The /etc/psad/signatures file contains a set of about 200 slightly modified Snort rules. These rules represent attacks that psad is able to detect directly from iptables log messages. None of these rules require application layer tests against network traffic—fwsnort runs application layer tests (see Chapters 9 and 10). An example rule from this file is the following:
alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1029 (msg:"MISC Windows popup spam attempt"; classtype:misc-activity; reference:url,www.linklogger.com/ UDPl026.htm; psad_dsize:>100; psad_id:100196; psad_dl:2;)
The fields in bold above are custom fields added to the Snort rules language by psad. In this case, the psad_dsize field requires the data portion of the UDP packet to be larger than 100 bytes, the psad_id field defines a unique ID for this rule, and the psad_dl field tells psad to assign a danger level of two to any IP address that triggers this signature. A complete discussion of the modifications psad makes to the Snort rules language is provided in Chapter 7.
Was this article helpful?