mrash / psad

psad: Intrusion Detection and Log Analysis with iptables
http://www.cipherdyne.org/psad/
GNU General Public License v2.0

Psad -S command doesn't show top 50 signatures #41

Closed joshlinx closed 7 years ago

joshlinx commented 7 years ago

After I updated to 2.4.4 from 2.4.3, when I run psad status it is not showing top sigs anymore. Here is the output, the config dump and the status output. It writes output to /var/log/psad/top_sigs though.

cat /var/log/psad/top_sigs
#
Format: ""
#
402 "ICMP Destination Unreachable Port Unreachable" 46 46 icmp
100074 "SCAN UPnP communication attempt" 13 13 udp
384 "ICMP PING" 11 9 icmp
100077 "MISC MS Terminal Server communication attempt" 11 9 tcp
100205 "MISC Microsoft SQL Server communication attempt" 6 5 tcp
381 "ICMP PING Sun Solaris" 5 4 icmp
2375 "BACKDOOR DoomJuice file upload attempt" 4 4 tcp
100084 "MISC HP Web JetAdmin communication attempt" 2 2 tcp
100202 "MISC VNC communication attempt" 2 2 tcp
399 "ICMP Destination Unreachable Host Unreachable" 2 2 icmp
100082 "MISC Microsoft PPTP communication attempt" 1 1 tcp
401 "ICMP Destination Unreachable Network Unreachable" 1 1 icmp
510 "POLICY HP JetDirect LCD communication attempt" 1 1 tcp
100210 "PSAD-CUSTOM fwknop Single Packet Authorization (SPA) packet" 1 1 udp
1846 "POLICY vncviewer Java applet communication attempt" 1 1 tcp

[-] psad: pid file /var/run/psad/psad_fw_read.pid does not exist for psad_fw_read on xx.xxx.local
[+] psad (pid: 11550)  %CPU: 0.0  %MEM: 1.9
    Running since: Tue Feb 21 21:52:44 2017
    Command line arguments: [none specified]
    Alert email address(es): admin@localhost

[+] Version: psad v2.4.4

[+] Top 50 signature matches: [NONE]

[+] Top 25 attackers:

[+] Top 20 scanned ports:
  tcp 23    396 packets
  tcp 5358  78 packets
  tcp 7547  44 packets
  tcp 80    34 packets
  tcp 22    31 packets
  tcp 2323  21 packets
  tcp 443   16 packets
  tcp 35356 15 packets
  tcp 3389  13 packets
  tcp 3306  7 packets
  tcp 8080  7 packets
  tcp 1433  6 packets
  tcp 10137 6 packets
  tcp 8009  4 packets
  tcp 3128  4 packets
  tcp 2222  4 packets
  tcp 21    3 packets
  tcp 26197 3 packets
  tcp 10706 3 packets
  tcp 27017 3 packets

  udp 56699 119 packets
  udp 51098 108 packets
  udp 51097 59 packets
  udp 56698 44 packets
  udp 5060  35 packets
  udp 60329 32 packets
  udp 50674 19 packets
  udp 1900  13 packets
  udp 16403 12 packets
  udp 443   5 packets
  udp 80    5 packets
  udp 35356 5 packets
  udp 123   4 packets
  udp 161   3 packets
  udp 53    3 packets
  udp 58337 2 packets
  udp 54504 2 packets
  udp 60545 2 packets
  udp 5071  1 packets
  udp 53413 1 packets

[+] iptables log prefix counters:
  "DROP PKT": 55740
  "INVALID PKT": 1306

[+] psad v2.4.4

[+] /var/log/psad/install.log exists.

[+] Dumping psad config from: /etc/psad/psad.conf

AIM_SERVERS                (removed)
ALERTING_METHODS           noemail
ALERT_ALL                  Y
ANALYSIS_MODE_DIR          /var/log/psad/ipt_analysis
ANALYSIS_OUTPUT_FILE       /var/log/psad/analysis.out
AUTO_BLOCK_DL1_TIMEOUT     3600
AUTO_BLOCK_DL2_TIMEOUT     3600
AUTO_BLOCK_DL3_TIMEOUT     3600
AUTO_BLOCK_DL4_TIMEOUT     3600
AUTO_BLOCK_DL5_TIMEOUT     0
AUTO_BLOCK_IPT_FILE        /var/log/psad/auto_blocked_iptables
AUTO_BLOCK_REGEX           ESTAB
AUTO_BLOCK_TCPWR_FILE      /var/log/psad/auto_blocked_tcpwr
AUTO_BLOCK_TIMEOUT         3600
AUTO_DETECT_JOURNALCTL     N
AUTO_DL_FILE               /etc/psad/auto_dl
AUTO_IDS_DANGER_LEVEL      5
AUTO_IPT_SOCK              /var/run/psad/auto_ipt.sock
CHECK_INTERVAL             5
CONF_ARCHIVE_DIR           /etc/psad/archive
CUSTOM_SYSLOG_TS_RE        ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:
DANGER_LEVEL1              5
DANGER_LEVEL2              15
DANGER_LEVEL3              150
DANGER_LEVEL4              1500
DANGER_LEVEL5              10000
DISK_CHECK_INTERVAL        300
DISK_MAX_PERCENTAGE        95
DISK_MAX_RM_RETRIES        10
DNS_LOOKUP_THRESHOLD       20
DNS_SERVERS                (removed)
DSHIELD_ALERT_EMAIL        reports@dshield.org
DSHIELD_ALERT_INTERVAL     6
DSHIELD_COUNTER_FILE       /var/log/psad/dshield_ctr
DSHIELD_DL_THRESHOLD       0
DSHIELD_EMAIL_FILE         /var/log/psad/dshield.email
DSHIELD_USER_EMAIL         (removed)
DSHIELD_USER_ID            (removed)
EMAIL_ADDRESSES            (removed)
EMAIL_ALERT_DANGER_LEVEL   1
EMAIL_LIMIT                0
EMAIL_LIMIT_STATUS_MSG     Y
EMAIL_THROTTLE             0
ENABLE_AUTO_IDS            N
ENABLE_AUTO_IDS_EMAILS     Y
ENABLE_AUTO_IDS_REGEX      N
ENABLE_CUSTOM_SYSLOG_TS_RE N
ENABLE_DNS_LOOKUPS         Y
ENABLE_DSHIELD_ALERTS      N
ENABLE_EMAIL_LIMIT_PER_DST N
ENABLE_EXT_BLOCK_SCRIPT_EXEC N
ENABLE_EXT_SCRIPT_EXEC     N
ENABLE_FW_LOGGING_CHECK    Y
ENABLE_FW_MSG_READ_CMD     N
ENABLE_INTF_LOCAL_NETS     Y
ENABLE_IPV6_DETECTION      N
ENABLE_MAC_ADDR_REPORTING  N
ENABLE_PERSISTENCE         Y
ENABLE_PSADWATCHD          N
ENABLE_RENEW_BLOCK_EMAILS  N
ENABLE_SCAN_ARCHIVE        N
ENABLE_SIG_MSG_SYSLOG      Y
ENABLE_SNORT_SIG_STRICT    Y
ENABLE_SYSLOG_FILE         Y
ENABLE_WHOIS_FORCE_ASCII   N
ENABLE_WHOIS_FORCE_SRC_IP  N
ENABLE_WHOIS_LOOKUPS       Y
ETC_HOSTS_DENY_FILE        /etc/hosts.deny
ETC_METALOG_CONF           /etc/metalog/metalog.conf
ETC_RSYSLOG_CONF           /etc/rsyslog.conf
ETC_SYSLOGNG_CONF          /etc/syslog-ng/syslog-ng.conf
ETC_SYSLOG_CONF            /etc/syslog.conf
EXEC_EXT_SCRIPT_PER_ALERT  N
EXPECT_TCP_OPTIONS         Y
EXTERNAL_BLOCK_SCRIPT      /bin/true
EXTERNAL_NET               (removed)
EXTERNAL_SCRIPT            /bin/true
FLUSH_IPT_AT_INIT          Y
FWSNORT_RULES_DIR          /etc/fwsnort/snort_rules
FW_CHECK_FILE              /var/log/psad/fw_check
FW_DATA_FILE               /var/log/psad/fwdata
FW_ERROR_LOG               /var/log/psad/errs/fwerrorlog
FW_MSG_READ_CMD            /bin/journalctl
FW_MSG_READ_CMD_ARGS       -f -k
FW_MSG_READ_MIN_PKTS       30
FW_MSG_SEARCH              PKT
FW_SEARCH_ALL              Y
HOME_NET                   (removed)
HOSTNAME                   (removed)
HTTP_PORTS                 80
HTTP_SERVERS               (removed)
ICMP6_TYPES_FILE           /etc/psad/icmp6_types
ICMP_TYPES_FILE            /etc/psad/icmp_types
IFCFGTYPE                  ifconfig
IGNORE_CONNTRACK_BUG_PKTS  Y
IGNORE_INTERFACES          eth1.100
IGNORE_KERNEL_TIMESTAMP    Y
IGNORE_LOG_PREFIXES        NONE
IGNORE_PORTS               NONE
IGNORE_PROTOCOLS           NONE
IMPORT_OLD_SCANS           N
INSTALL_LOG_FILE           /var/log/psad/install.log
INSTALL_ROOT               /
IPTABLES_BLOCK_METHOD      Y
IPTABLES_PREREQ_CHECK      1
IPT_AUTO_CHAIN1            DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1
IPT_AUTO_CHAIN2            DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1
IPT_AUTO_CHAIN3            DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1
IPT_ERROR_PATTERN          psad_ipterr.XXXXXX
IPT_OUTPUT_PATTERN         psad_iptout.XXXXXX
IPT_PREFIX_COUNTER_FILE    /var/log/psad/ipt_prefix_ctr
IPT_SYSLOG_FILE            /var/log/messages
IPT_WRITE_FWDATA           Y
IP_OPTS_FILE               /etc/psad/ip_options
KMSGSD_PID_FILE            /var/run/psad/kmsgsd.pid
MAIL_ALERT_PREFIX          [psad-alert]
MAIL_ERROR_PREFIX          [psad-error]
MAIL_FATAL_PREFIX          [psad-fatal]
MAIL_STATUS_PREFIX         [psad-status]
MAX_HOPS                   20
MAX_SCAN_IP_PAIRS          0
MIN_ARCHIVE_DANGER_LEVEL   1
MIN_DANGER_LEVEL           1
ORACLE_PORTS               1521
P0F_FILE                   /etc/psad/pf.os
PACKET_COUNTER_FILE        /var/log/psad/packet_ctr
PERSISTENCE_CTR_THRESHOLD  5
PORT_RANGE_SCAN_THRESHOLD  1
POSF_FILE                  /etc/psad/posf
PRINT_SCAN_HASH            /var/log/psad/scan_hash
PROC_FORWARD_FILE          /proc/sys/net/ipv4/ip_forward
PROTOCOLS_FILE             /etc/psad/protocols
PROTOCOL_SCAN_THRESHOLD    5
PSADWATCHD_CHECK_INTERVAL  5
PSADWATCHD_MAX_RETRIES     10
PSADWATCHD_PID_FILE        /var/run/psad/psadwatchd.pid
PSAD_CMDLINE_FILE          /var/run/psad/psad.cmd
PSAD_CONF_DIR              /etc/psad
PSAD_DIR                   /var/log/psad
PSAD_ERR_DIR               /var/log/psad/errs
PSAD_FIFO_DIR              /var/lib/psad
PSAD_FIFO_FILE             /var/lib/psad/psadfifo
PSAD_FW_READ_PID_FILE      /var/run/psad/psad_fw_read.pid
PSAD_LIBS_DIR              /usr/lib/psad
PSAD_PID_FILE              /var/run/psad/psad.pid
PSAD_RUN_DIR               /var/run/psad
SCAN_DATA_ARCHIVE_DIR      /var/log/psad/scan_archive
SCAN_TIMEOUT               3600
SHELLCODE_PORTS            !80
SHOW_ALL_SIGNATURES        Y
SIGS_FILE                  /etc/psad/signatures
SIG_MSG_SYSLOG_THRESHOLD   10
SIG_SID_SYSLOG_THRESHOLD   10
SIG_UPDATE_URL             http://www.cipherdyne.org/psad/signatures
SMTP_SERVERS               (removed)
SNORT_RULES_DIR            /etc/psad/snort_rules
SNORT_RULE_DL_FILE         /etc/psad/snort_rule_dl
SNORT_SID_STR              SID
SQL_SERVERS                (removed)
STATUS_IP_THRESHOLD        25
STATUS_OUTPUT_FILE         /var/log/psad/status.out
STATUS_PORTS_THRESHOLD     20
STATUS_SIGS_THRESHOLD      50
SYSLOG_DAEMON              syslogd
SYSLOG_FACILITY            LOG_LOCAL7
SYSLOG_IDENTITY            psad
SYSLOG_PRIORITY            LOG_INFO
TCPWRAPPERS_BLOCK_METHOD   N
TELNET_SERVERS             (removed)
TOP_ATTACKERS_FILE         /var/log/psad/top_attackers
TOP_IP_LOG_THRESHOLD       500
TOP_PORTS_LOG_THRESHOLD    500
TOP_SCANNED_PORTS_FILE     /var/log/psad/top_ports
TOP_SCANS_CTR_THRESHOLD    1
TOP_SIGS_FILE              /var/log/psad/top_sigs
TOP_SIGS_LOG_THRESHOLD     500
TRUNCATE_FWDATA            Y
ULOG_DATA_FILE             /var/log/psad/ulogd.log
USE_FW_MSG_READ_CMD_ARGS   Y
WHOIS_LOOKUP_THRESHOLD     20
WHOIS_TIMEOUT              60

[+] Command paths:

[+] df /bin/df
[+] fwcheck_psad /usr/sbin/fwcheck_psad
[+] gzip /bin/gzip
[+] ifconfig /sbin/ifconfig
[+] ip /sbin/ip
[+] ip6tables /sbin/ip6tables
[+] iptables /sbin/iptables
[+] killall /usr/bin/killall
[+] kmsgsd /usr/sbin/kmsgsd
[+] mail /bin/mail
[+] mknod /bin/mknod
[+] netstat /bin/netstat
[+] ps /bin/ps
[+] psad /usr/sbin/psad
[+] psadwatchd /usr/sbin/psadwatchd
[+] sendmail /usr/sbin/sendmail
[+] sh /bin/sh
[+] uname /bin/uname
[+] wget /usr/bin/wget
[+] whois /usr/bin/whois_psad
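A small reader for the top_sigs file pasted above, as an added example that is not psad's own code and not part of this report: it parses the `<sid> "<message>" <packets> <sources> <proto>` layout visible in that file, ranks the entries and cuts the list at STATUS_SIGS_THRESHOLD (50 in the config dump), so the section can be rebuilt from the file while `psad -S` prints [NONE]. The field names, the rendered line layout and the sample lines are this example's own assumptions and constructions.

```python
import re
from typing import List, NamedTuple
class Sig(NamedTuple):
    """One parsed entry of /var/log/psad/top_sigs (field names are this example's own)."""
    sid: int
    msg: str
    packets: int
    sources: int
    proto: str

# <sid> "<message>" <packets> <sources> <proto>; the message may hold spaces/parens, no quotes.
LINE_RE = re.compile(r'^\s*(\d+)\s+"([^"]*)"\s+(\d+)\s+(\d+)\s+(\S+)\s*$')

def parse_top_sigs(text: str) -> List[Sig]:
    """Parse the file body; '#' comment lines and blank lines are skipped."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Fail loudly on an unexpected layout rather than quietly reporting [NONE].
            raise ValueError(f"top_sigs line {lineno} not understood: {line!r}")
        sid, msg, packets, sources, proto = m.groups()
        sigs.append(Sig(int(sid), msg, int(packets), int(sources), proto))
    return sigs

def top_signatures(sigs: List[Sig], threshold: int = 50) -> List[Sig]:
    """Most packets first, ties by source count then sid; cut at STATUS_SIGS_THRESHOLD."""
    ranked = sorted(sigs, key=lambda s: (-s.packets, -s.sources, s.sid))
    return ranked[:threshold]

def render_status(sigs: List[Sig], threshold: int = 50) -> str:
    """Render the status section; the per-line layout is this example's own, not psad's."""
    lines = [f"[+] Top {threshold} signature matches:"]
    top = top_signatures(sigs, threshold)
    if not top:
        lines.append("    [NONE]")
    for s in top:
        lines.append(f'    "{s.msg}" ({s.proto}) packets: {s.packets}, sources: {s.sources}, sid: {s.sid}')
    return "\n".join(lines)

SAMPLE = """\
# constructed sample of /var/log/psad/top_sigs (entries taken from the report); comments are skipped
402 "ICMP Destination Unreachable Port Unreachable" 46 46 icmp
100074 "SCAN UPnP communication attempt" 13 13 udp
384 "ICMP PING" 11 9 icmp
100077 "MISC MS Terminal Server communication attempt" 11 9 tcp
100210 "PSAD-CUSTOM fwknop Single Packet Authorization (SPA) packet" 1 1 udp
"""
```

Run `print(render_status(parse_top_sigs(open("/var/log/psad/top_sigs").read())))` on a real file to get the ranked table directly from the file psad keeps writing.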

mrash commented 7 years ago

Thanks, I'll get this fixed within a day or so.

mrash commented 7 years ago

Fixed in 60c2e209, thanks.