良玉's Blog: drop by drop, water gathers into a river (the road of a browser-game and mobile-game Linux ops engineer)

Using psad and analysing its data

I attacked myself with LOIC for a bit, and then there was data in fwdata:
[root@localhost psad]# ll
total 1788
-rw------- 1 root root     579 Jul 31 16:27 analysis.out
-rw------- 1 root root       0 Jul 31 16:27 dshield_ctr
drwx------ 2 root root    4096 Jul 30 11:45 errs
-rw------- 1 root root     262 Jul 31 16:27 fw_check
-rw------- 1 root root 1769081 Jul 31 16:38 fwdata
So how does psad analyse it? It is simple:
[root@localhost psad]# psad -A fwdata
[+] Removing old /var/log/psad/ipt_analysis directory.
[+] Entering analysis mode.  Parsing /var/log/messages
[+] Found 27318 iptables log messages out of 55480 total lines.
    This may take a while...
[+] Processed 2001 packets...
[+] Processed 4002 packets...
[+] Processed 6003 packets...
[+] Processed 8004 packets...
[+] Processed 10005 packets...
[+] Processed 12006 packets...
[+] Processed 14007 packets...
[+] Processed 16008 packets...
[+] Processed 18009 packets...
[+] Processed 20010 packets...
[+] Processed 22011 packets...
[+] Processed 24012 packets...
[+] Processed 26013 packets...
[+] Assigning scan danger levels...
    Level 1: 4 IP addresses
    Level 2: 4 IP addresses
    Level 3: 3 IP addresses
    Level 4: 0 IP addresses
    Level 5: 0 IP addresses

    Tracking 11 total IP addresses
[+] Version: psad v2.2.3

[+] Top 50 signature matches:
        [NONE]

[+] Top 25 attackers:
      192.168.10.109  DL: 3, Packets: 962, Sig count: 0
      192.168.10.23   DL: 3, Packets: 179, Sig count: 0
      192.168.10.94   DL: 3, Packets: 172, Sig count: 0
      192.168.10.21   DL: 2, Packets: 67, Sig count: 0
      192.168.10.251  DL: 2, Packets: 47, Sig count: 0
      192.168.10.6    DL: 2, Packets: 16, Sig count: 0
      192.168.10.98   DL: 2, Packets: 46, Sig count: 0
      192.168.10.104  DL: 1, Packets: 10, Sig count: 0
      192.168.10.176  DL: 1, Packets: 6, Sig count: 0
      192.168.10.5    DL: 1, Packets: 77, Sig count: 0
      192.168.10.82   DL: 1, Packets: 10, Sig count: 0

[+] Top 20 scanned ports:
      tcp 80    22005 packets

      udp 137   1866 packets
      udp 80    1713 packets
      udp 7423  270 packets
      udp 748   240 packets
      udp 138   97 packets
      udp 67    69 packets
      udp 161   49 packets
      udp 68    1 packets

[+] iptables log prefix counters:
      "iptables icmp warn": 27318

    Total protocol packet counters:
         tcp: 22005 pkts
         udp: 4305 pkts

[+] IP Status Detail:

SRC:  192.168.10.109, DL: 3, Dsts: 1, Pkts: 962, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 962, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.23, DL: 3, Dsts: 2, Pkts: 179, Total protocols: 2, Unique sigs: 0, Local IP

    DST: 255.255.255.255
        Scanned ports: UDP 67, Pkts: 13, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0
    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 166, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.94, DL: 3, Dsts: 2, Pkts: 172, Total protocols: 2, Unique sigs: 0, Local IP

    DST: 255.255.255.255
        Scanned ports: UDP 67, Pkts: 10, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0
    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 162, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.21, DL: 2, Dsts: 1, Pkts: 67, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 67, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.251, DL: 2, Dsts: 1, Pkts: 47, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 47, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.6, DL: 2, Dsts: 1, Pkts: 16, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 16, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.98, DL: 2, Dsts: 1, Pkts: 46, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 46, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.104, DL: 1, Dsts: 1, Pkts: 10, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 10, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.176, DL: 1, Dsts: 1, Pkts: 6, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 6, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.5, DL: 1, Dsts: 2, Pkts: 77, Total protocols: 2, Unique sigs: 0, Local IP

    DST: 255.255.255.255
        Scanned ports: UDP 748, Pkts: 72, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0
    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 5, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

SRC:  192.168.10.82, DL: 1, Dsts: 1, Pkts: 10, Total protocols: 1, Unique sigs: 0, Local IP

    DST: 192.168.10.255, Local IP
        Scanned ports: UDP 137-138, Pkts: 10, Chain: INPUT, Intf: eth0
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eth0

    Total scan sources: 11
    Total scan destinations: 2

[+] These results are available in: /var/log/psad/analysis.out

[+] Finished --Analyze cycle.
This runs the analysis and records the results in the analysis.out file (its contents are the same as the analysis output printed above):
[root@localhost psad]# cat analysis.out
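To make visible what psad -A derives from the raw iptables log lines, here is an added Python example (not from the original post and not psad's own code) that parses constructed kernel LOG lines and builds the same counters: log-prefix, protocol, scanned-port and per-source packet counts, plus a danger level from the packet-count thresholds that psad.conf ships as DANGER_LEVEL1..5. The sample lines, addresses and the attacker ordering are constructed assumptions for this example.

```python
import re
from collections import Counter
# Packet-count thresholds psad.conf ships as DANGER_LEVEL1 .. DANGER_LEVEL5.
DANGER_LEVELS = ((5, 1), (15, 2), (150, 3), (1500, 4), (10000, 5))
# Fields of a kernel LOG line; the text between "kernel:" and "IN=" is the rule's --log-prefix.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?) ?IN=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
                     r" .*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def parse_line(line):
    """Fields psad needs from one iptables LOG line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["proto"] = f["proto"].lower()
    f["dpt"] = int(f["dpt"]) if f["dpt"] else None  # ICMP lines carry no ports
    return f

def danger_level(pkts):
    """Packet-count rule only; psad also raises levels for signature matches and auto-assigned IPs."""
    return max((lvl for thr, lvl in DANGER_LEVELS if pkts >= thr), default=0)

def analyze(log_text):
    """Aggregate what psad -A prints: log prefixes, protocols, scanned ports and attackers."""
    prefixes, protos, ports, per_src = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        prefixes[f["prefix"]] += 1
        protos[f["proto"]] += 1
        per_src[f["src"]] += 1
        if f["dpt"] is not None:
            ports[(f["proto"], f["dpt"])] += 1
    # Like psad's "Top attackers": only sources that reached danger level 1, highest level first.
    attackers = sorted(((s, danger_level(n), n) for s, n in per_src.items() if danger_level(n)),
                       key=lambda t: (-t[1], -t[2]))
    return {"prefixes": prefixes, "protos": protos, "ports": ports, "attackers": attackers}

def log_line(src, dst, proto, dpt, spt=40000):
    """One constructed syslog line in the kernel LOG target's format (sample data, not a capture)."""
    return (f"Jul 31 16:30:01 localhost kernel: iptables icmp warn IN=eth0 OUT= SRC={src} "
            f"DST={dst} LEN=60 TTL=64 PROTO={proto} SPT={spt} DPT={dpt}")

# Constructed sample: a TCP/80 flood, NetBIOS broadcasts, DHCP discovers and one non-LOG line.
SAMPLE_LOG = "\n".join(
    [log_line("192.168.10.50", "192.168.10.8", "TCP", 80, 45000 + i) for i in range(20)]
    + [log_line("192.168.10.109", "192.168.10.255", "UDP", 137 + i % 2) for i in range(6)]
    + [log_line("192.168.10.23", "255.255.255.255", "UDP", 67, 68) for _ in range(3)]
    + ["Jul 31 16:30:04 localhost kernel: eth0: link is up"])
```

The run above shows why the packet-count rule alone is not enough to read such a report: every source listed under "Top attackers" is NetBIOS or DHCP broadcast traffic to 192.168.10.255 or 255.255.255.255, while the 22005 TCP/80 packets appear only under scanned ports.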
You can also view the current status:
[root@localhost psad]# psad -S
[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on localhost
[+] kmsgsd (pid: 52874)  %CPU: 0.0  %MEM: 0.0
    Running since: Thu Jul 31 16:27:01 2014

[+] psad (pid: 52640)  %CPU: 0.2  %MEM: 3.7
    Running since: Thu Jul 31 16:16:46 2014
    Command line arguments: [none specified]
    Alert email address(es): root@localhost

[+] Version: psad v2.2.3

[+] Top 50 signature matches:
        [NONE]

[+] Top 25 attackers:
        [NONE]

[+] Top 20 scanned ports:
      tcp 80    19535 packets

      udp 137   234 packets
      udp 7423  31 packets
      udp 748   24 packets
      udp 138   8 packets
      udp 161   6 packets
      udp 67    5 packets

[+] iptables log prefix counters:
      "iptables icmp warn": 19843

    Total protocol packet counters:
         tcp: 19535 pkts
         udp: 308 pkts

[+] IP Status Detail:
        [NONE]

    Total scan sources: 0
    Total scan destinations: 0

[+] These results are available in: /var/log/psad/status.out


Tags: psad, fwdata, ipt_analysis, analysis

Author: 良玉, category: psad