After I updated from 2.4.3 to 2.4.4, when I run psad status it no longer shows the top sigs. Here is the output, the config dump and the status output. It still writes the data to /var/log/psad/top_sigs though.
cat /var/log/psad/top_sigs
#
Format: ""
#
402 "ICMP Destination Unreachable Port Unreachable" 46 46 icmp
100074 "SCAN UPnP communication attempt" 13 13 udp
384 "ICMP PING" 11 9 icmp
100077 "MISC MS Terminal Server communication attempt" 11 9 tcp
100205 "MISC Microsoft SQL Server communication attempt" 6 5 tcp
381 "ICMP PING Sun Solaris" 5 4 icmp
2375 "BACKDOOR DoomJuice file upload attempt" 4 4 tcp
100084 "MISC HP Web JetAdmin communication attempt" 2 2 tcp
100202 "MISC VNC communication attempt" 2 2 tcp
399 "ICMP Destination Unreachable Host Unreachable" 2 2 icmp
100082 "MISC Microsoft PPTP communication attempt" 1 1 tcp
401 "ICMP Destination Unreachable Network Unreachable" 1 1 icmp
510 "POLICY HP JetDirect LCD communication attempt" 1 1 tcp
100210 "PSAD-CUSTOM fwknop Single Packet Authorization (SPA) packet" 1 1 udp
1846 "POLICY vncviewer Java applet communication attempt" 1 1 tcp
[-] psad: pid file /var/run/psad/psad_fw_read.pid does not exist for psad_fw_read on xx.xxx.local
[+] psad (pid: 11550) %CPU: 0.0 %MEM: 1.9
Running since: Tue Feb 21 21:52:44 2017
Command line arguments: [none specified]
Alert email address(es): admin@localhost
[+] Version: psad v2.4.4
[+] Top 50 signature matches:
[NONE]
[+] Top 25 attackers:
101.25.169.106 DL: 2, Packets: 1, Sig count: 1
106.84.91.186 DL: 2, Packets: 1, Sig count: 1
107.179.45.126 DL: 2, Packets: 1, Sig count: 1
108.20.244.36 DL: 2, Packets: 1, Sig count: 1
108.61.184.64 DL: 2, Packets: 1, Sig count: 1
110.181.63.103 DL: 2, Packets: 1, Sig count: 1
110.80.143.150 DL: 2, Packets: 1, Sig count: 1
112.218.1.123 DL: 2, Packets: 1, Sig count: 1
113.231.246.21 DL: 2, Packets: 1, Sig count: 1
114.80.253.90 DL: 2, Packets: 1, Sig count: 1
116.93.254.92 DL: 2, Packets: 1, Sig count: 1
121.183.108.61 DL: 2, Packets: 1, Sig count: 1
123.108.190.212 DL: 2, Packets: 1, Sig count: 1
123.11.38.125 DL: 2, Packets: 1, Sig count: 1
123.151.149.222 DL: 2, Packets: 10, Sig count: 2
124.153.144.199 DL: 2, Packets: 1, Sig count: 1
129.78.96.1 DL: 2, Packets: 2, Sig count: 2
129.82.138.44 DL: 2, Packets: 1, Sig count: 2
139.164.144.97 DL: 2, Packets: 1, Sig count: 1
14.152.95.219 DL: 2, Packets: 1, Sig count: 1
149.11.37.70 DL: 2, Packets: 1, Sig count: 1
171.8.205.208 DL: 2, Packets: 1, Sig count: 1
175.114.33.130 DL: 2, Packets: 1, Sig count: 1
175.205.5.44 DL: 2, Packets: 1, Sig count: 1
[+] Top 20 scanned ports:
tcp 23 396 packets
tcp 5358 78 packets
tcp 7547 44 packets
tcp 80 34 packets
tcp 22 31 packets
tcp 2323 21 packets
tcp 443 16 packets
tcp 35356 15 packets
tcp 3389 13 packets
tcp 3306 7 packets
tcp 8080 7 packets
tcp 1433 6 packets
tcp 10137 6 packets
tcp 8009 4 packets
tcp 3128 4 packets
tcp 2222 4 packets
tcp 21 3 packets
tcp 26197 3 packets
tcp 10706 3 packets
tcp 27017 3 packets
[+] iptables log prefix counters:
"DROP PKT": 55740
"INVALID PKT": 1306
[+] psad v2.4.4
[+] /var/log/psad/install.log exists.
[+] Dumping psad config from: /etc/psad/psad.conf
[+] Command paths:
[+] df /bin/df
[+] fwcheck_psad /usr/sbin/fwcheck_psad
[+] gzip /bin/gzip
[+] ifconfig /sbin/ifconfig
[+] ip /sbin/ip
[+] ip6tables /sbin/ip6tables
[+] iptables /sbin/iptables
[+] killall /usr/bin/killall
[+] kmsgsd /usr/sbin/kmsgsd
[+] mail /bin/mail
[+] mknod /bin/mknod
[+] netstat /bin/netstat
[+] ps /bin/ps
[+] psad /usr/sbin/psad
[+] psadwatchd /usr/sbin/psadwatchd
[+] sendmail /usr/sbin/sendmail
[+] sh /bin/sh
[+] uname /bin/uname
[+] wget /usr/bin/wget
[+] whois /usr/bin/whois_psad
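A small parser for the top_sigs file posted above, added here as an example and not psad's own code, that rebuilds the per-signature ranking which the 2.4.4 status output prints as [NONE]. Because the Format line in the posted file is blank, the column meaning is an assumption taken from the sample data: sid, quoted message, first count (treated as packet matches), second count (treated as distinct sources), protocol. The sample text is constructed from lines of the posted file plus one deliberately malformed line, and the output layout of format_status_section is this example's own, not psad's exact formatting.

```python
"""Parse a psad top_sigs file and rebuild a "Top N signature matches" listing.

Example code, not part of psad.  Column meanings are an assumption (the
Format header in the posted file is empty):  <sid> "<msg>" <packets> <sources> <proto>
"""
import re
from dataclasses import dataclass

# Constructed sample: header plus a few lines copied from the posted file,
# and one malformed line to show that bad input is skipped rather than crashing.
SAMPLE_TOP_SIGS = '''#
Format: ""
#
402 "ICMP Destination Unreachable Port Unreachable" 46 46 icmp
100074 "SCAN UPnP communication attempt" 13 13 udp
384 "ICMP PING" 11 9 icmp
100077 "MISC MS Terminal Server communication attempt" 11 9 tcp
this line is malformed and must be skipped
100210 "PSAD-CUSTOM fwknop Single Packet Authorization (SPA) packet" 1 1 udp
'''

# sid, quoted message (may contain spaces and parentheses), two integers, protocol
LINE_RE = re.compile(r'^(\d+)\s+"([^"]*)"\s+(\d+)\s+(\d+)\s+(\S+)\s*$')


@dataclass(frozen=True)
class SigEntry:
    sid: int
    msg: str
    packets: int   # assumed meaning of the first count column
    sources: int   # assumed meaning of the second count column
    proto: str


def parse_top_sigs(text):
    """Return a list of SigEntry for every well-formed data line in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # header lines: bare "#" comments and the (possibly empty) Format line
        if not line or line.startswith('#') or line.startswith('Format:'):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue   # anything that does not fit the five-column layout is ignored
        sid, msg, packets, sources, proto = m.groups()
        entries.append(SigEntry(int(sid), msg, int(packets), int(sources), proto))
    return entries


def top_signatures(entries, limit=50):
    """Rank by first count descending (the order the posted file is in),
    then by second count, then by sid so ties come out in a stable order."""
    ranked = sorted(entries, key=lambda e: (-e.packets, -e.sources, e.sid))
    return ranked[:limit]


def format_status_section(entries, limit=50):
    """Render a status-style block; layout is this example's own."""
    top = top_signatures(entries, limit)
    lines = [f"[+] Top {limit} signature matches:"]
    if not top:
        lines.append("        [NONE]")
        return "\n".join(lines)
    for e in top:
        lines.append(f'        "{e.msg}" (sid: {e.sid}) {e.proto}: '
                     f'{e.packets} packets, {e.sources} sources')
    return "\n".join(lines)


if __name__ == "__main__":
    # Read the real file on a psad host with: open('/var/log/psad/top_sigs').read()
    print(format_status_section(parse_top_sigs(SAMPLE_TOP_SIGS), limit=3))
```

Run it against the real file by replacing SAMPLE_TOP_SIGS with the contents of /var/log/psad/top_sigs; comparing its output with what psad --Status prints is a quick way to confirm whether the data file or only the status display is affected.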