occurs after 10,000 packets have been received from the same IP address.

Another feature of psad is the ability to detect application layer attacks using Snort rulesets and the iptables string match extension, by using the companion program fwsnort. fwsnort builds iptables rulesets that are equivalent to Snort’s using the iptables string match extension. This works for approximately 70% of Snort rules. This option is available only if you are running a 2.4 series kernel, because the string match extension has yet to be ported to the 2.6 kernel.

psad sends email alerts to the system administrator whenever it detects suspicious activity. By default, it sends alerts whenever two or more of your ports are scanned. You can make these alerts less sensitive by changing the parameter:

PORT_RANGE_SCAN_THRESHOLD 1;

to a number representing a higher range of ports. To view sample alerts for port scans and application layer attacks, visit the project Web site.
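To make the log analysis described above concrete (kmsgsd's iptables messages, the per-source danger level, and the PORT_RANGE_SCAN_THRESHOLD alert), here is a small added example that is not part of psad or this article: it parses constructed iptables LOG lines in the kernel's netfilter format, tallies packets and distinct destination ports per source, and applies the two thresholds. The danger-level packet counts below level 5 and the "distinct ports beyond the threshold" rule are simplifying assumptions, not psad's exact scoring.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not real traffic), in the netfilter format that
# kmsgsd copies from the kernel log into /var/log/psad/fwdata.
SAMPLE_LOG = """\
Apr  5 09:46:01 test kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Apr  5 09:46:01 test kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Apr  5 09:46:02 test kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Apr  5 09:46:02 test kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40004 DPT=53
Apr  5 09:46:03 test kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Apr  5 09:46:04 test kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
# Assumed packet-count thresholds for danger levels 1..5 (hypothetical values;
# only level 5 = 10,000 packets is stated by the article).
DANGER_LEVELS = (5, 15, 150, 1500, 10000)

def parse_log(text):
    """Return a SRC/DST/PROTO/DPT dict for every LOG line that carries a SRC= field."""
    return [f for f in (dict(FIELD_RE.findall(ln)) for ln in text.splitlines()) if "SRC" in f]

def danger_level(packets):
    """Danger level 0..5: the highest level whose packet threshold the source has reached."""
    return sum(1 for threshold in DANGER_LEVELS if packets >= threshold)

def flag_scans(text, port_range_scan_threshold=1, auto_ids_danger_level=5):
    """Per-source report. 'alert' follows PORT_RANGE_SCAN_THRESHOLD (more distinct
    destination ports than the threshold); 'block' follows AUTO_IDS_DANGER_LEVEL."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "tcp": 0, "udp": 0, "icmp": 0})
    for ev in parse_log(text):
        s = per_src[ev["SRC"]]
        s["packets"] += 1
        proto = ev.get("PROTO", "").lower()
        if proto in ("tcp", "udp", "icmp"):
            s[proto] += 1
        if "DPT" in ev:
            s["ports"].add(int(ev["DPT"]))
    report = {}
    for src, s in per_src.items():
        level = danger_level(s["packets"])
        report[src] = {
            "packets": s["packets"], "tcp": s["tcp"], "udp": s["udp"], "icmp": s["icmp"],
            "ports": sorted(s["ports"]), "dl": level,
            "alert": len(s["ports"]) > port_range_scan_threshold,
            "block": level >= auto_ids_danger_level,
        }
    return report
```

Running `flag_scans(SAMPLE_LOG)` flags 203.0.113.7 (four ports touched) for an alert but not for blocking, since four packets are far below danger level 5.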

Another great feature of psad is its ability to send reports to the Dshield project. Dshield collects firewall logs from all over the world and parses them to show which services crackers are targeting at any given time. Sending your logs to Dshield makes its picture more accurate for everyone. You can also use Dshield's site to check whether an attack coming from your machine has ever shown up in its logs.

If it does not violate any of your company’s policies, help Dshield out by sending your firewall logs by changing:

ENABLE_DSHIELD_ALERTS N;
to
ENABLE_DSHIELD_ALERTS Y;

in the psad configuration file.

psad is a valuable tool for those wanting to know who is probing their network and what they are looking for. It is lightweight, uses your existing firewall setup, and is customizable to your level of paranoia. Its integration with Dshield helps to make the Internet safer for everyone.
