
/etc/psad/psad.conf configuration in detail

All of the psad daemons use the /etc/psad/psad.conf configuration file, which follows a simple convention: comment lines begin with the character (#), and configuration parameters use a key/value format. For example, the HOSTNAME variable in psad.conf defines the hostname of the system on which psad is deployed:


### Machine hostname
HOSTNAME                    localhost;

Syntax

Configuration variables in the psad configuration files (/etc/psad/psad.conf, /etc/psad/fw_search.conf, /etc/psad/kmsgsd.conf, and /etc/psad/psadwatchd.conf) follow a simple key/value scheme. For example, the WHOIS_TIMEOUT keyword is defined as follows in /etc/psad/psad.conf:
WHOIS_TIMEOUT                       60;
Note that the value associated with each key is terminated by a semicolon, which marks the end of the value string. All lines that begin with a "#" are treated as comments. A comment may also be included on a line that contains a keyword as long as it appears after the terminating semicolon and is preceded by a "#", so a value can be documented on the same line. E.g.:
WHOIS_TIMEOUT                       60;    ### Seconds
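Added example, not part of this page or of psad itself: a small Python parser for the key/value syntax just described, plus two consistency checks that use variables documented further down this page (the DANGER_LEVEL{n} thresholds must increase, and MIN_DANGER_LEVEL should not exceed EMAIL_ALERT_DANGER_LEVEL). The sample configuration text is constructed for the example and deliberately contains one line without its terminating semicolon.

```python
import re

# Constructed sample in psad.conf syntax; it is not a real /etc/psad/psad.conf.
# Line 10 (SCAN_TIMEOUT) deliberately lacks the terminating ';' to show the error path.
SAMPLE_CONF = """\
### Machine hostname
HOSTNAME                    localhost;
EMAIL_ADDRESSES             you@domain1.com, you@domain2.com;
WHOIS_TIMEOUT               60;    ### Seconds
DANGER_LEVEL1               5;
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
#IGNORE_PORTS               udp/53;   (commented out, so ignored)
IGNORE_PORTS                tcp/61000-61356, udp/53, udp/5000;
SCAN_TIMEOUT                3600
MIN_DANGER_LEVEL            2;
EMAIL_ALERT_DANGER_LEVEL    1;
"""

# key, whitespace, value up to the first ';'; whatever follows the ';' is ignored.
KEY_RE = re.compile(r'^(\w+)\s+([^;]*);')


def parse_psad_conf(text):
    """Parse psad-style key/value text into (dict, errors).

    Rules from the Syntax section: a line whose first non-blank character is
    '#' is a comment; a value runs from the key up to the terminating ';';
    anything after that ';' is ignored, so a trailing '### note' is fine.
    A key line with no ';' is reported as malformed instead of being silently
    accepted, because the daemon would otherwise run with a default the
    administrator did not intend.
    """
    conf, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = KEY_RE.match(line)
        if m is None:
            errors.append((lineno, raw))
            continue
        conf[m.group(1)] = m.group(2).strip()
    return conf, errors


def split_list(value):
    """EMAIL_ADDRESSES, HOME_NET and IGNORE_PORTS are comma separated lists."""
    return [v.strip() for v in value.split(',') if v.strip()]


def check_conf(conf):
    """Cross-variable sanity checks worth running before restarting psad."""
    problems = []
    levels = [(n, int(conf['DANGER_LEVEL%d' % n]))
              for n in range(1, 6) if 'DANGER_LEVEL%d' % n in conf]
    for (n1, a), (n2, b) in zip(levels, levels[1:]):
        if a >= b:
            problems.append('DANGER_LEVEL%d (%d) must be below DANGER_LEVEL%d (%d)'
                            % (n1, a, n2, b))
    min_dl = int(conf.get('MIN_DANGER_LEVEL', 1))
    email_dl = int(conf.get('EMAIL_ALERT_DANGER_LEVEL', 1))
    if min_dl > email_dl:
        # IPs below MIN_DANGER_LEVEL are never tracked, so the email threshold
        # is silently raised to MIN_DANGER_LEVEL.
        problems.append('MIN_DANGER_LEVEL (%d) exceeds EMAIL_ALERT_DANGER_LEVEL (%d)'
                        % (min_dl, email_dl))
    return problems


if __name__ == '__main__':
    conf, errors = parse_psad_conf(SAMPLE_CONF)
    for lineno, raw in errors:
        print('malformed line %d: %r' % (lineno, raw))
    for p in check_conf(conf):
        print('problem:', p)
```

Run it against a real psad.conf by replacing SAMPLE_CONF with the file contents; malformed lines and threshold inversions are reported before the daemon is restarted.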

Configuration Variables

The following keywords and associated defaults are defined by psad. All keywords are defined in /etc/psad/psad.conf unless otherwise noted. An example is given for each keyword in the text below.


EMAIL_ADDRESSES

EMAIL_ADDRESSES defines the email addresses to which psad sends scan alerts, administrative messages and other notifications. Multiple email addresses are supported as a comma separated list. The default value is "root@localhost", but the psad installer prompts the user to change this at install time. For example:
EMAIL_ADDRESSES                     you@domain1.com, you@domain2.com;

HOME_NET

HOME_NET specifies the home network. This variable is used to identify traffic that matches snort rules in the iptables FORWARD chain. Traffic that is directed to, or originates from, the firewall itself (i.e. in the INPUT or OUTPUT chains respectively) is treated as traffic to or from the HOME_NET by default and hence even if the HOME_NET variable is not defined, psad will still be able to detect matching scans. A syslog and email warning message will be generated if this variable is not defined. Normally the network(s) specified here should match directly networks on the local machine. Multiple networks are supported as a comma separated list. The network(s) should be specified in CIDR notation. NOTE: The HOME_NET variable is not used if there is only one network interface on the system (i.e. no traffic will be logged via iptables through the FORWARD chain). If there is only one network interface on the box, then just set this variable to "NOT_USED".
Because psad detects suspicious traffic using modified Snort rules (as described in Chapter 7), the variables it uses in psad.conf resemble those used by Snort. HOME_NET defines the local network(s) on which the psad host sits. psad treats HOME_NET slightly differently from Snort, however: any packet logged in the INPUT chain is regarded as aimed at the local network regardless of its source address, because such packets are directed at the iptables firewall itself. This behaviour can be turned off by setting ENABLE_INTF_LOCAL_NETS to N. The local network list for this example is defined as follows:
HOME_NET                            192.168.10.4/24;

SYSLOG_DAEMON

SYSLOG_DAEMON sets the type of syslog daemon that is used. Psad supports three different syslog daemons, syslogd, syslog-ng, and metalog, one of which may be specified as the argument to the SYSLOG_DAEMON keyword (as noted below, ulogd is also accepted). The default is "syslogd".
The SYSLOG_DAEMON variable tells psad which syslog daemon is running on the local system; the accepted values are syslogd, syslog-ng, ulogd and metalog. It lets psad verify that the corresponding syslog configuration is set up to write kern.info messages to the /var/lib/psad/psadfifo named pipe, with one exception: if psad is configured to obtain its iptables log messages via ulogd, no syslog daemon needs to be running at all, because ulogd writes the messages directly to disk. In that case psad does not even need to start the kmsgsd daemon.
SYSLOG_DAEMON                       syslogd;

DANGER_LEVEL{n}

DANGER_LEVEL{1,2,3,4,5} sets the number of packets that must be seen in order to reach each danger level. Psad supports five danger levels, with 1 being the least severe and 5 being most severe. Scans are assigned a danger level based upon the thresholds defined by the DANGER_LEVEL{1,2,3,4,5} variables. Scans may also be assigned a danger level if a specific signature is matched (see: /etc/psad/signatures) or if the IP address from which the scan originates is automatically assigned a danger level (see: /etc/psad/auto_dl). The default values for the DANGER_LEVEL variables appear in the example below.

psad assigns a danger level to every piece of malicious activity, which lets alerts be prioritized. Danger levels range from 1 to 5 (5 being the most severe) and are assigned to the source IP address of every attack or scan psad detects. The level assigned depends on three factors: the characteristics of the scan (packet count, port range and time interval), whether the packets match a signature defined in /etc/psad/signatures, and whether the packets come from an IP address or network listed in /etc/psad/auto_dl.

For port scans and their packet counts, the DANGER_LEVEL{n} variables in psad.conf specify the number of packets required to reach each danger level:

DANGER_LEVEL1                       5;
DANGER_LEVEL2                       15;
DANGER_LEVEL3                       150;
DANGER_LEVEL4                       1500;
DANGER_LEVEL5                       10000;

PSAD_CHECK_INTERVAL

PSAD_CHECK_INTERVAL sets the number of seconds psad sleeps before checking for new iptables log messages. The default is 5 seconds.
psad spends most of its time sleeping; it wakes up periodically to check whether new iptables log messages have appeared in the /var/log/psad/fwdata file. The interval between two successive checks is defined in seconds by PSAD_CHECK_INTERVAL, and the default is 5 seconds. It can be set as low as 1 second, but that is normally unnecessary unless you want alerts generated as quickly as possible.
PSAD_CHECK_INTERVAL                 5;

SNORT_SID_STR

SNORT_SID_STR instructs psad to search for snort "sid" values generated by fwsnort or snort2iptables in iptables logging prefixes. The default is "SID" since fwsnort generates iptables logs that contain strings such as "SID940".
This variable defines a substring that psad matches against iptables log messages to find out whether a message generated by an iptables rule carries information fully describing a Snort rule. Such iptables rules are generated by fwsnort (see Chapters 9 and 10) and normally carry a SID{n} log prefix, where {n} is the Snort ID of the original Snort rule. The default value of SNORT_SID_STR is SID.
SNORT_SID_STR                       SID;

PORT_RANGE_SCAN_THRESHOLD

PORT_RANGE_SCAN_THRESHOLD defines the minimum range of ports that must be scanned before an email alert will be generated. For example, setting PORT_RANGE_SCAN_THRESHOLD to 1 would require that at least two different ports must be scanned before an alert is sent (i.e. an alert will not be generated if multiple scan packets are sent against the same port). Setting PORT_RANGE_SCAN_THRESHOLD to 0 is the most verbose setting and will cause psad to send alerts for any scan that involves at least the number of packets specified by DANGER_LEVEL1, even if such a scan only involves a single port. The default value for PORT_RANGE_SCAN_THRESHOLD is 1.
This variable defines the minimum range of ports a port scan must cover before psad assigns it a danger level. By default PORT_RANGE_SCAN_THRESHOLD is 1, which means at least two distinct ports must have been scanned before a scan reaches danger level 1; in other words, an IP address can hit a single port repeatedly without ever triggering a psad alert. (psad never alerts on activity that has not reached danger level 1; the level at which psad sends an alert can be raised further, from 1 up to 5, with EMAIL_ALERT_DANGER_LEVEL below.) To stop psad from considering the scanned port range at all, set PORT_RANGE_SCAN_THRESHOLD to 0.
PORT_RANGE_SCAN_THRESHOLD           1;

ENABLE_PERSISTENCE

ENABLE_PERSISTENCE controls whether or not psad will allow scans to timeout. The default value is "Y", which means that scans will never timeout. This is useful for catching scans that take place over long periods of time where the attacker is trying to slip beneath the IDS detection thresholds.
Port-scan detection software usually relies on two thresholds to catch a scan: the number of ports probed and the time window. An attacker can try to stay under those thresholds by probing fewer ports or by slowing the scan down. ENABLE_PERSISTENCE tells psad not to use SCAN_TIMEOUT as a factor in scan detection, which helps defeat scanners that probe a target slowly over days or weeks in order to stay under the timeout. Once a scan reaches the packet count defined by DANGER_LEVEL1 (however long it took to send that many packets), psad sends an alert.
ENABLE_PERSISTENCE                  Y;

SCAN_TIMEOUT

Defines the number of seconds psad will use to timeout scans (or other suspect traffic) associated with individual IP addresses. The default value is 3600 seconds (one hour). Note the SCAN_TIMEOUT is only used if ENABLE_PERSISTENCE is set to "N".
By default SCAN_TIMEOUT is 3600 seconds (one hour), the length of time psad uses to track a single scan: if malicious traffic from a given IP address does not reach danger level 1 within that window, psad generates no alert. SCAN_TIMEOUT is effectively ignored by setting ENABLE_PERSISTENCE to Y (see above).
SCAN_TIMEOUT                        3600;
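Added example, not psad's own code: a simplified Python model of how DANGER_LEVEL{n}, PORT_RANGE_SCAN_THRESHOLD, ENABLE_PERSISTENCE and SCAN_TIMEOUT combine. It counts packets per source across constructed iptables LOG lines, interprets the port range as highest minus lowest destination port seen (so the default threshold of 1 needs two distinct ports), and, when persistence is off, restarts the count after a gap longer than SCAN_TIMEOUT. Signature matches and /etc/psad/auto_dl are left out; the timestamps and log lines are constructed.

```python
import re
from collections import defaultdict

# Defaults quoted on this page.
DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}
PORT_RANGE_SCAN_THRESHOLD = 1
SCAN_TIMEOUT = 3600

KV_RE = re.compile(r'(\w+)=(\S*)')


def mk_line(src, dpt, proto='TCP'):
    """Build a constructed iptables LOG line in the kernel's usual layout."""
    return ('Jan 10 12:00:00 fw kernel: DROP IN=eth0 OUT= SRC=%s DST=192.168.10.4 '
            'LEN=44 TTL=52 ID=1 PROTO=%s SPT=40000 DPT=%d SYN URGP=0' % (src, proto, dpt))


class ScanTracker:
    """Per-source packet counting with the danger-level rules described above."""

    def __init__(self, persistence=False, scan_timeout=SCAN_TIMEOUT,
                 port_range_threshold=PORT_RANGE_SCAN_THRESHOLD, levels=DANGER_LEVELS):
        self.persistence = persistence          # ENABLE_PERSISTENCE Y/N
        self.scan_timeout = scan_timeout        # only used when persistence is off
        self.port_range_threshold = port_range_threshold
        self.levels = levels
        self.state = defaultdict(lambda: {'pkts': 0, 'ports': set(), 'last': None})

    def observe(self, ts, line):
        """Account one log line seen at time ts; return the source's current level."""
        fields = dict(KV_RE.findall(line))
        if 'SRC' not in fields:
            return None
        s = self.state[fields['SRC']]
        # ENABLE_PERSISTENCE N: a gap longer than SCAN_TIMEOUT since the last
        # packet restarts the count. That gap is exactly what a slow scanner exploits.
        if (not self.persistence and s['last'] is not None
                and ts - s['last'] > self.scan_timeout):
            s['pkts'], s['ports'] = 0, set()
        s['pkts'] += 1
        s['last'] = ts
        if fields.get('DPT', '').isdigit():
            s['ports'].add(int(fields['DPT']))
        return self.danger_level(fields['SRC'])

    def danger_level(self, src):
        s = self.state[src]
        # Port range = highest minus lowest destination port seen (assumption of
        # this model); the default threshold of 1 therefore needs two distinct ports.
        port_range = (max(s['ports']) - min(s['ports'])) if s['ports'] else 0
        if port_range < self.port_range_threshold:
            return 0
        return max([lvl for lvl, need in self.levels.items() if s['pkts'] >= need], default=0)


def replay(events, persistence):
    """Feed (timestamp, log line) pairs through a tracker; return the final level per source."""
    tracker = ScanTracker(persistence=persistence)
    for ts, line in events:
        tracker.observe(ts, line)
    return {src: tracker.danger_level(src) for src in tracker.state}


if __name__ == '__main__':
    # Six probes, one every two hours: invisible with persistence off, DL1 with it on.
    slow = [(i * 7200, mk_line('10.0.0.7', 100 + i)) for i in range(6)]
    print('persistence N:', replay(slow, False))
    print('persistence Y:', replay(slow, True))
```

The slow-scan case is the one to keep in mind: with ENABLE_PERSISTENCE set to N, six probes spaced two hours apart never accumulate because each arrives after SCAN_TIMEOUT has expired, while with persistence the same six packets cross DANGER_LEVEL1.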

SHOW_ALL_SIGNATURES

If set to "Y" instructs psad to include all scan signatures associated with an IP address in every new email alert for the IP. Note that this may result in long email alerts if an IP is persistently hitting your site with suspicious traffic over a long period of time. SHOW_ALL_SIGNATURES is set to "N" by default and hence psad will only display alert information associated with new signatures.
This variable controls whether every alert includes all of the signature matches associated with an IP address (Chapter 7 shows examples of the signature information included in psad alerts). It is disabled by default because, if a particular IP address keeps sending suspicious traffic to your site over a long period, it would make psad's email alerts very long. Even with SHOW_ALL_SIGNATURES disabled, psad's email alerts still include every signature newly triggered during the most recent PSAD_CHECK_INTERVAL.
SHOW_ALL_SIGNATURES                 N;

IGNORE_CONNTRACK_BUG_PKTS

Instructs psad to ignore TCP packets that have the ACK bit set. The reason for this stems from the fact that the TCP connection tracking code in the Linux kernel sets an inappropriately short timeout for acknowledgement packets associated with TCP sessions that have entered the CLOSE_WAIT state. Note that TCP packets that trip application level inspection signatures as detected by fwsnort will still be alerted upon by psad since fwsnort generates iptables logging prefixes such as "SID940" which are parsed first by psad. The default value for IGNORE_CONNTRACK_BUG_PKTS is "Y".
IGNORE_CONNTRACK_BUG_PKTS            Y;

IGNORE_PORTS

Defines a set of TCP and/or UDP ports that psad should ignore even if suspicious traffic is logged over these ports. Both port ranges and individual TCP and UDP ports can be specified. This keyword adds a degree of configurability to psad in an effort to compensate for an iptables policy that may not be ideally configured (i.e. generating logs for traffic it shouldn't), or for applications such as port knocking schemes (see: fwknop) that generate traffic that is essentially indistinguishable from port scans. The default value for IGNORE_PORTS is "NONE".
An important capability of an intrusion detection system is filtering out the kinds of data the administrator wants the IDS to ignore entirely. IGNORE_PORTS tells psad to ignore iptables log messages based on the packet's destination port and protocol (TCP or UDP). Port ranges, multiple ports and protocol combinations are specified like this:
IGNORE_PORTS                        tcp/61000-61356, udp/53, udp/5000;
As an alternative to IGNORE_PORTS, the iptables policy can be adjusted so that the packets you want ignored match some other rule before they reach the LOG rule.

EMAIL_ALERT_DANGER_LEVEL

Defines the minimum danger level a scan must reach before an email alert will be generated by psad. The default value for EMAIL_ALERT_DANGER_LEVEL is "1".
This variable sets the minimum danger level an IP address must be assigned before psad sends an email alert for it. The default is 1.
EMAIL_ALERT_DANGER_LEVEL            1;

PSAD_EMAIL_LIMIT

Defines the maximum number of emails that will be sent for an individual IP address. The default is "0" which instructs psad to not set any limit for the number of email alerts that it will send for a particular IP address. Normally if an IP is causing psad to generate hundreds of alert emails there is a misconfiguration in either the iptables policy or in the manner in which the network is being utilized by the IP. Note that enabling this feature by setting PSAD_EMAIL_LIMIT to some value greater than "0" may cause alerts for real attacks to not be generated if an attack is sent after the email threshold has been reached for an IP address.
In some cases an iptables policy is configured to log traffic that is not malicious but recurs on the network (for example DNS requests to a particular DNS server). If psad interprets such traffic as a scan, it may send a great many email alerts about it. PSAD_EMAIL_LIMIT caps the number of email alerts psad sends for any scanning IP address. The default of 0 means no limit; set it to 100, as in the example below, and psad sends no more than 100 email alerts about any particular IP address.
PSAD_EMAIL_LIMIT                    100;

EMAIL_LIMIT_STATUS_MSG

If set to "Y" will instruct psad to send a status email message whenever an IP address has reached the PSAD_EMAIL_LIMIT threshold. The default is "Y".
EMAIL_LIMIT_STATUS_MSG              Y;

FW_MSG_SEARCH

The FW_MSG_SEARCH variable defines how psad searches iptables log messages. To restrict psad to analyzing only log messages that contain a particular log prefix (set with the --log-prefix argument of an iptables LOG rule), define that prefix here. This lets iptables assign a different log prefix to packets that psad should not analyze.

For example, to have psad analyze only iptables log messages that contain the string DROP, configure FW_MSG_SEARCH as follows:

FW_MSG_SEARCH                       DROP;
ALERTING_METHODS

Most administrators use both the email and the syslog alerting modes psad provides, and the ALERTING_METHODS variable controls whether psad generates email alerts, syslog alerts, or both. It accepts three values: noemail, nosyslog and ALL. The noemail and nosyslog values tell psad not to send email alerts or syslog alerts respectively, and they can be combined to disable all alerting. By default both email and syslog alerts are generated:

ALERTING_METHODS                    ALL;

ALERT_ALL

If set to "Y" instructs psad to send email alerts for any new suspect traffic from a particular IP address instead of just when the IP reaches a new danger level. The default for ALERT_ALL is "Y".
When this variable is set to Y, psad generates an email and/or syslog alert whenever it sees new malicious activity from an IP address that has reached danger level 1. If it is set to N, psad alerts only when the danger level associated with that IP address rises.
ALERT_ALL                           Y;
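Added example, not from this page or from psad: a Python decision routine that models the email alerting variables EMAIL_ALERT_DANGER_LEVEL, PSAD_EMAIL_LIMIT, EMAIL_LIMIT_STATUS_MSG and ALERT_ALL, together with MIN_DANGER_LEVEL (described further down the page). It makes visible the caveat from the PSAD_EMAIL_LIMIT text: once the cap for an address is reached, a later and more severe scan from that address produces no alert. The order in which the checks are applied is an assumption of this example.

```python
class AlertPolicy:
    """Per-IP email alert decisions driven by the psad.conf variables above.

    Defaults mirror the page: alert from danger level 1, no email cap,
    a status message when a cap is hit, ALERT_ALL=Y and MIN_DANGER_LEVEL=1.
    """

    def __init__(self, email_alert_dl=1, email_limit=0, limit_status_msg=True,
                 alert_all=True, min_dl=1):
        self.email_alert_dl = email_alert_dl        # EMAIL_ALERT_DANGER_LEVEL
        self.email_limit = email_limit              # PSAD_EMAIL_LIMIT (0 = unlimited)
        self.limit_status_msg = limit_status_msg    # EMAIL_LIMIT_STATUS_MSG
        self.alert_all = alert_all                  # ALERT_ALL
        self.min_dl = min_dl                        # MIN_DANGER_LEVEL
        self.ips = {}   # src -> {'sent': emails sent, 'top_dl': highest level, 'status_sent': bool}

    def decide(self, src, dl):
        """Return what would happen for new suspect traffic from src at danger level dl."""
        if dl < self.min_dl:
            return 'ignored'            # below MIN_DANGER_LEVEL: not even tracked
        st = self.ips.setdefault(src, {'sent': 0, 'top_dl': 0, 'status_sent': False})
        if dl < self.email_alert_dl:
            st['top_dl'] = max(st['top_dl'], dl)
            return 'tracked'            # recorded, but EMAIL_ALERT_DANGER_LEVEL not reached
        if not self.alert_all and dl <= st['top_dl']:
            return 'no_new_level'       # ALERT_ALL=N: alert only when the level rises
        if self.email_limit and st['sent'] >= self.email_limit:
            # PSAD_EMAIL_LIMIT reached: nothing more goes out for this address,
            # however severe the new activity is. One status message is sent
            # first when EMAIL_LIMIT_STATUS_MSG is Y.
            if self.limit_status_msg and not st['status_sent']:
                st['status_sent'] = True
                return 'status_email'
            return 'suppressed'
        st['sent'] += 1
        st['top_dl'] = max(st['top_dl'], dl)
        return 'email'


if __name__ == '__main__':
    policy = AlertPolicy(email_limit=3)
    for level in (1, 1, 1, 1, 1, 5):
        print('10.0.0.5 at DL%d -> %s' % (level, policy.decide('10.0.0.5', level)))
```

Running the block prints three emails, one status message, one suppressed alert and then a suppressed danger level 5 event for the same address, which is why a non-zero PSAD_EMAIL_LIMIT is best paired with fixing the iptables rule that produced the noise in the first place.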

IMPORT_OLD_SCANS

If set to "Y" instructs psad to import any old scan data in /var/log/psad from a previously running psad process. This allows scan data to persist across restarts of psad or even a system reboot. The default value for IMPORT_OLD_SCANS is "N".
The information psad collects about port scans and other suspicious activity is written under /var/log/psad. Every IP address that reaches danger level 1 gets a subdirectory of /var/log/psad named after it, holding files such as the most recent email alert, whois output, matched signatures, danger level and packet counts. On startup psad normally deletes any existing IP subdirectories under /var/log/psad, but setting IMPORT_OLD_SCANS to Y imports all of the data from the old directories. This lets psad, or the whole system, be restarted without losing the scan data from the previous psad instance.
IMPORT_OLD_SCANS                    Y;

ENABLE_DSHIELD_ALERTS

If set to "Y" will allow psad to send scan data to the DShield distributed IDS. Security data is usually considered sensitive by system administrators so ENABLE_DSHIELD_ALERTS is set to "N" by default, but DShield genuinely provides a useful service to people who are concerned about network security and so enabling this feature is helpful to the community. See dshield.org for more information.
Setting this variable to Y makes psad send scan data to the DShield distributed intrusion detection system. Because scan data can be sensitive, be aware that once it has been sent to DShield it is outside your control and goes into a relatively open database. But DShield gives people a deeper understanding of attacks, such as which services are attacked most often and which IP addresses are currently attacking the most systems (prime candidates for very strict firewall rules), so I strongly recommend enabling this feature in psad unless a strict requirement (for example your site's security policy) explicitly forbids sending scan data to DShield. The more systems that enable it, the safer the Internet becomes.
ENABLE_DSHIELD_ALERTS               Y;

DSHIELD_ALERT_EMAIL

Defines the email address to which DShield alerts will be sent if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword). The default value is "reports@dshield.org" and should only be changed if the DShield reporting address changes.
DSHIELD_ALERT_EMAIL                 reports@dshield.org;

DSHIELD_ALERT_INTERVAL

Defines the number of hours between successive DShield email alerts that are generated by psad. The default value is 6 hours, but should not be set to anything less than 1 hour or greater than 24 hours. This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_ALERT_INTERVAL              6;

DSHIELD_USER_ID

Is used to define a DShield user id (requires free registration at dshield.org). The default is "0" which allows psad to send scan information to the DShield distributed IDS anonymously (that is in the sense that the scan data will not be associated with any particular DShield user id). This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_USER_ID                     6;

DSHIELD_USER_EMAIL

Defines the source email address that will be used to send scan data to the DShield distributed IDS. The default is "NONE" which allows psad to send scan information to DShield from the same source email address that is used by psad to send normal scan alerts. This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_USER_EMAIL                  you@somedomain.com;

DSHIELD_DL_THRESHOLD

Defines a threshold danger level before scan data will be included in email alerts to DShield. The default is "0" since this will allow DShield to apply its own logic to determine what constitutes a scan (i.e. _all_ iptables log messages will be included in DShield email alerts with DSHIELD_DL_THRESHOLD set to "0"). This keyword is only referenced if DShield alerting is enabled (see the ENABLE_DSHIELD_ALERTS keyword).
DSHIELD_DL_THRESHOLD                2;

ENABLE_AUTO_IDS

If set to "Y" instructs psad to automatically block IP addresses from which scans or other suspect traffic originate. The default is "N" since enabling this feature may cause network connectivity problems if the underlying iptables policy is not tuned correctly (for example if it is logging legitimate DNS response traffic), or if an attacker discovers that the auto-blocking feature is enabled and then proceeds to spoof scans from your favorite websites or your upstream router. Psad supports "whitelisting" IP addresses via the file /etc/psad/auto_dl so that psad will never add block rules for IP addresses listed in this file that have an auto-danger level set to "0". Incidentally the /etc/psad/auto_dl file can also be used to automatically elevate the danger level associated with a scan that originates from a specific IP address and/or IP contained within a matching network.
Setting this variable to Y turns psad from a passively monitoring daemon into a program that actively responds to attacks: psad dynamically reconfigures the local iptables policy to stop the offending IP address from interacting with the local system (via the INPUT and OUTPUT chains) and with every other system the local system protects (via the FORWARD chain). Chapter 8 discusses the implications of this feature and how to use it effectively, together with the other variables related to automatic response.
ENABLE_AUTO_IDS                     Y;

AUTO_IDS_DANGER_LEVEL

Sets a threshold on the minimum danger level a scan must reach before psad will automatically block the offending IP address (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default is "5" which is the highest danger level assigned by psad to any scan.
AUTO_IDS_DANGER_LEVEL               5;

AUTO_BLOCK_TIMEOUT

Defines the length of time that an auto-generated block rule will remain in effect (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default is "3600" seconds (one hour).
AUTO_BLOCK_TIMEOUT                  3600;

IPTABLES_BLOCK_METHOD

Instructs psad to block IP addresses with iptables (if ENABLE_AUTO_IDS is set to "Y"). Blocking via iptables is more effective and more secure than blocking via tcpwrappers since packets are intercepted in the kernel before having an opportunity to talk to any user-land daemon, and hence this is the preferred method of constructing auto-blocking rules. The default value for IPTABLES_BLOCK_METHOD is "Y".
IPTABLES_BLOCK_METHOD               Y;

IPTABLES_AUTO_RULENUM

Defines the specific rule number that psad will use to add auto-generated iptables blocking rules in the INPUT, OUTPUT, and FORWARD chains (ENABLE_AUTO_IDS must be set to "Y" for this keyword to be used). The default value is "1".
IPTABLES_AUTO_RULENUM               1;

TCPWRAPPERS_BLOCK_METHOD

Instructs psad to block IP addresses with tcpwrappers (if ENABLE_AUTO_IDS is set to "Y"). Blocking via tcpwrappers is less effective than using iptables directly (see the IPTABLES_BLOCK_METHOD keyword above), so the default value for TCPWRAPPERS_BLOCK_METHOD is "N".
TCPWRAPPERS_BLOCK_METHOD            N;
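Added example, not psad's implementation: Python that models the auto-blocking decision for ENABLE_AUTO_IDS, AUTO_IDS_DANGER_LEVEL, AUTO_BLOCK_TIMEOUT and IPTABLES_AUTO_RULENUM together with the /etc/psad/auto_dl whitelist mentioned under ENABLE_AUTO_IDS. The auto_dl entries are constructed and their "<ip or network>  <level>;" layout is an assumption of this example; the iptables commands it produces illustrate the INPUT/OUTPUT/FORWARD behaviour described above rather than the rules psad itself builds. The whitelist is the part worth getting right: the spoofing scenario in the ENABLE_AUTO_IDS text only fails safe if the LAN and upstream gateway carry an auto danger level of 0.

```python
import ipaddress

# Constructed entries in the style of /etc/psad/auto_dl (layout assumed here).
# A danger level of 0 means "never auto-block" and works as the whitelist.
AUTO_DL_SAMPLE = """\
# loopback and the local LAN (which contains the upstream gateway) must never be blocked
127.0.0.1          0;
192.168.10.0/24    0;
# a network we always treat as hostile
203.0.113.0/24     5;
"""


def parse_auto_dl(text):
    """Return [(network, level)] from auto_dl-style text, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip().rstrip(';').strip()
        if not line:
            continue
        net, level = line.split()
        entries.append((ipaddress.ip_network(net, strict=False), int(level)))
    return entries


def auto_danger_level(src, entries):
    """Level from the first matching auto_dl entry, or None when nothing matches."""
    addr = ipaddress.ip_address(src)
    for net, level in entries:
        if addr in net:
            return level
    return None


class AutoBlocker:
    def __init__(self, enabled=False, threshold=5, timeout=3600, rulenum=1, auto_dl=()):
        self.enabled = enabled          # ENABLE_AUTO_IDS
        self.threshold = threshold      # AUTO_IDS_DANGER_LEVEL
        self.timeout = timeout          # AUTO_BLOCK_TIMEOUT (seconds)
        self.rulenum = rulenum          # IPTABLES_AUTO_RULENUM
        self.auto_dl = list(auto_dl)
        self.blocks = {}                # src -> timestamp at which the block expires

    def rules(self, src, op):
        """Illustrative commands: src blocked in INPUT/FORWARD, and as destination in OUTPUT."""
        pos = ' %d' % self.rulenum if op == '-I' else ''
        return ['iptables %s INPUT%s -s %s -j DROP' % (op, pos, src),
                'iptables %s OUTPUT%s -d %s -j DROP' % (op, pos, src),
                'iptables %s FORWARD%s -s %s -j DROP' % (op, pos, src)]

    def consider(self, src, dl, now):
        """Commands to run for src seen at danger level dl at time now (empty if none)."""
        if not self.enabled or src in self.blocks:
            return []
        auto = auto_danger_level(src, self.auto_dl)
        if auto == 0:
            return []                   # whitelisted: never blocked, whatever dl says
        if auto is not None:
            dl = max(dl, auto)          # auto_dl can only raise the level
        if dl < self.threshold:
            return []
        self.blocks[src] = now + self.timeout
        return self.rules(src, '-I')

    def expire(self, now):
        """Commands removing every block whose AUTO_BLOCK_TIMEOUT has elapsed."""
        cmds = []
        for src, until in list(self.blocks.items()):
            if now >= until:
                cmds += self.rules(src, '-D')
                del self.blocks[src]
        return cmds


if __name__ == '__main__':
    blocker = AutoBlocker(enabled=True, auto_dl=parse_auto_dl(AUTO_DL_SAMPLE))
    print(blocker.consider('192.168.10.1', 5, 0))   # gateway: [] even at DL5
    print(blocker.consider('198.51.100.9', 5, 0))   # three insert commands
    print(blocker.expire(3600))                      # three delete commands
```

Nothing here touches iptables; the returned command lists are what a wrapper would execute, and the same whitelist check must run before every insert or a spoofed scan from the gateway address cuts the host off the network.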

WHOIS_TIMEOUT

Defines the timeout that psad will use when issuing whois lookups against scanning IP addresses. The default is 60 seconds. Note that whois lookups can be disabled altogether via the --no-whois command line argument.
WHOIS_TIMEOUT                       60;

WHOIS_LOOKUP_THRESHOLD

Defines the number of times a scanning IP address can be seen before an additional whois lookup will be issued. The motivation for this keyword comes from the fact that IP to whois information mappings will not change very often. The default value for WHOIS_LOOKUP_THRESHOLD is 20. Note that whois lookups can be disabled altogether via the --no-whois command line argument.
WHOIS_LOOKUP_THRESHOLD              20;

DNS_LOOKUP_THRESHOLD

Defines the number of times a scanning IP address can be seen before an additional reverse DNS lookup will be issued. The motivation for this keyword comes from the fact that IP to host DNS mappings will not change very often. The default value for DNS_LOOKUP_THRESHOLD is 20. Note that reverse DNS lookups can be disabled altogether via the --no-rdns command line argument.
DNS_LOOKUP_THRESHOLD                20;

ENABLE_EXT_SCRIPT_EXEC

Instructs psad to execute an external script when a scan is detected. This feature is disabled by default; use at your own risk!
ENABLE_EXT_SCRIPT_EXEC              N;

EXTERNAL_SCRIPT

Provides a path to an external script or program that psad should execute upon detecting a scan from an IP address. Note that the scan source IP can be specified on the command line to the external program through the use of the "SRCIP" string (along with some appropriate switch for the program). Of course this is only useful if the external program knows what to do with this information. This keyword is only used if ENABLE_EXT_SCRIPT_EXEC is set to "Y", and the default value is "/bin/true".
EXTERNAL_SCRIPT                     /path/to/script --ip SRCIP -v;

IGNORE_LOG_PREFIXES

An iptables policy can be quite complex and include many different logging rules, each with its own log prefix. To have psad ignore a particular log prefix (for example DROP:INPUT:eth1), set IGNORE_LOG_PREFIXES like this:

IGNORE_LOG_PREFIXES                 DROP:INPUT:eth1;

IGNORE_PROTOCOLS

The IGNORE_PROTOCOLS variable tells psad to ignore an entire protocol. It is usually better to adjust the iptables policy so that the protocol you want ignored is no longer logged, but to have psad ignore all ICMP packets, set IGNORE_PROTOCOLS like this:

IGNORE_PROTOCOLS                    icmp;
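Added example, not from this page or from psad: the four message filters described on this page, IGNORE_PORTS, FW_MSG_SEARCH, IGNORE_LOG_PREFIXES and IGNORE_PROTOCOLS, applied in Python to constructed iptables log lines. The order of the checks, substring matching of log prefixes, and treating an empty FW_MSG_SEARCH as "no restriction" are assumptions of this example; the IGNORE_PORTS value is the one shown earlier on the page.

```python
import re

KV_RE = re.compile(r'(\w+)=(\S*)')
# The log prefix is whatever sits between "kernel:" and the first "IN=" field.
PREFIX_RE = re.compile(r'kernel:\s*(.*?)\s*IN=')


def mk_line(prefix, src, proto, dpt=None):
    """Constructed iptables LOG line; ICMP lines carry no DPT field."""
    tail = ' DPT=%d' % dpt if dpt is not None else ''
    return ('Jan 10 12:00:00 fw kernel: %s IN=eth1 OUT= SRC=%s DST=192.168.10.4 '
            'PROTO=%s%s' % (prefix, src, proto, tail))


def parse_ignore_ports(value):
    """'tcp/61000-61356, udp/53, udp/5000' -> [('tcp', 61000, 61356), ('udp', 53, 53), ...]"""
    rules = []
    for item in value.split(','):
        item = item.strip().lower()
        if not item or item == 'none':
            continue
        proto, ports = item.split('/', 1)
        lo, _, hi = ports.partition('-')
        rules.append((proto, int(lo), int(hi or lo)))
    return rules


def classify(line, fw_msg_search='DROP', ignore_log_prefixes=(),
             ignore_protocols=(), ignore_ports='NONE'):
    """Return 'analyze' or 'ignore:<variable>' for one iptables log line.

    Check order assumed here: FW_MSG_SEARCH first (psad only reads lines that
    carry that string), then IGNORE_LOG_PREFIXES, IGNORE_PROTOCOLS, IGNORE_PORTS.
    """
    if fw_msg_search and fw_msg_search not in line:
        return 'ignore:FW_MSG_SEARCH'
    m = PREFIX_RE.search(line)
    prefix = m.group(1) if m else ''
    if any(p in prefix for p in ignore_log_prefixes):
        return 'ignore:IGNORE_LOG_PREFIXES'
    fields = dict(KV_RE.findall(line))
    proto = fields.get('PROTO', '').lower()
    if proto in [p.lower() for p in ignore_protocols]:
        return 'ignore:IGNORE_PROTOCOLS'
    if fields.get('DPT', '').isdigit():
        dpt = int(fields['DPT'])
        for rproto, lo, hi in parse_ignore_ports(ignore_ports):
            if rproto == proto and lo <= dpt <= hi:
                return 'ignore:IGNORE_PORTS'
    return 'analyze'


# Filter settings matching the examples on this page.
FILTERS = dict(fw_msg_search='DROP',
               ignore_log_prefixes=('DROP:INPUT:eth1',),
               ignore_protocols=('icmp',),
               ignore_ports='tcp/61000-61356, udp/53, udp/5000')

if __name__ == '__main__':
    for line in (mk_line('DROP', '10.0.0.5', 'TCP', 22),
                 mk_line('ACCEPT', '10.0.0.5', 'TCP', 22),
                 mk_line('DROP:INPUT:eth1', '10.0.0.5', 'TCP', 22),
                 mk_line('DROP', '10.0.0.5', 'ICMP'),
                 mk_line('DROP', '10.0.0.5', 'UDP', 53),
                 mk_line('DROP', '10.0.0.5', 'TCP', 61200)):
        print(classify(line, **FILTERS), '<-', line.split('kernel: ', 1)[1][:40])
```

Note the interaction the example makes visible: a line prefixed DROP:INPUT:eth1 does contain the FW_MSG_SEARCH string DROP and so passes the first check, and it is the IGNORE_LOG_PREFIXES filter that discards it.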

MIN_DANGER_LEVEL

The MIN_DANGER_LEVEL threshold is a global threshold for all of the alerting and tracking psad performs. If it is set to 2, psad will not even write an IP address into its /var/log/psad/<ip> directory until that address reaches danger level 2. The value of MIN_DANGER_LEVEL should therefore always be less than or equal to the value of the EMAIL_ALERT_DANGER_LEVEL variable described above. The default value of MIN_DANGER_LEVEL is 1.

EXEC_EXT_SCRIPT_PER_ALERT

If set to "Y" instructs psad to execute the external script or program every time an email alert is generated for a particular IP address (see the EXTERNAL_SCRIPT keyword above). This keyword is only used if ENABLE_EXT_SCRIPT_EXEC is set to "Y", and the default value is "N" (which has psad run the external script only once for each scanning IP address).
EXEC_EXT_SCRIPT_PER_ALERT           N;


Tags: psad.conf configuration

Author: 良玉  Category: psad