Good point, here it is; not too much in the way of changes from a default 
config. 


### psad.conf as posted in this thread (reporter states psad-2.1.5-1 and that it
### is close to the default config). Inline "###" remarks after a value are as
### posted; full-line "###" notes are review annotations and do not change values.
###
### --- Network scope. Both nets are "any", so no local-vs-external distinction
### is made; the *_SERVERS entries further down expand $HOME_NET.
HOME_NET any; 
EXTERNAL_NET any; 
### --- Firewall log matching. FW_MSG_SEARCH is the log-prefix string psad looks
### for; "DROP" means only lines carrying that prefix are considered, so any
### iptables LOG rule must emit it (presumably — confirm against the docs).
FW_SEARCH_ALL Y; 
FW_MSG_SEARCH DROP; 
SYSLOG_DAEMON syslogd; 
### --- Danger level thresholds DL1..DL5, expressed as a packet count (per the
### inline comment on the first line).
DANGER_LEVEL1 5; ### Number of packets. 
DANGER_LEVEL2 15; 
DANGER_LEVEL3 150; 
DANGER_LEVEL4 1500; 
DANGER_LEVEL5 10000; 
CHECK_INTERVAL 5; 
SNORT_SID_STR SID; 
PORT_RANGE_SCAN_THRESHOLD 20; 
### NOTE(review): ENABLE_PERSISTENCE is Y while SCAN_TIMEOUT is 3600 seconds.
### Confirm in the psad documentation whether persistence keeps scan data
### indefinitely regardless of SCAN_TIMEOUT; if it does, in-memory scan state
### only ever grows, which is directly relevant to the memory-growth question
### raised in this thread.
ENABLE_PERSISTENCE Y; 
SCAN_TIMEOUT 3600; ### seconds 
SHOW_ALL_SIGNATURES N; 
ALERTING_METHODS ALL; 
ENABLE_SYSLOG_FILE Y; 
IPT_WRITE_FWDATA N; 
IPT_SYSLOG_FILE /var/log/iptables.log; 
ENABLE_SIG_MSG_SYSLOG Y; 
SIG_MSG_SYSLOG_THRESHOLD 10; 
SIG_SID_SYSLOG_THRESHOLD 10; 
MAX_HOPS 20; 
IGNORE_KERNEL_TIMESTAMP Y; 
IGNORE_CONNTRACK_BUG_PKTS Y; 
### --- Nothing is excluded from analysis: no ignored ports, protocols,
### interfaces or log prefixes, so presumably every matching firewall log line
### is tracked.
IGNORE_PORTS NONE; 
IGNORE_PROTOCOLS NONE; 
IGNORE_INTERFACES NONE; 
IGNORE_LOG_PREFIXES NONE; 
MIN_DANGER_LEVEL 1; 
### E-mail alerts start at danger level 3, capped by EMAIL_LIMIT below.
EMAIL_ALERT_DANGER_LEVEL 3; 
ENABLE_INTF_LOCAL_NETS Y; 
ENABLE_MAC_ADDR_REPORTING N; 
ENABLE_FW_LOGGING_CHECK Y; 
EMAIL_LIMIT 50; 
ENABLE_EMAIL_LIMIT_PER_DST N; 
EMAIL_LIMIT_STATUS_MSG Y; 
ALERT_ALL Y; 
IMPORT_OLD_SCANS N; 
SYSLOG_IDENTITY psad; 
SYSLOG_FACILITY LOG_LOCAL7; 
SYSLOG_PRIORITY LOG_INFO; 
### --- Reporting thresholds for the top-ports/sigs/IP summaries and status output.
TOP_PORTS_LOG_THRESHOLD 500; 
STATUS_PORTS_THRESHOLD 20; 
TOP_SIGS_LOG_THRESHOLD 500; 
STATUS_SIGS_THRESHOLD 50; 
TOP_IP_LOG_THRESHOLD 500; 
STATUS_IP_THRESHOLD 25; 
TOP_SCANS_CTR_THRESHOLD 1; 
### --- DShield submission is disabled. NOTE(review): the alert address below
### looks redacted by the list archive ("repo...") and is not the literal value.
ENABLE_DSHIELD_ALERTS N; 
DSHIELD_ALERT_EMAIL repo...@dshield.org; 
DSHIELD_ALERT_INTERVAL 6; ### hours 
DSHIELD_USER_ID 0; 
DSHIELD_USER_EMAIL NONE; 
DSHIELD_DL_THRESHOLD 0; 
### --- Snort-rule variables. All *_SERVERS are $HOME_NET, i.e. "any" here.
HTTP_SERVERS $HOME_NET; 
SMTP_SERVERS $HOME_NET; 
DNS_SERVERS $HOME_NET; 
SQL_SERVERS $HOME_NET; 
TELNET_SERVERS $HOME_NET; 
### NOTE(review): 64.12.26.14/24 has host bits set for a /24 prefix; check
### whether 64.12.26.0/24 was intended (harmless if the parser masks it, but
### worth confirming so the rule scope is what you expect).
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 
64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; 
HTTP_PORTS 80; 
### "!80" is a negation: shellcode rules apply to every port except 80.
SHELLCODE_PORTS !80; 
ORACLE_PORTS 1521; 
ENABLE_SNORT_SIG_STRICT Y; 
### --- Automatic blocking is disabled (ENABLE_AUTO_IDS N), so the AUTO_* and
### IPT_AUTO_CHAIN* settings below are inert as configured. If it is ever
### enabled, AUTO_IDS_DANGER_LEVEL 5 (the highest level above) is the trigger
### and blocks expire after AUTO_BLOCK_TIMEOUT seconds. Each IPT_AUTO_CHAIN
### entry presumably lists target, direction, table, built-in chain, insert
### position, psad chain name and jump position — verify against the docs.
ENABLE_AUTO_IDS N; 
AUTO_IDS_DANGER_LEVEL 5; 
AUTO_BLOCK_TIMEOUT 3600; 
ENABLE_AUTO_IDS_REGEX N; 
AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes 
ENABLE_RENEW_BLOCK_EMAILS N; 
ENABLE_AUTO_IDS_EMAILS Y; 
IPTABLES_BLOCK_METHOD Y; 
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1; 
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1; 
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1; 
### NOTE(review): FLUSH_IPT_AT_INIT Y presumably flushes psad's own PSAD_BLOCK_*
### chains at startup; confirm it leaves the rest of the ruleset untouched.
FLUSH_IPT_AT_INIT Y; 
IPTABLES_PREREQ_CHECK 1; 
TCPWRAPPERS_BLOCK_METHOD N; 
### --- whois/DNS lookups are rate-limited by these thresholds; the whois
### binary is the whois_psad wrapper listed at the bottom.
WHOIS_TIMEOUT 60; ### seconds 
WHOIS_LOOKUP_THRESHOLD 20; 
DNS_LOOKUP_THRESHOLD 20; 
### --- External script execution is disabled and the script is the no-op
### /bin/true. If this is enabled later, keep the script root-owned and not
### writable by others, since psad would invoke it on alerts.
ENABLE_EXT_SCRIPT_EXEC N; 
EXTERNAL_SCRIPT /bin/true; 
EXEC_EXT_SCRIPT_PER_ALERT N; 
### --- Disk-usage guard for PSAD_DIR: checked every 300 s, acts at 95% full.
DISK_CHECK_INTERVAL 300; ### seconds 
DISK_MAX_PERCENTAGE 95; 
DISK_MAX_RM_RETRIES 10; 
ENABLE_SCAN_ARCHIVE N; 
TRUNCATE_FWDATA Y; 
MIN_ARCHIVE_DANGER_LEVEL 1; 
MAIL_ALERT_PREFIX [psad-alert]; 
MAIL_STATUS_PREFIX [psad-status]; 
MAIL_ERROR_PREFIX [psad-error]; 
MAIL_FATAL_PREFIX [psad-fatal]; 
### NOTE(review): signature updates are fetched over plain HTTP, which gives no
### transport integrity or authenticity for the downloaded rules. Check how the
### update path validates what it fetches, and whether an https URL is offered,
### before relying on it unattended.
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures; 
PSADWATCHD_CHECK_INTERVAL 5; ### seconds 
PSADWATCHD_MAX_RETRIES 10; 
### --- Directory layout; later entries are built from these variables.
PSAD_DIR /var/log/psad; 
PSAD_RUN_DIR /var/run/psad; 
PSAD_FIFO_DIR /var/lib/psad; 
PSAD_LIBS_DIR /usr/lib/psad; 
PSAD_CONF_DIR /etc/psad; 
PSAD_ERR_DIR $PSAD_DIR/errs; 
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive; 
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive; 
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis; 
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules; 
### --- Data and state files.
FW_DATA_FILE $PSAD_DIR/fwdata; 
ULOG_DATA_FILE $PSAD_DIR/ulogd.log; 
FW_CHECK_FILE $PSAD_DIR/fw_check; 
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email; 
SIGS_FILE $PSAD_CONF_DIR/signatures; 
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types; 
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl; 
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl; 
POSF_FILE $PSAD_CONF_DIR/posf; 
P0F_FILE $PSAD_CONF_DIR/pf.os; 
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options; 
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo; 
### Files psad would edit for tcpwrappers blocking and syslog setup; only
### consulted per the block/syslog settings above (tcpwrappers is off here).
ETC_HOSTS_DENY_FILE /etc/hosts.deny; 
ETC_SYSLOG_CONF /etc/syslog.conf; 
ETC_RSYSLOG_CONF /etc/rsyslog.conf; 
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf; 
ETC_METALOG_CONF /etc/metalog/metalog.conf; 
STATUS_OUTPUT_FILE $PSAD_DIR/status.out; 
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out; 
INSTALL_LOG_FILE $PSAD_DIR/install.log; 
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid; 
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd; 
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid; 
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid; 
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables; 
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr; 
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock; 
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog; 
PRINT_SCAN_HASH $PSAD_DIR/scan_hash; 
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward; 
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr; 
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports; 
TOP_SIGS_FILE $PSAD_DIR/top_sigs; 
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers; 
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr; 
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr; 
IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout; 
IPT_ERROR_FILE $PSAD_DIR/psad.ipterr; 
### --- Absolute paths of the external binaries psad executes. Keep them
### root-owned and not writable by others: the daemon presumably runs with
### enough privilege to manage iptables, so a substituted binary would run with
### that privilege.
iptablesCmd /sbin/iptables; 
shCmd /bin/sh; 
wgetCmd /usr/bin/wget; 
gzipCmd /bin/gzip; 
mknodCmd /bin/mknod; 
psCmd /bin/ps; 
mailCmd /bin/mail; 
sendmailCmd /usr/sbin/sendmail; 
ifconfigCmd /sbin/ifconfig; 
killallCmd /usr/bin/killall; 
netstatCmd /bin/netstat; 
unameCmd /bin/uname; 
whoisCmd /usr/bin/whois_psad; 
dfCmd /bin/df; 
fwcheck_psadCmd /usr/sbin/fwcheck_psad; 
psadwatchdCmd /usr/sbin/psadwatchd; 
kmsgsdCmd /usr/sbin/kmsgsd; 
psadCmd /usr/sbin/psad; 



----- "William Maddler" <n...@maddler.net> wrote: 
> On 04/03/2010 01:56, Rodney McKee wrote: 
> > Ok, this short sample of figures taken at 30-second intervals would 
> > indicate steady growth in memory usage. 
> > 
> > metric: proc.memory.size 
> > host: localhost 
> > semantics: instantaneous value 
> > units: Kbyte 
> > samples: all 
> > 
> [...] 
> 
> Knowing what your configuration looks like could help... ;) 
> 
> William 
> 
> > 
> > ----- "Rodney McKee" <rmc...@aconex.com> wrote: 
> >> 
> >> What a detailed email :-( 
> >> 
> >> Just collecting some additional memory stats to see what the rate of 
> > growth is. 
> >> The version of psad is psad-2.1.5-1 
> >> 
> >> 
> > 
> > 
> > 
> 
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
