Danger Levels

All malicious activity is associated with a danger level by psad so that alerts can be prioritized. Danger levels range from one to five (with five being the worst) and are assigned to each IP address from which an attack or scan is detected. The danger level values are assigned based on three factors: the characteristics of a scan (number of packets, port range, and time interval), whether a specific packet matches a signature defined in the /etc/psad/signatures file, and whether the packet originates from an IP or network listed in the /etc/psad/auto_dl file.

For port scans and their corresponding packet counts, the DANGER_LEVEL{n} variables in the psad.conf file specify the number of packets required to reach each successive danger level:

DANGER_LEVEL1 5;
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
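To show how these thresholds translate packet counts into a danger level, here is an added example (not code from psad or its documentation) that parses the DANGER_LEVEL{n} lines from a constructed psad.conf fragment, counts packets per source address from constructed iptables log lines, and assigns each source the highest level whose threshold it has reached. It models only the packet-count factor; the signature and auto_dl factors described above are not implemented here, and the log line format is an assumption.

```python
import re
from collections import Counter

# Constructed psad.conf fragment using the threshold values quoted above.
PSAD_CONF = """
DANGER_LEVEL1  5;
DANGER_LEVEL2  15;
DANGER_LEVEL3  150;
DANGER_LEVEL4  1500;
DANGER_LEVEL5  10000;
"""

def parse_danger_thresholds(conf_text):
    """Return {level: packet_count} from the DANGER_LEVEL<n> lines of a psad.conf."""
    thresholds = {}
    for m in re.finditer(r"^\s*DANGER_LEVEL(\d)\s+(\d+)\s*;", conf_text, re.M):
        thresholds[int(m.group(1))] = int(m.group(2))
    if sorted(thresholds) != [1, 2, 3, 4, 5]:
        raise ValueError("expected DANGER_LEVEL1 through DANGER_LEVEL5 in config")
    return thresholds

def danger_level(packet_count, thresholds):
    """Highest danger level whose packet threshold has been reached (0 if below level 1)."""
    level = 0
    for lvl in sorted(thresholds):
        if packet_count >= thresholds[lvl]:
            level = lvl
    return level

# Constructed iptables log lines (hypothetical format; only the SRC= field is used).
# 10.0.0.5 probes 20 ports (reaches level 2); 10.0.0.9 sends 3 packets (below level 1).
LOG_LINES = (
    [f"kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT={p} SYN"
     for p in range(1, 21)]
    + [f"kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT={p} SYN"
       for p in (22, 80, 443)]
)

def packets_per_source(lines):
    """Count logged packets per source IP address."""
    counts = Counter()
    for line in lines:
        m = re.search(r"\bSRC=(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            counts[m.group(1)] += 1
    return counts

def rate_sources(lines, conf_text):
    """Map each source IP seen in the log lines to its danger level."""
    thresholds = parse_danger_thresholds(conf_text)
    return {src: danger_level(n, thresholds)
            for src, n in packets_per_source(lines).items()}
```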
