psad has historically handled only iptables on Linux. Update psad to handle the PF firewall on OpenBSD systems.

Hello!
awesome software!
Worked perfectly on my previous OpenSuse 13.2, now i upgraded to 42.1, and somehow i get lots of defunct processes, keeps increasing after start. Happened with 2.4.3, and 2.4.4 too.
Any ideea why? Mention i use it on 3 more servers, centos, ubuntu, and have no problem on them.
Thanks!

dacia:/home/rocknroll/psad-2.4.4 # systemctl start psad.service
dacia:/home/rocknroll/psad-2.4.4 # ps fauxw | grep psad
root 40581 0.0 0.0 9284 1552 pts/0 S+ 00:08 0:00 _ grep --color=auto psad
root 40568 0.0 0.4 69212 38020 ? Ss 00:08 0:00 /usr/bin/perl -w /usr/sbin/psad -c /etc/psad/psad.conf
root 40569 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
root 40576 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
dacia:/home/rocknroll/psad-2.4.4 # ps fauxw | grep psad
root 40586 0.0 0.0 9284 1576 pts/0 S+ 00:08 0:00 _ grep --color=auto psad
root 40568 0.0 0.4 69212 38020 ? Ss 00:08 0:00 /usr/bin/perl -w /usr/sbin/psad -c /etc/psad/psad.conf
root 40569 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
root 40576 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
dacia:/home/rocknroll/psad-2.4.4 # ps fauxw | grep psad
root 40605 0.0 0.0 9284 1576 pts/0 S+ 00:08 0:00 _ grep --color=auto psad
root 40568 0.0 0.4 69212 38084 ? Ss 00:08 0:00 /usr/bin/perl -w /usr/sbin/psad -c /etc/psad/psad.conf
root 40569 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
root 40576 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
root 40594 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
dacia:/home/rocknroll/psad-2.4.4 # ps fauxw | grep psad
root 40645 0.0 0.0 9284 1616 pts/0 S+ 00:08 0:00 _ grep --color=auto psad
root 40568 0.0 0.4 69212 38084 ? Ss 00:08 0:00 /usr/bin/perl -w /usr/sbin/psad -c /etc/psad/psad.conf
root 40569 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
root 40576 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
root 40594 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]
root 40635 0.0 0.0 0 0 ? Z 00:08 0:00 _ [psad]

psad has historically only support iptables on Linux systems - add support for ipfw on FreeBSD and Mac OS X systems.

Hello, I would like the sending profile to be different. Currently, the alerting is working fine and I'm getting the emails I want. However the from is "root [email protected]" and I want this to be "Monitoring [email protected]". I've poked around the config and found the entry to the DSHIELD_USER_MAIL, but I'm only monitoring and this did not change the email I received.

When nftables is released in the mainline kernel psad should support it. iptables support will of course need to be retained, but nftables should be supported as well. This follows Tim Heckman's suggestion to do the same for fwknop.

[+] psadwatchd (pid: 24905) %CPU: 0.0 %MEM: 0.0
Running since: Tue Aug 18 00:42:43 2015

[+] psad (pid: 24901) %CPU: 0.0 %MEM: 0.2
Running since: Tue Aug 18 00:42:43 2015
Command line arguments: [none specified]
Alert email address(es): root@localhost [email protected]

[+] Version: psad v2.4.1

[+] Top 50 signature matches:
[NONE]

[+] Top 25 attackers:
[NONE]

[+] Top 20 scanned ports:
[NONE]

[+] iptables log prefix counters:
[NONE]

Total protocol packet counters:

[+] IP Status Detail:
[NONE]

Total scan sources: 0
Total scan destinations: 0

[+] These results are available in: /var/log/psad/status.out

target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
PSAD_BLOCK_INPUT all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PSAD_BLOCK_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

Chain PSAD_BLOCK_INPUT (1 references)
target prot opt source destination

Chain PSAD_BLOCK_OUTPUT (1 references)
target prot opt source destination

hi,
I hope you will be fine. I have faced issue while white-listing my local network using auto_dl file. Actually, i want to ignore certain ports of udp & tcp against my local network and it is not working fine. However, it currently supports range of ports.
I also need some information about my following configuration in the auto_dl. Can you check it please. i want different danger level for different ports and protocols.

10.10.1.0/24 3 tcp/22,tcp/999,tcp/80,tcp/443;
10.10.1.0/24 1 icmp;
10.10.1.0/24 1 udp/1.65536 ;

Whenever I execute psad --Status it writes to socket the ips, removing them from the block. Why?

As reported to the psad mailing list, psad-2.1.7 on OpenSuSE 10.3 has the following issue:

/etc/init.d/psad start

Starting psad: Undefined subroutine &main::LOG_DAEMON called at /usr/sbin/psad line 9443.

There has also been one report of this on CentOS 5.6.

Current situation

The package on AUR is simply broken, the reason of death remains unknown, and no matter what modification has done to the PKGBUILD(the installation script), it fails the whole installation.

Suggestion / Proposal

Add support to systemd, and if possible(I know it's too much to ask) fix the PKGBUILD.

I am really hoping someone could fix this, but it seems nobody cares which leads me here to report. Archlinux is good at some point, and bad at some other point. However we still have a quite active community at ArchLinux, and I don't want to give up on this distro.

For remainder.

A Debian user has opened the following bug on psad:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724267

with TCPWRAPPERS_BLOCK_METHOD=Y psad modifies the current permissions of /etc/hosts.deny

Argument "1.6.1" isn't numeric in numeric gt (>) at /usr/lib/psad/IPTables/ChainMgr.pm line 414.

This occurred with version 2.4.2, which actually reports itself as 2.4.1. It still seems to be functioning properly and I'm not sure if it is an environment issue since it hasn't been previously reported.

I'm testing PSAD on both Fedora 25 and Fedora 26, on both systems I get emails that according to PSAD I "may need to add a default logging rule", which I have:

# iptables-save | grep DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT ! -i lo -j LOG --log-prefix "DROP INPUT " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD ! -i lo -j LOG --log-prefix "DROP FORWARD " --log-tcp-options --log-ip-options
-A OUTPUT -m conntrack --ctstate INVALID -j DROP

# iptables -vnL --line-numbers | grep DROP 
7      119  4760 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
16       0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 4 prefix "DROP INPUT "
17       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
11       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
15       0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 4 prefix "DROP FORWARD "
2        9   360 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

When I try to add an IP manually I get these errors:

# psad --fw-block-ip 172.11.11.0/24 -v
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -w -t filter -n -L INPUT
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x22935a8)
Wed Jul 26 15:32:20 2017     firewall-cmd command stdout:
Wed Jul 26 15:32:20 2017     firewall-cmd command stderr:
FirewallD is not running
Wed Jul 26 15:32:20 2017     Return value: 0
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L INPUT
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x22935a8)
Wed Jul 26 15:32:20 2017     firewall-cmd command stdout:
Wed Jul 26 15:32:20 2017     firewall-cmd command stderr:
FirewallD is not running
Wed Jul 26 15:32:20 2017     Return value: 0
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L OUTPUT
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x22935a8)
Wed Jul 26 15:32:20 2017     firewall-cmd command stdout:
Wed Jul 26 15:32:20 2017     firewall-cmd command stderr:
FirewallD is not running
Wed Jul 26 15:32:20 2017     Return value: 0
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L FORWARD
Wed Jul 26 15:32:20 2017 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x22935a8)
Wed Jul 26 15:32:21 2017     firewall-cmd command stdout:
Wed Jul 26 15:32:21 2017     firewall-cmd command stderr:
FirewallD is not running
Wed Jul 26 15:32:21 2017     Return value: 0
[+] Writing 172.11.11.0/24 to socket; psad will add the IP
    within 5 seconds.

Meaning that somehow FirewallD is the default, but these are setup in my psad.conf, there is no mention of FirewallD:

# egrep -i 'ip[6]?tablesCmd|firewalld' /etc/psad/psad.conf
iptablesCmd      /sbin/iptables;
ip6tablesCmd     /sbin/ip6tables;

I don't use FirewallD, I only use the native iptable services for flexibility:

# systemctl status firewalld iptables ip6tables
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since wo 2017-07-26 08:51:11 CEST; 6h ago
 Main PID: 1080 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/iptables.service

jul 26 08:51:11 defiant systemd[1]: Starting IPv4 firewall with iptables...
jul 26 08:51:11 defiant iptables.init[1080]: iptables: Applying firewall rules: [  OK  ]
jul 26 08:51:11 defiant systemd[1]: Started IPv4 firewall with iptables.

● ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
   Active: active (exited) since wo 2017-07-26 08:51:11 CEST; 6h ago
 Main PID: 1084 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/ip6tables.service

jul 26 08:51:11 defiant systemd[1]: Starting IPv6 firewall with ip6tables...
jul 26 08:51:11 defiant ip6tables.init[1084]: ip6tables: Applying firewall rules: [  OK  ]
jul 26 08:51:11 defiant systemd[1]: Started IPv6 firewall with ip6tables.

I expect to use PSAD with iptables, I therefore would like to request this feature, tested with psad-2.4.3-3.fc25.x86_64 and psad-2.4.3-4.fc26.x86_64

When journalctl is used on a system for accessing syslog data, then the traditional /var/log/* syslog files don't exist. psad needs to be able to handle this.

Brad Rubenstein submitted the following bug report:

--- bug report ---

OS: Fedora Core 19
RPM: psad-2.2.1-1.fc19.x86_64
Subject: psad --HUP returns failure exit code upon successful
completion, causes logrotate errors

To reproduce: install the psad rpm, which includes
/etc/logrotate.d/psad, which calls psad --HUP

Symptom: we get email from cron:

/etc/cron.daily/logrotate:                                                                                                                                                    

[+] HUP signal sent to psadwatchd (pid: 19968)                                                                                                                                
[+] HUP signal sent to psad (pid: 19965)                                                                                                                                      
error: error running non-shared postrotate script for /var/log/psad/fwdata of '/var/log/psad/fwdata '                                                                         

We get an error return, even when the command succeeds:

# psad --HUP                                                                                                                                                                  
# echo $?                                                                                                                                                                     
1                                                                                                                                                                             
#                                                                                                                                                                             

Workaround: disable error reporting by replacing psad --HUP with psad
--HUP || true

Albert Whale reported the following to the psad mailing list:

Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
[+] Version: psad v2.2.3

Additionally, I occasionally see that the count down timers have exceeds their counting, and will be written to the iptables messages.

[+] mkdir /var/log/psad, 700
[*] Could not find killall anywhere!!!  Please edit the config section to include the path to killall. at ./install.pl line 2162.

Hello,

I just want to report this error (because as today, it's seem to not longer exist (under Stretch (aka Debian 9)).

Kind regards.

PS : Almost 2 weeks later. Then for the moment, one solution might be to first run this command : apt install psad. Once it's done, the error might be gone and apparently it was updated (psad_v2.4.3 --->psad_v2.4.5 by the command : ./install.pl).

since net-tools commit 36b541c (2 Dec 2011) 'ifconfig' and 'route' was moved to /bin and while many distros still use /sbin, Gentoo for example don't, and the check to make sure the commands specified in the config section are in the right place, and attempt to correct automatically if not, doesn't appear to work for me, when running 'psad -D'

perl debug output of error

[+] ifconfig output:
Can't exec "/sbin/ifconfig": No such file or directory at /usr/sbin/psad line 10678.
 at /usr/sbin/psad line 10678.
        main::run_command("/sbin/ifconfig", "-a") called at /usr/sbin/psad line 10514
        main::dump_conf() called at /usr/sbin/psad line 3301
        main::psad_init() called at /usr/sbin/psad line 658
[*] Could not execute /sbin/ifconfig -a: No such file or directory at /usr/sbin/psad line 10678.
 at /usr/sbin/psad line 10678.
        main::run_command("/sbin/ifconfig", "-a") called at /usr/sbin/psad line 10514
        main::dump_conf() called at /usr/sbin/psad line 3301
        main::psad_init() called at /usr/sbin/psad line 658
Debugged program terminated.  

file locations:

root@[Gentoo]~/:>ls -al /{s,}bin/{ifconfig,ip,ifcfg}
ls: cannot access /sbin/ifconfig: No such file or directory
ls: cannot access /sbin/ip: No such file or directory
ls: cannot access /bin/ifcfg: No such file or directory
-rwxr-xr-x 1 root root  72504 Dec  2 12:11 /bin/ifconfig
-rwxr-xr-x 1 root root 376080 Mar 24 15:01 /bin/ip
-rwxr-xr-x 1 root root   3056 Mar 24 15:01 /sbin/ifcfg
root@[Gentoo]~/:>

installed package versions:

root@[Gentoo]~/:>equery list iproute2 net-tools psad
 * Searching for iproute2 ...
[IP-] [  ] sys-apps/iproute2-4.4.0:0

 * Searching for net-tools ...
[IP-] [  ] sys-apps/net-tools-1.60_p20141019041918-r1:0

 * Searching for psad ...
[IP-] [  ] net-firewall/psad-2.4.3:0
root@[Gentoo]~/:>

psad should integrate reputation feeds that contain IP only or IP+port matching criteria. There are good examples from the Emerging Threats community.

psad currently detects malicious traffic delivered via IPv6, but cannot also block such traffic in auto-blocking mode. psad should be extended to use ip6tables to close this gap.

1min 17.793s psad.service

Is this normal?

My system is a VirtualBox 5.1.18 guest running Ubuntu 16.04.2 LTS

psad v2.2.3 by Michael Rash [email protected]

apt-get tells me that I have the latest, psad v2.2.3-1

Recent RHEL and CentOS distros have moved to firewalld. psad needs to support this.

On a Slackware system, I get this:

[*] Could not find/execute iptables, specify path via _iptables
 at /usr/lib/psad/IPTables/ChainMgr.pm line 37.

Would it be possible for ChainMgr to check the availability of iptables & ip6tables also from /usr/sbin or use the iptablesCmd & ip6tablesCmd variables from /etc/psad/psad.conf?

I'm faced with this erro

[-] You may just need to add a default logging rule to the
'filter' 'INPUT' chain on localhost.localdomain. For more information,
see the file "README" in the psad sources directory or visit:

http://www.cipherdyne.org/psad/docs/fwconfig.html

But this is my iptables rules:

[root@localhost Downloads]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

there is som problem?

Given the behavior of both knockknock and fwknop, it should be possible to write psad signatures to detect both pieces of software. For example, non-zero TCP ACK fields along with non-default TCP window sizes within the TCP SYN packets that knocknock produces should be detectable. For fwknop, looking for the default UDP port of 62201 combined with the minimum expected data length should be a good indicator.

Is it possible to add feature for counting unique scanned hosts and calculate DL based also on it?
I routed traffic for unused at the moment IP addresses to the server with psad installed.
And I see a lot of scanning my hosts for open port or attempt to exploit some vulnerability on a number of hosts.
Even in syslog there is good seen enumerating.
I'd like to find and block such activity, but psad simply skip it with DL=1, because every destination host receives only few packets.

Add an init script for systems running systemd. This issue was reported by Robert Watson to the psad mailing list.

After i updated to 2.4.4 from 2.4.3 when i run psad status it is not showing top sigs anymore. Here is output and config dump and status output. It writes output to /var/log/psad/top_sigs though.

cat /var/log/psad/top_sigs

Format: "" <num_sources> <sig_proto>

402 "ICMP Destination Unreachable Port Unreachable" 46 46 icmp
100074 "SCAN UPnP communication attempt" 13 13 udp
384 "ICMP PING" 11 9 icmp
100077 "MISC MS Terminal Server communication attempt" 11 9 tcp
100205 "MISC Microsoft SQL Server communication attempt" 6 5 tcp
381 "ICMP PING Sun Solaris" 5 4 icmp
2375 "BACKDOOR DoomJuice file upload attempt" 4 4 tcp
100084 "MISC HP Web JetAdmin communication attempt" 2 2 tcp
100202 "MISC VNC communication attempt" 2 2 tcp
399 "ICMP Destination Unreachable Host Unreachable" 2 2 icmp
100082 "MISC Microsoft PPTP communication attempt" 1 1 tcp
401 "ICMP Destination Unreachable Network Unreachable" 1 1 icmp
510 "POLICY HP JetDirect LCD communication attempt" 1 1 tcp
100210 "PSAD-CUSTOM fwknop Single Packet Authorization (SPA) packet" 1 1 udp
1846 "POLICY vncviewer Java applet communication attempt" 1 1 tcp

[-] psad: pid file /var/run/psad/psad_fw_read.pid does not exist for psad_fw_read on xx.xxx.local
[+] psad (pid: 11550) %CPU: 0.0 %MEM: 1.9
Running since: Tue Feb 21 21:52:44 2017
Command line arguments: [none specified]
Alert email address(es): admin@localhost

[+] Version: psad v2.4.4

[+] Top 50 signature matches:
[NONE]

[+] Top 25 attackers:
101.25.169.106 DL: 2, Packets: 1, Sig count: 1
106.84.91.186 DL: 2, Packets: 1, Sig count: 1
107.179.45.126 DL: 2, Packets: 1, Sig count: 1
108.20.244.36 DL: 2, Packets: 1, Sig count: 1
108.61.184.64 DL: 2, Packets: 1, Sig count: 1
110.181.63.103 DL: 2, Packets: 1, Sig count: 1
110.80.143.150 DL: 2, Packets: 1, Sig count: 1
112.218.1.123 DL: 2, Packets: 1, Sig count: 1
113.231.246.21 DL: 2, Packets: 1, Sig count: 1
114.80.253.90 DL: 2, Packets: 1, Sig count: 1
116.93.254.92 DL: 2, Packets: 1, Sig count: 1
121.183.108.61 DL: 2, Packets: 1, Sig count: 1
123.108.190.212 DL: 2, Packets: 1, Sig count: 1
123.11.38.125 DL: 2, Packets: 1, Sig count: 1
123.151.149.222 DL: 2, Packets: 10, Sig count: 2
124.153.144.199 DL: 2, Packets: 1, Sig count: 1
129.78.96.1 DL: 2, Packets: 2, Sig count: 2
129.82.138.44 DL: 2, Packets: 1, Sig count: 2
139.164.144.97 DL: 2, Packets: 1, Sig count: 1
14.152.95.219 DL: 2, Packets: 1, Sig count: 1
149.11.37.70 DL: 2, Packets: 1, Sig count: 1
171.8.205.208 DL: 2, Packets: 1, Sig count: 1
175.114.33.130 DL: 2, Packets: 1, Sig count: 1
175.205.5.44 DL: 2, Packets: 1, Sig count: 1

[+] Top 20 scanned ports:
tcp 23 396 packets
tcp 5358 78 packets
tcp 7547 44 packets
tcp 80 34 packets
tcp 22 31 packets
tcp 2323 21 packets
tcp 443 16 packets
tcp 35356 15 packets
tcp 3389 13 packets
tcp 3306 7 packets
tcp 8080 7 packets
tcp 1433 6 packets
tcp 10137 6 packets
tcp 8009 4 packets
tcp 3128 4 packets
tcp 2222 4 packets
tcp 21 3 packets
tcp 26197 3 packets
tcp 10706 3 packets
tcp 27017 3 packets

  udp 56699 119 packets
  udp 51098 108 packets
  udp 51097 59 packets
  udp 56698 44 packets
  udp 5060  35 packets
  udp 60329 32 packets
  udp 50674 19 packets
  udp 1900  13 packets
  udp 16403 12 packets
  udp 443   5 packets
  udp 80    5 packets
  udp 35356 5 packets
  udp 123   4 packets
  udp 161   3 packets
  udp 53    3 packets
  udp 58337 2 packets
  udp 54504 2 packets
  udp 60545 2 packets
  udp 5071  1 packets
  udp 53413 1 packets

[+] iptables log prefix counters:
"DROP PKT": 55740
"INVALID PKT": 1306

[+] psad v2.4.4

[+] /var/log/psad/install.log exists.

[+] Dumping psad config from: /etc/psad/psad.conf

AIM_SERVERS                (removed)
ALERTING_METHODS           noemail
ALERT_ALL                  Y
ANALYSIS_MODE_DIR          /var/log/psad/ipt_analysis
ANALYSIS_OUTPUT_FILE       /var/log/psad/analysis.out
AUTO_BLOCK_DL1_TIMEOUT     3600
AUTO_BLOCK_DL2_TIMEOUT     3600
AUTO_BLOCK_DL3_TIMEOUT     3600
AUTO_BLOCK_DL4_TIMEOUT     3600
AUTO_BLOCK_DL5_TIMEOUT     0
AUTO_BLOCK_IPT_FILE        /var/log/psad/auto_blocked_iptables
AUTO_BLOCK_REGEX           ESTAB
AUTO_BLOCK_TCPWR_FILE      /var/log/psad/auto_blocked_tcpwr
AUTO_BLOCK_TIMEOUT         3600
AUTO_DETECT_JOURNALCTL     N
AUTO_DL_FILE               /etc/psad/auto_dl
AUTO_IDS_DANGER_LEVEL      5
AUTO_IPT_SOCK              /var/run/psad/auto_ipt.sock
CHECK_INTERVAL             5
CONF_ARCHIVE_DIR           /etc/psad/archive
CUSTOM_SYSLOG_TS_RE        ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:
DANGER_LEVEL1              5
DANGER_LEVEL2              15
DANGER_LEVEL3              150
DANGER_LEVEL4              1500
DANGER_LEVEL5              10000
DISK_CHECK_INTERVAL        300
DISK_MAX_PERCENTAGE        95
DISK_MAX_RM_RETRIES        10
DNS_LOOKUP_THRESHOLD       20
DNS_SERVERS                (removed)
DSHIELD_ALERT_EMAIL        [email protected]
DSHIELD_ALERT_INTERVAL     6
DSHIELD_COUNTER_FILE       /var/log/psad/dshield_ctr
DSHIELD_DL_THRESHOLD       0
DSHIELD_EMAIL_FILE         /var/log/psad/dshield.email
DSHIELD_USER_EMAIL         (removed)
DSHIELD_USER_ID            (removed)
EMAIL_ADDRESSES            (removed)
EMAIL_ALERT_DANGER_LEVEL   1
EMAIL_LIMIT                0
EMAIL_LIMIT_STATUS_MSG     Y
EMAIL_THROTTLE             0
ENABLE_AUTO_IDS            N
ENABLE_AUTO_IDS_EMAILS     Y
ENABLE_AUTO_IDS_REGEX      N
ENABLE_CUSTOM_SYSLOG_TS_RE N
ENABLE_DNS_LOOKUPS         Y
ENABLE_DSHIELD_ALERTS      N
ENABLE_EMAIL_LIMIT_PER_DST N
ENABLE_EXT_BLOCK_SCRIPT_EXEC N
ENABLE_EXT_SCRIPT_EXEC     N
ENABLE_FW_LOGGING_CHECK    Y
ENABLE_FW_MSG_READ_CMD     N
ENABLE_INTF_LOCAL_NETS     Y
ENABLE_IPV6_DETECTION      N
ENABLE_MAC_ADDR_REPORTING  N
ENABLE_PERSISTENCE         Y
ENABLE_PSADWATCHD          N
ENABLE_RENEW_BLOCK_EMAILS  N
ENABLE_SCAN_ARCHIVE        N
ENABLE_SIG_MSG_SYSLOG      Y
ENABLE_SNORT_SIG_STRICT    Y
ENABLE_SYSLOG_FILE         Y
ENABLE_WHOIS_FORCE_ASCII   N
ENABLE_WHOIS_FORCE_SRC_IP  N
ENABLE_WHOIS_LOOKUPS       Y
ETC_HOSTS_DENY_FILE        /etc/hosts.deny
ETC_METALOG_CONF           /etc/metalog/metalog.conf
ETC_RSYSLOG_CONF           /etc/rsyslog.conf
ETC_SYSLOGNG_CONF          /etc/syslog-ng/syslog-ng.conf
ETC_SYSLOG_CONF            /etc/syslog.conf
EXEC_EXT_SCRIPT_PER_ALERT  N
EXPECT_TCP_OPTIONS         Y
EXTERNAL_BLOCK_SCRIPT      /bin/true
EXTERNAL_NET               (removed)
EXTERNAL_SCRIPT            /bin/true
FLUSH_IPT_AT_INIT          Y
FWSNORT_RULES_DIR          /etc/fwsnort/snort_rules
FW_CHECK_FILE              /var/log/psad/fw_check
FW_DATA_FILE               /var/log/psad/fwdata
FW_ERROR_LOG               /var/log/psad/errs/fwerrorlog
FW_MSG_READ_CMD            /bin/journalctl
FW_MSG_READ_CMD_ARGS       -f -k
FW_MSG_READ_MIN_PKTS       30
FW_MSG_SEARCH              PKT
FW_SEARCH_ALL              Y
HOME_NET                   (removed)
HOSTNAME                   (removed)
HTTP_PORTS                 80
HTTP_SERVERS               (removed)
ICMP6_TYPES_FILE           /etc/psad/icmp6_types
ICMP_TYPES_FILE            /etc/psad/icmp_types
IFCFGTYPE                  ifconfig
IGNORE_CONNTRACK_BUG_PKTS  Y
IGNORE_INTERFACES          eth1.100
IGNORE_KERNEL_TIMESTAMP    Y
IGNORE_LOG_PREFIXES        NONE
IGNORE_PORTS               NONE
IGNORE_PROTOCOLS           NONE
IMPORT_OLD_SCANS           N
INSTALL_LOG_FILE           /var/log/psad/install.log
INSTALL_ROOT               /
IPTABLES_BLOCK_METHOD      Y
IPTABLES_PREREQ_CHECK      1
IPT_AUTO_CHAIN1            DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1
IPT_AUTO_CHAIN2            DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1
IPT_AUTO_CHAIN3            DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1
IPT_ERROR_PATTERN          psad_ipterr.XXXXXX
IPT_OUTPUT_PATTERN         psad_iptout.XXXXXX
IPT_PREFIX_COUNTER_FILE    /var/log/psad/ipt_prefix_ctr
IPT_SYSLOG_FILE            /var/log/messages
IPT_WRITE_FWDATA           Y
IP_OPTS_FILE               /etc/psad/ip_options
KMSGSD_PID_FILE            /var/run/psad/kmsgsd.pid
MAIL_ALERT_PREFIX          [psad-alert]
MAIL_ERROR_PREFIX          [psad-error]
MAIL_FATAL_PREFIX          [psad-fatal]
MAIL_STATUS_PREFIX         [psad-status]
MAX_HOPS                   20
MAX_SCAN_IP_PAIRS          0
MIN_ARCHIVE_DANGER_LEVEL   1
MIN_DANGER_LEVEL           1
ORACLE_PORTS               1521
P0F_FILE                   /etc/psad/pf.os
PACKET_COUNTER_FILE        /var/log/psad/packet_ctr
PERSISTENCE_CTR_THRESHOLD  5
PORT_RANGE_SCAN_THRESHOLD  1
POSF_FILE                  /etc/psad/posf
PRINT_SCAN_HASH            /var/log/psad/scan_hash
PROC_FORWARD_FILE          /proc/sys/net/ipv4/ip_forward
PROTOCOLS_FILE             /etc/psad/protocols
PROTOCOL_SCAN_THRESHOLD    5
PSADWATCHD_CHECK_INTERVAL  5
PSADWATCHD_MAX_RETRIES     10
PSADWATCHD_PID_FILE        /var/run/psad/psadwatchd.pid
PSAD_CMDLINE_FILE          /var/run/psad/psad.cmd
PSAD_CONF_DIR              /etc/psad
PSAD_DIR                   /var/log/psad
PSAD_ERR_DIR               /var/log/psad/errs
PSAD_FIFO_DIR              /var/lib/psad
PSAD_FIFO_FILE             /var/lib/psad/psadfifo
PSAD_FW_READ_PID_FILE      /var/run/psad/psad_fw_read.pid
PSAD_LIBS_DIR              /usr/lib/psad
PSAD_PID_FILE              /var/run/psad/psad.pid
PSAD_RUN_DIR               /var/run/psad
SCAN_DATA_ARCHIVE_DIR      /var/log/psad/scan_archive
SCAN_TIMEOUT               3600
SHELLCODE_PORTS            !80
SHOW_ALL_SIGNATURES        Y
SIGS_FILE                  /etc/psad/signatures
SIG_MSG_SYSLOG_THRESHOLD   10
SIG_SID_SYSLOG_THRESHOLD   10
SIG_UPDATE_URL             http://www.cipherdyne.org/psad/signatures
SMTP_SERVERS               (removed)
SNORT_RULES_DIR            /etc/psad/snort_rules
SNORT_RULE_DL_FILE         /etc/psad/snort_rule_dl
SNORT_SID_STR              SID
SQL_SERVERS                (removed)
STATUS_IP_THRESHOLD        25
STATUS_OUTPUT_FILE         /var/log/psad/status.out
STATUS_PORTS_THRESHOLD     20
STATUS_SIGS_THRESHOLD      50
SYSLOG_DAEMON              syslogd
SYSLOG_FACILITY            LOG_LOCAL7
SYSLOG_IDENTITY            psad
SYSLOG_PRIORITY            LOG_INFO
TCPWRAPPERS_BLOCK_METHOD   N
TELNET_SERVERS             (removed)
TOP_ATTACKERS_FILE         /var/log/psad/top_attackers
TOP_IP_LOG_THRESHOLD       500
TOP_PORTS_LOG_THRESHOLD    500
TOP_SCANNED_PORTS_FILE     /var/log/psad/top_ports
TOP_SCANS_CTR_THRESHOLD    1
TOP_SIGS_FILE              /var/log/psad/top_sigs
TOP_SIGS_LOG_THRESHOLD     500
TRUNCATE_FWDATA            Y
ULOG_DATA_FILE             /var/log/psad/ulogd.log
USE_FW_MSG_READ_CMD_ARGS   Y
WHOIS_LOOKUP_THRESHOLD     20
WHOIS_TIMEOUT              60

[+] Command paths:

[+] df /bin/df
[+] fwcheck_psad /usr/sbin/fwcheck_psad
[+] gzip /bin/gzip
[+] ifconfig /sbin/ifconfig
[+] ip /sbin/ip
[+] ip6tables /sbin/ip6tables
[+] iptables /sbin/iptables
[+] killall /usr/bin/killall
[+] kmsgsd /usr/sbin/kmsgsd
[+] mail /bin/mail
[+] mknod /bin/mknod
[+] netstat /bin/netstat
[+] ps /bin/ps
[+] psad /usr/sbin/psad
[+] psadwatchd /usr/sbin/psadwatchd
[+] sendmail /usr/sbin/sendmail
[+] sh /bin/sh
[+] uname /bin/uname
[+] wget /usr/bin/wget
[+] whois /usr/bin/whois_psad

Tim Kramer reported that the current psad init script that gets installed on RHEL 6 was causing multiple instances of psadwatchd to be started. This is likely because of an incompatibility with the current psad init scripts which are not compatible with the upstart daemon.

psad blocking & emails are fine - I see this trying to run a summary with psad -A:

Host = Alpine Linux
perl 5, version 22, subversion 2 (v5.22.2) built for x86_64-linux-thread-multi
perl-bit-vector = 7.4
perl-date-calc = 6.4
perl-iptables-chainmgr = 1.5
perl-iptables-parse = 1.6.1
perl-net-ipv4addr = 0.10
perl-unix-syslog = 1.1

root@WEB1 [~]# psad -A
[+] Removing old /var/log/psad/ipt_analysis directory.
[+] Entering analysis mode.  Parsing /var/log/messages
[+] Found 672 iptables log messages out of 932 total lines.
[+] Processed 61 packets...
[+] Processed 122 packets...
[+] Processed 183 packets...
[+] Processed 244 packets...
[+] Processed 305 packets...
[+] Processed 366 packets...
[+] Processed 427 packets...
[+] Processed 488 packets...
[+] Processed 549 packets...
[+] Processed 610 packets...
[+] Processed 671 packets...
[+] Assigning scan danger levels...
    Level 1: 0 IP addresses
    Level 2: 6 IP addresses
    Level 3: 0 IP addresses
    Level 4: 0 IP addresses
    Level 5: 0 IP addresses

    Tracking 6 total IP addresses
Use of uninitialized value in subroutine entry at /usr/lib/perl5/vendor_perl/NetAddr/IP/Lite.pm line 1355.
Bad arg length for NetAddr::IP::Util::hasbits, length is 0, should be 128 at /usr/lib/perl5/vendor_perl/NetAddr/IP/Lite.pm line 1355.

This is probably related to the 4.1 kernel in Alpine Linux 3.3:

can't call method "network" on an undefined value at /usr/sbin/psad line 3746

setting in /etc/psad/psad.conf:

ENABLE_INTF_LOCAL_NETS N;

fixes the error & psad starts.

I also noticed from psad -A:

Use of uninitialized value in subroutine entry at /usr/lib/perl5/vendor_perl/NetAddr/IP/Lite.pm line 1355.
Bad arg length for NetAddr::IP::Util::hasbits, length is 0, should be 128 at /usr/lib/perl5/vendor_perl/NetAddr/IP/Lite.pm line 1355.

root@alpine [~]# uname -a
Linux alpine 4.1.15-1-grsec #2-Alpine SMP Tue Dec 29 04:01:15 GMT 2015 x86_64 GNU/Linux
root@alpine [~]# perl -v

This is perl 5, version 22, subversion 1 (v5.22.1) built for x86_64-linux-thread-multi

This is what I understand the code ( psad-2.4.4 ) to be doing:

%snort_class_dl is initialized in sub import_snort_class_priorities(), by reading 'SNORT_RULES_DIR/classification.config' and is used only in sub import_signatures() to "assign the danger level from the classification.config file if the psad_dl field does not exist" to rules in the 'PSAD_CONF_DIR/signatures' file.

For the fwsnort rules in 'SNORT_RULES_DIR/*.rules' files, such an assignment of danger levels, based on the 'SNORT_RULES_DIR/classification.config' file, does not happen. Instead, to set the danger levels for these fwsnort rules one has to add a line for each of them in the 'PSAD_CONF_DIR/snort_rule_dl' file. If that is not done, the psad code uses a default danger level of 2.

My question is if this is by design and I am supposed to configure psad in a different way ( i.e. perhaps there is a way to automatically create the 'PSAD_CONF_DIR/snort_rule_dl' file from my 'SNORT_RULES_DIR/*.rules' files ) or if it would be better to patch psad to automatically assign danger levels to all fwsnort rules used, based on the contents of 'SNORT_RULES_DIR/classification.config' and use 'PSAD_CONF_DIR/snort_rule_dl' just for finetuning.

I include the following diff for enabling the later in psad-2.4.4, to illustrate the point:

--- psad-2.4.4	2017-03-18 12:55:03.519344682 +0000
+++ psad	2017-03-27 09:20:52.444063104 +0000
@@ -4017,6 +4017,10 @@
 
     %fwsnort_sigs = ();
 
+    # Test patch
+    ### import the Snort classification.config file
+    &import_snort_class_priorities();
+
     for my $dir ($config{'SNORT_RULES_DIR'},
             $config{'FWSNORT_RULES_DIR'}) {
         next unless -d $dir;
@@ -4055,6 +4059,10 @@
 
                 if (/[\s;]classtype:\s*(.*?)\s*;/) {
                     $fwsnort_sigs{$sid}{'classtype'} = $1;
+                    # Test patch
+                    if (defined $snort_class_dl{$1} ) {
+                        $snort_rule_dl{$sid} = $snort_class_dl{$1};
+                    }
                 } else {
                     $fwsnort_sigs{$sid}{'classtype'} = '';
                 }
@@ -4086,9 +4094,6 @@
         }
     }
 
-    ### import the Snort classification.config file
-    &import_snort_class_priorities();
-
     ### import the reference.config file
     &import_snort_reference_config();
 
@@ -4158,7 +4163,8 @@
 
 sub import_snort_rule_dl() {
 
-    %snort_rule_dl = ();
+    # Test patch
+    #%snort_rule_dl = ();
 
     ### parse the snort_rule_dl file
     return unless -e $config{'SNORT_RULE_DL_FILE'};
@@ -4172,7 +4178,15 @@
             unless ($dl >= 0 and $dl < 6) {
                 next;
             }
-            $snort_rule_dl{$sid} = $dl;
+            # Test patch
+            if ( defined $snort_rule_dl{$sid} ) { 
+                if ( $snort_rule_dl{$sid} lt $dl ) {
+                    $snort_rule_dl{$sid} = $dl;
+                }
+            } else {
+                $snort_rule_dl{$sid} = $dl;
+            }
+            #$snort_rule_dl{$sid} = $dl;
         }
     }
     close F;

PS: line numbers may be slightly off because we have a few more lines of patching to enable psad to work with shorewall.

I have tried to install psad-2.4.1 and afterwards the latest version (master). Both installs failed with the following warnings (see below):

[+] Removing /usr/lib/psad/ directory from previous psad installation.
[+] Creating /usr/lib/psad
[+] mkdir /usr/lib/psad, 755
[+] Compiling Marco d'Itri's whois client
[+] CMD: '/usr/bin/make -C deps/whois'
make: Entering directory /root/psad-master/deps/whois' cc -g -O2 -MM -MG *.c > Makefile.depend make: Leaving directory/root/psad-master/deps/whois'
make: Entering directory /root/psad-master/deps/whois' cc -g -O2 -c whois.c cc -g -O2 -c utils.c cc -o whois whois.o utils.o cc -g -O2 -c mkpasswd.c cc -o mkpasswd mkpasswd.o utils.o -lcrypt make: Leaving directory/root/psad-master/deps/whois'
[+] Copying whois binary to /usr/bin/whois_psad

[+] Installing the Unix::Syslog 1.1 perl module in /usr/lib/psad/
[+] CMD: '/usr/bin/perl Makefile.PL PREFIX=/usr/lib/psad LIB=/usr/lib/psad'
Checking if your kit is complete...
Warning: the following files are missing in your kit:
META.yml
Please inform the author.
Writing Makefile for Unix::Syslog
[+] CMD: '/usr/bin/make'
cp Syslog.pm blib/lib/Unix/Syslog.pm
/usr/bin/perl /usr/share/perl5/ExtUtils/xsubpp -typemap /usr/share/perl5/ExtUtils/typemap Syslog.xs > Syslog.xsc && mv Syslog.xsc Syslog.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -DVERSION="1.1" -DXS_VERSION="1.1" -fPIC "-I/usr/lib64/perl5/CORE" Syslog.c
Syslog.c: In function 'XS_Unix__Syslog_priorityname':
Syslog.c:432: warning: unused variable 'targ'
Syslog.c:431: warning: unused variable 'RETVAL'
Syslog.c:430: warning: unused variable 'p'
Syslog.c: In function 'XS_Unix__Syslog_facilityname':
Syslog.c:454: warning: unused variable 'targ'
Syslog.c:453: warning: unused variable 'RETVAL'
Syslog.c:452: warning: unused variable 'f'
Syslog.c: In function 'XS_Unix__Syslog_setlogmask':
Syslog.c:570: warning: unused variable 'targ'
Syslog.c:569: warning: unused variable 'RETVAL'

Is it possible to change PSAD's email notification banners to a more friendly Body, Subject and From fields ? Sometimes the client needs a bit more in the Subject and From field to know what it is.

The following bug report was sent to the psad mailing list from "3Turtles":

My Ubuntu servers are all currently suffering from zombie processes. I
narrowed down the culprit to PSAD (sh 's parent is psad).

In my psad.conf file i have the noemail configured, but emails are still
trying to send out and they are failing (i did this on purpose so my
email doesnt get spammed to death) and being sent to my root mail instead.

Any idea how i can solve this? After a few hours i have around 35
zombie processes.

Hello
I would like to report a bug in Debian 7 that appears when I restart the psad. When I disable (N) the "FLUSH_IPT_AT_INIT" is displayed:

Use of uninitialized value $ dl in numeric eq (==) at / usr / sbin / psad line 6914.
Use of uninitialized value $ dl in numeric eq (==) at / usr / sbin / psad line 6916.
Use of uninitialized value $ dl in numeric eq (==) at / usr / sbin / psad line 6918.

If configured as enabled (Y), the error is not displayed.

I'm using version 2.2.1 of PSAD.

Regards

This was reported in Fedora bug tracker (https://bugzilla.redhat.com/show_bug.cgi?id=1394902).

Description of problem:
Setting psad on my system shows error in /var/log/psad/fw_check because I have firewalld installed but not running. I set my firewall with /etc/sysconfig/iptables and using iptables.service

Version-Release number of selected component (if applicable):

psad-2.4.3-3.fc24.x86_64
perl-IPTables-Parse-1.6.1-2.fc24.noarch
perl-IPTables-ChainMgr-1.5-2.fc24.noarch
firewalld-0.4.4.1-1.fc24.noarch

How reproducible:
Always

Steps to Reproduce:

1. Have firewalld installed but not running systemctl stop firewalld.service
2. Adjust config in /etc/psad/psad.conf if necessary
3. Add -j LOG entries to INPUT and FORWARD iptables chains
4. run: fwcheck_psad
5. check result in root email and or in /var/log/psad/fw_check

Actual results:
I get an error saying there is no default logging rule.

Expected results:
That the ruleset is present and the firewall config is a success.

Additional info:
As a work around, I renamed the firewall-cmd executable:

mv /usr/bin/firewall-cmd /usr/bin/firewall-cmd.orig

After that, fwcheck_psad now works.

The problem is that the fwcheck_psad script and perl-IPTables-Parse only check for the presence of firewall-cmd, not to see if it actually works (the firewalld service is running). Therefore it fails.

whois.c:1159]: (style) Checking if unsigned variable 'a' is less than zero.

Source code is

a = strtol(s, &endptr, 10);
if (errno || a < 0 || a > 255 || *endptr != '.')

whois.c:1164]: (style) Checking if unsigned variable 'b' is less than zero.

whois.c:1169]: (style) Checking if unsigned variable 'c' is less than zero.

Duplicates.

Wolfgang Breyha reported that IGNORE_INTERFACES doesn't allow VLAN interface or interface aliases like "eth1.2" and submitted a patch. This will be fixed in psad-2.2.2.

This is under Alpine Linux (without systemd / firewalld / journald)

The daemon starts ok but running psad -L shows:

[+] Listing chains from IPT_AUTO_CHAIN keywords...

Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 6701.
[*]  -t filter -n -L PSAD_BLOCK_INPUT -v does not look like an iptables command. at /usr/sbin/psad line 6701.

Using version 2.2.5 with the same psad.conf works ok

I have the iptables binary set correctly in psad.conf but it doesn't seem to be picked up:

### system binaries
iptablesCmd      /sbin/iptables;

The quickest way to check this is probably with an Alpine LXC container

Under Alpine Linux / Busybox (without systemd / journalctl) in psad 2.4.3 I see:

root@alpine [/etc/psad]# psad -S
[+] psadwatchd (pid: 20208)
[-] psad: pid file /var/run/psad/psad_fw_read.pid does not exist for psad_fw_read on ..............
[+] psad (pid: 20206)
root@alpine [/etc/psad]# ls /var/run/psad
.  ..  auto_ipt.sock  psad.cmd  psad.pid  psadwatchd.pid

psad -K & psad -R both work but also complain that psad_fw_read.pid does not exist.

I can see ip's are still blocked & system stats can still be viewed with psad -A. These warning messages seem to be false positives on systems without systemd.

From Steve Murphy to the psad mailing list:

I'm writing a network app to mimic the OSSEC
active response feature across multiple hosts,
but without the OSSEC machinery behind it, and
without the per-agent registration.

At any rate, it would be nice if I could execute
an external script from psad, when a block is
inserted in iptables. And it would be nice if the
script were run ONLY when a block was added.

I see the config directives:

ENABLE_EXT_SCRIPT_EXEC
EXTERNAL_SCRIPT
EXEC_EXT_SCRIPT_PER_ALERT

and I see that EXTERNAL_SCRIPT replaces SRCIP in the
command string. Too bad DANGERLEVEL isn't also substituted.
There might even be a few more that might be nice to have...

I also see that I get psad-status emails when an IP is banned;
psad-alert messages can come out several times before being banned...

What would you advise me to do, to get the effect I seek from psad? One execution of the external script only when an IP is entered into iptables...

In Alpine Linux with ENABLE_WHOIS_LOOKUPS Y; whois alarms are causing OpenRC to reboot:

root@kvm-wall [~]# tail /var/log/psad/errs/*

==> /var/log/psad/errs/psad.die <==
Mon Jun 29 17:08:31 2015 psad v2.4.1 pid: 1966 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 5.
Mon Jun 29 17:46:58 2015 psad v2.4.1 pid: 1807 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 14.
Mon Jun 29 20:56:31 2015 psad v2.4.1 pid: 3004 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 13.
Mon Jun 29 23:54:07 2015 psad v2.4.1 pid: 3118 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 1.

==> /var/log/psad/errs/psad.warn <==
Mon Jun 29 17:08:31 2015 psad v2.4.1 pid: 1966 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 5.
Mon Jun 29 17:46:58 2015 psad v2.4.1 pid: 1807 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 14.
Mon Jun 29 20:56:31 2015 psad v2.4.1 pid: 3004 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 13.
Mon Jun 29 23:54:07 2015 psad v2.4.1 pid: 3118 whois alarm at /usr/sbin/psad line 7382, <$fwdata_fh> line 1.

root@kvm-wall [~]# grep -B 1 "kern.notice kernel: klogd: exiting" /var/log/messages
Jun 29 17:08:31 kvm-wall daemon.info init: starting pid 2063, tty '': '/sbin/rc shutdown'
Jun 29 17:08:31 kvm-wall kern.notice kernel: klogd: exiting
--
Jun 29 17:46:58 kvm-wall daemon.info init: starting pid 1863, tty '': '/sbin/rc shutdown'
Jun 29 17:46:58 kvm-wall kern.notice kernel: klogd: exiting
--
Jun 29 20:56:31 kvm-wall daemon.info init: starting pid 3052, tty '': '/sbin/rc shutdown'
Jun 29 20:56:31 kvm-wall kern.notice kernel: klogd: exiting
--
Jun 29 23:54:07 kvm-wall daemon.info init: starting pid 3189, tty '': '/sbin/rc shutdown'
Jun 29 23:54:07 kvm-wall kern.notice kernel: klogd: exiting

The BusyBox whois options are as follows:

root@kvm-wall [~]# whois --help
BusyBox v1.23.2 (2015-04-24 16:34:36 GMT) multi-call binary.

Usage: whois [-h SERVER] [-p PORT] NAME...

Query WHOIS info about NAME

    -h,-p   Server to query

In the above logs whois lookups were disabled for the 3 hours between 9pm & midnight.

psad --debug :

Linux (removed) 3.18.14-1-grsec #2-Alpine SMP Mon May 25 07:19:17 GMT 2015 i686 Linux

[+] perl info:
[+] run_command(): perl -V
Summary of my perl5 (revision 5 version 20 subversion 2) configuration:

  Platform:
    osname=linux, osvers=3.10.33-0-grsec, archname=i686-linux-thread-multi
    uname='linux build-3-2-x86 3.10.33-0-grsec #1-alpine smp fri mar 7 14:24:31 utc 2014 i686 linux '
    config_args='-des -Dcccdlflags=-fPIC -Dcccdlflags=-fPIC -Dccdlflags=-rdynamic -Dprefix=/usr -Dprivlib=/usr/share/perl5/core_perl -Darchlib=/usr/lib/perl5/core_perl -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5/vendor_perl -Dvendorarch=/usr/lib/perl5/vendor_perl -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5/site_perl -Dsitearch=/usr/local/lib/perl5/site_perl -Dlocincpth=  -Doptimize=-Os -fomit-frame-pointer -Duselargefiles -Dusethreads -Duseshrplib -Dd_semctl_semun -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dinstallman1dir=/usr/share/man/man1 -Dinstallman3dir=/usr/share/man/man3 -Dman1ext=1 -Dman3ext=3pm -Dinc_version_list= -Dcf_by=Alpine -Ud_csh -Dusenm'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-Os -fomit-frame-pointer',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector'
    ccversion='', gccversion='4.9.2', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/include/fortify /usr/lib /usr/local/lib /lib
    libs=-ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/usr/lib/libc.a, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic -Wl,-rpath,/usr/lib/perl5/core_perl/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -Os -fomit-frame-pointer -L/usr/local/lib -fstack-protector'

Characteristics of this binary (from libperl): 
  Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
                        PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP
                        PERL_NEW_COPY_ON_WRITE PERL_PRESERVE_IVUV
                        USE_ITHREADS USE_LARGE_FILES USE_LOCALE
                        USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
                        USE_REENTRANT_API

Is there any other information I can provide to help solve this issue ?

PSAD still depends on the netstat command (from net-tools) and should support using ss (from iproute2) when net-tools is not installed.

net-tools are obsolete since 2009 and applications should switch to iproute2. Major distributions are using iproute2 and some, including RHEL7 don't install net-tools by default anymore. See also this LWN article.

Some headway has been made towards detecting scans and Snort signature matches that are delivered over IPv6 (and logged via ip6tables), but there is work left to do.

I have noemail set in alerting method because i only want syslog messages. Psad dont write syslog messages if noemail is set. If i leave it to default ALL it writes syslog messages again.

All auto-blocking operations in psad should support ipset on Linux systems.

Recently I ran into a rather interesting problem:
I can't seem to be able to flush the blocked IP, if I issue psad -F, the chains quickly gets flushed, however the blocked IPs immediately become blocked again. However if I were to remove status.out, then flush, the chains gets flushed and it stays clean.

I am on the latest commit of psad, and my system is:

─ »»» sudo psad -V
[+] psad v2.4.1 by Michael Rash [email protected]

─ »»» uname -a
Linux Hao 4.0.0-pf5-hao #2 SMP Sun Jun 7 00:39:15 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

─ »»» lsb_release -a
LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch:core-4.1-amd64:core-4.1-noarch:security-4.0-amd64:security-4.0-noarch:security-4.1-amd64:security-4.1-noarch
Distributor ID: Ubuntu
Description: Ubuntu Wily Werewolf (development branch)
Release: 15.10
Codename: wily