Topic: Port Scan Attack Detector (psad) config problem (Read 127 times)
XspectroX
Member
Posts: 59
« on: August 30, 2007, 02:06:48 »

Hi, while searching for a port-analysis tool for Linux (tools like SSS), I came across this one, "Port Scan Attack Detector", for Linux (just in case: I already know how to work with NMAP). I'm using Ubuntu Dapper Drake (6.06 LTS)... and well... with a simple "apt-get install psad" it installed and everything... but when I try to start it I get this message ....

"Could not find the mail command anywhere. Please edit /etc/psad/psad.conf at /usr/sbin/psad line 2336."...

in the terminal, and I don't know what to do... I don't know if it's a programming problem or something like that, but if anyone who knows Linux or works with this tool can help me get it started, I'd appreciate it... thanks... (I'm somewhat new to the Linux world, but I've learned fast...)
WiNsMuRf
Contributor
Posts: 857
« Reply #1 on: August 30, 2007, 09:33:42 »

Quote:
.Please edit /etc/psad/psad.conf

You have to edit that file. It usually contains help for editing it inside..

Regards
XspectroX
Member
Posts: 59
« Reply #2 on: August 30, 2007, 11:32:06 »

OK, with this command I open the file: "sudo gedit /etc/psad/psad.conf", and this is what the file says. It tells me to edit it, but the question is: what do I edit?


#
##############################################################################
#
#  This is the configuration file for psad (the Port Scan Attack Detector).
#  Normally this file gets installed at /etc/psad/psad.conf, but can be put
#  anywhere in the filesystem and then the path can be specified on the
#  command line argument "-c <file>" to psad.  Note that there are also
#  config files "psadwatchd.conf" and "kmsgsd.conf" for psadwatchd and kmsgsd
#  respectively.  There is also one additional config file "fw_search.conf"
#  that is read by both psad and kmsgsd and defines the strategy psad uses to
#  search through iptables log messages.  The syntax of psad.conf (as well
#  as each of the other config files) is as follows:
#
#  Each line has the form  "<variable name>    <value>;".  Note the semi-
#  colon after the <value>.  All characters after the semicolon will be
#  ignored to provide space for comments.
#
##############################################################################
#
# $Id: psad.conf,v 1.115 2005/10/24 02:52:56 mbr Exp $
#

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    _CHANGEME_;

### Specify the home network.  This variable is used to identify
### traffic that matches snort rules in the iptables FORWARD chain.
### Traffic that is directed to, or originates from, the firewall
### itself (i.e. in the INPUT or OUTPUT chains respectively) is
### treated as traffic to or from the HOME_NET by default and hence
### even if the HOME_NET variable is not defined, psad will still
### be able to detect matching scans.  A syslog and email warning
### message will be generated if this variable is not defined.
### Normally the network(s) specified here should match a directly
### connected network(s) on the local machine.  Multiple networks are supported
### as a comma separated list.  The network(s) should be specified
### in CIDR notation.  The following two lines provide example
### definitions for the HOME_NET variable.  NOTE: The HOME_NET
### variable is not used if there is only one network interface on
### the system (i.e. no traffic will be logged via iptables through
### the FORWARD chain).  If there is only one network interface on
### the box, then just set this variable to "NOT_USED".

### HOME_NET                192.168.10.4/24;
### HOME_NET                10.1.1.0/24, 192.168.10.4/24;
### HOME_NET                NOT_USED;  ### only one interface on box
HOME_NET                    _CHANGEME_;

### Firewall message search strings.  NOTE: the FW_MSG_SEARCH variable
### is now located in the file /etc/psad/fw_search.conf.  Edit this
### file to configure search strings for psad.  The change was made so
### that a single file could be referenced by both psad and kmsgsd for
### search strings in iptables messages.

### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog.
SYSLOG_DAEMON               syslogd;

### Danger levels.  These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1               5;    ### Number of packets.
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
CHECK_INTERVAL              5;

### Search for snort "sid" values generated by fwsnort
### or snort2iptables
SNORT_SID_STR               SID;

### Set the minimum range of ports that must be scanned before
### psad will send an alert.  The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1).  This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD   1;

### If "Y", means that scans will never timeout.  This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE          Y;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT                3600;  ### seconds

### If "Y", means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES         N;

### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall.  We will
### assume packets will not jump through more than 20 hops on
### average.
MAX_HOPS                    20;

### XXX: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page.  Note that
### if a packet matches a snort SID generated by fwsnort (see
### <link hidden by the forum software>)
### then psad will see it even if the ack bit is set.  See the
### SNORT_SID_STR variable.
IGNORE_CONNTRACK_BUG_PKTS   Y;

### define a set of ports to ignore (this is useful particularly
### for port knocking applications since the knock sequence will
### look to psad like a scan).  This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol.  For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS        tcp/61000-61356, udp/53, udp/5000;
IGNORE_PORTS                NONE;

### allow entire protocols to be ignored.  This keyword can accept
### a comma separated list of protocols.  Each protocol must match
### the protocol that is specified in a Netfilter log message (case
### insensitively, so both "TCP" or "tcp" is ok).
### IGNORE_PROTOCOLS            tcp,udp;
IGNORE_PROTOCOLS            NONE;

### allow packets to be ignored based on interface (this is the
### "IN" interface in Nefilter logging messages).
IGNORE_INTERFACES           NONE;

### Send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL    1;

### Include MAC addresses in email alert
ENABLE_MAC_ADDR_REPORTING   N;

### Send no more than this number of emails for a single
### scanning source IP.  Note that enabling this feature may cause
### alerts for real attacks to not be generated if an attack is sent
### after the email threshold has been reached for an IP address.
### This is why the default is set to "0".
EMAIL_LIMIT                 0;

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG      Y;

### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL                   Y;

### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS            N;

### Send scan logs to dshield.org.  This is disabled by default,
### but is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit
### <link hidden by the forum software>
ENABLE_DSHIELD_ALERTS       N;

### dshield.org alert email address; this should not be changed
### unless the guys at DShield have changed it.
DSHIELD_ALERT_EMAIL         reports@dshield.org;

### Time interval (hours) to send email alerts to dshield.org.
### The default is 6 hours, and cannot be less than 1 hour or
### more than 24 hours.
DSHIELD_ALERT_INTERVAL      6;  ### hours

### If you have a DShield user id you can set it here.  The
### default is "0".
DSHIELD_USER_ID             0;

### If you want the outbound DShield email to appear as though it
### is coming from a particular user address then set it here.
DSHIELD_USER_EMAIL          NONE;

### Threshold danger level for DShield data; a scan must reach this
### danger level before associated packets will be included in an
### alert to DShield.  Note that zero is the default since this
### will allow DShield to apply its own logic to determine what
### constitutes a scan (_all_ iptables log messages will be included
### in DShield email alerts).
DSHIELD_DL_THRESHOLD        0;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS             N;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL       5;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT          3600;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD       Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM       1;

### Specify chain names to which iptables blocking rules will be
### added with the IPT_AUTO_CHAIN{n} keyword.  There is no limit on the
### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
### to add an additional IPT_AUTO_CHAIN requirement. The format for this
### variable is:  <Target>,<Direction>,<Table>,<From_chain>,<To_chain>.
### "Target": can be any legitimate Netfilter target, but should usually
###          "DROP".
### "Direction": can be "src", "dst", or "both", which correspond to
###              INPUT, OUTPUT, and FORWARD chains.
### "Table": can be any Netfilter table, but the default is "filter".
### "From_chain": is the chain from which packets will be jumped.
### "To_chain": is the chain to which packet will be jumped.
###
### The following defaults make sense for most installations, but note
### it is possible to include blocking rules in, say, the nat table
### using this functionality as well.
#IPT_AUTO_CHAIN1              DROP, src, filter, INPUT, PSAD_BLOCK_INPUT;
#IPT_AUTO_CHAIN2              DROP, dst, filter, OUTPUT, PSAD_BLOCK_OUTPUT;
#IPT_AUTO_CHAIN3              DROP, both, filter, FORWARD, PSAD_BLOCK_FORWARD;
IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, PSAD_BLOCK_INPUT;
IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, PSAD_BLOCK_OUTPUT;
IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, PSAD_BLOCK_FORWARD;

### Flush all existing rules in the psad chains at psad start time.
FLUSH_IPT_AT_INIT           Y;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD    N;

### Set the whois timeout
WHOIS_TIMEOUT               60;  ### seconds

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD      20;

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD        20;

### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC      N;

### Define an external program to run after a scan is caught.
### Note that the scan source ip can be specified on the command
### line to the external program through the use of the "SRCIP"
### string (along with some appropriate switch for the program).
### Of course this is only useful if the external program knows
### what to do with this information.
### Example:  EXTERNAL_SCRIPT       /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT             /bin/true;

### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT   N;

### Disk usage variables
DISK_CHECK_INTERVAL         300;  ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE         95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES         10;

### Enable archiving of old scan directories at psad startup.
ENABLE_SCAN_ARCHIVE         N;

### Truncate fwdata file at startup
TRUNCATE_FWDATA             Y;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value.  Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL    1;

### Email subject line config.  Change these prefixes if you want
### psad to generate email alerts that say something other than
### the following.
MAIL_ALERT_PREFIX           [psad-alert];
MAIL_STATUS_PREFIX          [psad-status];
MAIL_ERROR_PREFIX           [psad-error];
MAIL_FATAL_PREFIX           [psad-fatal];

### Directories
PSAD_DIR                    /var/log/psad;
SCAN_DATA_ARCHIVE_DIR       /var/log/psad/scan_archive;
ERROR_DIR                   /var/log/psad/errs;
ANALYSIS_MODE_DIR           /var/log/psad/ipt_analysis;
SNORT_RULES_DIR             /etc/psad/snort_rules;

### Files
FW_DATA_FILE                /var/log/psad/fwdata;
ULOG_DATA_FILE              /var/log/psad/ulogd.log;
FW_CHECK_FILE               /var/log/psad/fw_check;
PID_FILE                    /var/run/psad/psad.pid;
CMDLINE_FILE                /var/run/psad/psad.cmd;
SIGS_FILE                   /etc/psad/signatures;
ICMP_TYPES_FILE             /etc/psad/icmp_types;
AUTO_DL_FILE                /etc/psad/auto_dl;
POSF_FILE                   /etc/psad/posf;
P0F_FILE                    /etc/psad/pf.os;
PSAD_FIFO                   /var/lib/psad/psadfifo;
ETC_HOSTS_DENY              /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE             /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE         /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE         /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       /var/log/psad/auto_blocked_tcpwr;

### File used internally by psad to add Netfilter blocking
### rules to a running psad process
AUTO_IPT_SOCK               /var/run/psad/auto_ipt.sock;

FW_ERROR_LOG                /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH             /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE         /var/log/psad/packet_ctr;

### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE        /var/log/psad/dshield_ctr;

### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE     /var/log/psad/ipt_prefix_ctr;

### system binaries
shCmd            /bin/sh;
iptablesCmd      /sbin/iptables;
mknodCmd         /bin/mknod;
psCmd            /bin/ps;
mailCmd          /usr/bin/mail;
sendmailCmd      /usr/sbin/sendmail;
ifconfigCmd      /sbin/ifconfig;
syslogdCmd       /sbin/syslogd;
syslog-ngCmd     /sbin/syslog-ng;  ### only used if SYSLOG_DAEMON = syslog-ng
killallCmd       /usr/bin/killall;
netstatCmd       /bin/netstat;
unameCmd         /bin/uname;
# we do not need to compile the whois client
# stripped the extension ../whois_psad
whoisCmd         /usr/bin/whois;
dfCmd            /bin/df;
fwcheck_psadCmd  /usr/sbin/fwcheck_psad;
psadwatchdCmd    /usr/sbin/psadwatchd;
kmsgsdCmd        /usr/sbin/kmsgsd;
psadCmd          /usr/sbin/psad;
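As a worked example added here (not code from the posts above or from the psad project), the following Python checker parses the "<variable name>    <value>;" syntax described in the file header, flags keys still set to the _CHANGEME_ placeholder (HOSTNAME and HOME_NET in the posted file) and reports any *Cmd path that does not exist on the box, which is exactly the condition behind the "Could not find the mail command" error. The SAMPLE text is constructed from a few lines of the posted config, and the `exists` callback is an assumption added so the check can be exercised without touching the real filesystem.

```python
import os
from typing import Callable, Dict, List

# Value psad ships for settings the administrator must replace before starting.
PLACEHOLDER = "_CHANGEME_"

# Constructed sample: a handful of lines in the same shape as the posted psad.conf.
SAMPLE = """\
### Supports multiple email addresses (as a comma separated list).
EMAIL_ADDRESSES             root@localhost;
HOSTNAME                    _CHANGEME_;
HOME_NET                    _CHANGEME_;
DANGER_LEVEL1               5;    ### Number of packets.
mailCmd          /usr/bin/mail;
sendmailCmd      /usr/sbin/sendmail;
"""


def parse_psad_conf(text: str) -> Dict[str, str]:
    """Parse psad.conf: one '<name> <value>;' per line; '#' lines are comments.

    Everything after the first semicolon is ignored, which is the space the
    file header reserves for trailing comments such as '### Number of packets.'
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, sep, _trailing_comment = line.partition(";")
        if not sep:
            continue  # psad requires the terminating semicolon; skip malformed lines
        parts = body.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts
        conf[name] = value.strip()
    return conf


def lint_psad_conf(conf: Dict[str, str],
                   exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the problems that keep psad from starting cleanly:
    placeholders never replaced, and *Cmd binaries that are not installed."""
    issues: List[str] = []
    for name, value in conf.items():
        if value == PLACEHOLDER:
            issues.append(f"{name} is still set to {PLACEHOLDER}")
        elif name.endswith("Cmd") and not exists(value):
            issues.append(f"{name}: {value} not found; install it or point the key elsewhere")
    return issues


if __name__ == "__main__":
    for issue in lint_psad_conf(parse_psad_conf(SAMPLE)):
        print(issue)
```

Run it against the real file with `lint_psad_conf(parse_psad_conf(open("/etc/psad/psad.conf").read()))`; on a box without a mail client the mailCmd line is the one that shows up.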