Chapter 6: psad Operations: Detecting Suspicious Traffic
psad offers many features, all designed to get the most out of iptables log messages. From port scans to probes for backdoors, psad detects and reports suspicious activity with verbose email and syslog alerts. Here is an example psad alert:
=-=-=-=-=-=-=-=-=-=-=-= Sat Sep 22 01:10:13 2007 =-=-=-=-=-=-=-=-=-=-=-=

       Danger level: [4] (out of 5)

  Scanned TCP ports: [10-65301: 1522 packets]
          TCP flags: [SYN: 1522 packets, Nmap: -sT or -sS]
     iptables chain: INPUT (prefix "DROP"), 499 packets

             Source: 192.168.10.200
                DNS: int_scanner
           OS guess: Linux:2.5::Linux 2.5 (sometimes 2.4)

        Destination: 192.168.10.1
                DNS: iptablefw

 Overall scan start: Thu Sep 13 21:22:26 2007
 Total email alerts: 7
 Complete TCP range: [1-65301]
    Syslog hostname: iptablesfw

       Global stats:    chain:   interface:   TCP:   UDP:   ICMP:
                        INPUT         eth1   3229      0       2

[+] TCP scan signatures:

    "BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt"
        dst port: 666 (no server bound to local port)
        flags: SYN
        psad_id: 100041 (derived from: 118 157 158)
        chain: INPUT
        packets: 2
        classtype: misc-activity
        reference: (arachnids) http://www.whitehats.com/info/IDS316

    "POLICY vncviewer Java applet communication attempt"
        dst port: 5801 (no server bound to local port)
        flags: SYN
        sid: 1846
        chain: INPUT
        packets: 1
        classtype: misc-activity
        reference: (nessus) http://cgi.nessus.org/plugins/dump.php3?id=10758

    "P2P Napster Client Data communication attempt"
        dst port: 6699 (no server bound to local port)
        flags: SYN
        sid: 561
        chain: INPUT
        packets: 2
        classtype: policy-violation

    "SNMP AgentX/tcp request"
        dst port: 705 (no server bound to local port)
        flags: SYN
        sid: 1421
        chain: INPUT
        packets: 2
        classtype: attempted-recon
        reference: (bugtraq) http://www.securityfocus.com/bid/4088
        reference: (bugtraq) http://www.securityfocus.com/bid/4089
        reference: (bugtraq) http://www.securityfocus.com/bid/4132
        reference: (cve) http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012
        reference: (cve) http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013

[+] Whois Information:

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   192.168.0.0 - 192.168.255.255
CIDR:       192.168.0.0/16
NetName:    IANA-CBLK1
NetHandle:  NET-192-168-0-0-1
Parent:     NET-192-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:
RegDate:    1994-03-15
Updated:    2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org

# ARIN WHOIS database, last updated 2007-09-15 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

=-=-=-=-=-=-=-=-=-=-=-= Sat Sep 22 01:10:13 2007 =-=-=-=-=-=-=-=-=-=-=-=
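As an added example (not code from the book or from the psad project), the following Python script parses an alert of this shape into structured fields that a SIEM or ticketing pipeline can consume, pulling out the danger level, the scanned port range, the source, and each signature hit. The embedded sample alert is constructed from the one above, and the escalation threshold of 3 is an assumption.

```python
import re
# Constructed sample, modelled on the psad alert quoted in this chapter (not a live capture).
SAMPLE_ALERT = """\
=-=-=-=-=-=-=-=-=-=-=-= Sat Sep 22 01:10:13 2007 =-=-=-=-=-=-=-=-=-=-=-=
       Danger level: [4] (out of 5)
  Scanned TCP ports: [10-65301: 1522 packets]
          TCP flags: [SYN: 1522 packets, Nmap: -sT or -sS]
     iptables chain: INPUT (prefix "DROP"), 499 packets
             Source: 192.168.10.200
        Destination: 192.168.10.1
[+] TCP scan signatures:
    "BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt"
        dst port: 666 (no server bound to local port)
        psad_id: 100041 (derived from: 118 157 158)
    "SNMP AgentX/tcp request"
        dst port: 705 (no server bound to local port)
        sid: 1421
"""

# Header fields psad prints as "Label: value"; only the ones this parser keeps.
FIELD_RE = re.compile(r"^\s*(Danger level|Scanned TCP ports|TCP flags|iptables chain|Source|Destination):\s*(.+?)\s*$")
SIG_NAME_RE = re.compile(r'^\s+"(.+)"\s*$')          # quoted signature message line
SIG_ATTR_RE = re.compile(r"^\s+(dst port|sid|psad_id|packets|classtype):\s*(.+?)\s*$")

def parse_alert(text):
    """Parse one psad email alert into header fields plus a list of signature hits."""
    alert = {"signatures": []}
    current = None  # signature block currently being filled in
    for line in text.splitlines():
        if m := FIELD_RE.match(line):
            alert[m.group(1)] = m.group(2)
        elif m := SIG_NAME_RE.match(line):
            current = {"name": m.group(1)}
            alert["signatures"].append(current)
        elif (m := SIG_ATTR_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    dl = re.search(r"\[(\d+)\]", alert.get("Danger level", ""))
    alert["danger_level"] = int(dl.group(1)) if dl else None
    pr = re.search(r"\[(\d+)-(\d+): (\d+) packets\]", alert.get("Scanned TCP ports", ""))
    alert["scanned_ports"] = tuple(map(int, pr.groups())) if pr else None  # (low, high, packets)
    return alert

def closed_port_hits(alert):
    """Ports hit by a signature where psad found no local listener (pure reconnaissance)."""
    return [int(s["dst port"].split()[0]) for s in alert["signatures"]
            if "no server bound" in s.get("dst port", "")]

def needs_escalation(alert, min_danger=3):
    """Escalate on a high danger level or on any signature match against a closed port (threshold assumed)."""
    return (alert["danger_level"] or 0) >= min_danger or bool(closed_port_hits(alert))
```

The "(no server bound to local port)" annotation is worth keying on: a signature hit against a port with no listener is reconnaissance noise to track, not evidence of a successful connection.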