I just wanted to report that PSAD was found not running on one of the
servers (a 32-bit version of Linux).
Examining psad -S on another server produces the following:
[/root] psad -S | more
[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on ns3.IT-Security-inc.com
[+] psad (pid: 2677) %CPU: 0.1 %MEM: 0.2
Running since: Sun Sep 28 14:58:16 2014
Command line arguments: [none specified]
Alert email address(es): ad...@abs-comptech.com
[+] Writing 61.160.224.129 to socket; psad will remove the IP within 5 seconds.
[+] Writing 71.6.135.131 to socket; psad will remove the IP within 5 seconds.
[+] Writing 61.160.224.130 to socket; psad will remove the IP within 5 seconds.
[+] Writing 93.174.93.51 to socket; psad will remove the IP within 5 seconds.
[+] Writing 66.240.192.138 to socket; psad will remove the IP within 5 seconds.
[+] Writing 113.108.21.16 to socket; psad will remove the IP within 5 seconds.
[+] Writing 66.240.236.119 to socket; psad will remove the IP within 5 seconds.
[+] Writing 125.64.35.68 to socket; psad will remove the IP within 5 seconds.
[+] Writing 66.35.46.198 to socket; psad will remove the IP within 5 seconds.
[+] Writing 117.21.191.204 to socket; psad will remove the IP within 5 seconds.
[+] Writing 71.6.165.200 to socket; psad will remove the IP within 5 seconds.
[+] Writing 202.109.143.35 to socket; psad will remove the IP within 5 seconds.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
[+] Version: psad v2.2.3
[+] Top 50 signature matches:
"MISC Microsoft SQL Server communication attempt" (tcp), Count: 1864, Unique sources: 650, Sid: 100205
"MISC MS Terminal Server communication attempt" (tcp), Count: 1346, Uniq
I might note that the server which had PSAD fail was experiencing a
HEAVY amount of ntp udp packets. Apparently the shorewall firewall
permitted ntp (udp) packets, and the server was connected as a DDoS
attack previously. If the counter wraps around, what happens to the
program?
Anyway, looking forward to the next update.
Thank you.
--
Albert E. Whale, CEH CHS CISA CISSP
*President - Chief Security Officer*
http://www.IT-Security-inc.com - IT Security, Inc.
Phone: 412-515-3010 | Email: albert.wh...@it-security-inc.com
Cell: 412-889-6870
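The first finding in the status output above (psadwatchd has no pid file, so psad is running without its watchdog) is the kind of thing worth catching before a daemon silently dies. The following health check is an added example for this thread, not code from the post or from the psad project. It assumes only what the `psad -S` output shows: that both daemons write pid files under /var/run/psad as `psad.pid` and `psadwatchd.pid`. `kill -0` can only probe processes you are allowed to signal, so run it as root, as psad itself runs; a process owned by another user would otherwise be reported as stale.

```shell
#!/bin/sh
# psad_health.sh: report whether psad and its watchdog (psadwatchd) are alive,
# using the pid files that `psad -S` itself consults. Added example, not part
# of psad; PID_DIR layout (/var/run/psad/<daemon>.pid) is assumed from the
# status output in the thread.

# psad_daemon_state NAME DIR
#   prints one of: running | missing-pidfile | bad-pidfile | stale-pidfile
#   exit status 0 only when the daemon is running
psad_daemon_state() {
    pidfile="$2/$1.pid"
    if [ ! -f "$pidfile" ]; then
        echo "missing-pidfile"
        return 1
    fi
    pid=$(tr -d '[:space:]' < "$pidfile")
    # refuse anything that is not a plain positive integer (truncated or
    # corrupted pid file); never hand arbitrary content to kill(1)
    case "$pid" in
        ''|*[!0-9]*) echo "bad-pidfile"; return 1 ;;
    esac
    # kill -0 sends no signal; it only checks that the pid exists and that
    # we may signal it (hence: run as root, or as the psad user)
    if kill -0 "$pid" 2>/dev/null; then
        echo "running"
        return 0
    fi
    echo "stale-pidfile"
    return 1
}

# psad_health [DIR]
#   checks both daemons; DIR defaults to /var/run/psad
#   exit status 0 only when psad AND psadwatchd are running
psad_health() {
    dir="${1:-/var/run/psad}"
    rc=0
    for d in psad psadwatchd; do
        state=$(psad_daemon_state "$d" "$dir")
        case "$state" in
            running) echo "[+] $d: running (pid $(tr -d '[:space:]' < "$dir/$d.pid"))" ;;
            *)       echo "[-] $d: $state in $dir"; rc=1 ;;
        esac
    done
    return $rc
}

# only run the check when executed as a script, not when sourced
case "$0" in
    *psad_health*) psad_health "$@" ;;
esac
```

Wire `psad_health` into cron or the monitoring agent and alert on a non-zero exit; a missing or stale psadwatchd pid file means the watchdog that would restart psad is itself gone, which is exactly the state in which psad can be "found not running" with nobody notified.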
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss