Art of Information Security Blog About psad
20 January, 2008

"ICMP PING" (icmp), Count: 223, Unique sources: 89, Sid: 384
"MISC Windows popup spam attempt" (udp), Count: 154, Unique sources: 38, Sid: 100196
"MISC Microsoft SQL Server communication attempt" (tcp), Count: 37, Unique sources: 16, Sid: 100205
"MISC VNC communication attempt" (tcp), Count: 14, Unique sources: 6, Sid: 100202
"PSAD-CUSTOM Nachi worm reconnaisannce" (icmp), Count: 10, Unique sources: 5, Sid: 100209
"MISC Ghostsurf communication attempt" (tcp), Count: 6, Unique sources: 1, Sid: 100203
"MISC HP Web JetAdmin communication attempt" (tcp), Count: 6, Unique sources: 2, Sid: 100084
"BACKDOOR DoomJuice file upload attempt" (tcp), Count: 4, Unique sources: 1, Sid: 2375
"MISC Radmin Default install options attempt" (tcp), Count: 2, Unique sources: 1, Sid: 100204
There was also more publicity for psad and fwsnort at linux.com,
where John Bambenek referenced both projects in an article entitled
"iptables as a replacement for commercial enterprise firewalls".
I completely agree that in many cases iptables can function as a complete replacement for
commercial firewall products. It may not be appropriate for every deployment,
depending on corporate factors such as the level of expertise of the local IT
staff and the need for support, but I think these barriers are waning in importance given
the quality of iptables, of modern Linux distributions, and of user interfaces
such as Firewall Builder (mentioned by John in his article).