Forensics Mode

Many people have old syslog files that contain iptables log data lying around on their systems. By using psad in forensics mode, these old logfiles can be used to inform you of suspicious traffic that took place in the past against your system. This information can become particularly helpful if you are trying to track down a real intrusion and want to see what IP addresses may have been scanning your system around the time of a compromise. To run psad in forensics mode, use the -A command-line switch as shown in bold in Listing 7-2 (some output has been abbreviated):

[iptablesfw]# psad -A

[+] Entering analysis mode. Parsing /var/log/messages
[+] Found 8804 iptables log messages out of 10000 total lines.
[+] Processed 1600 packets...
[+] Processed 8800 packets...
[+] Assigning scan danger levels...
    Level 1: 3 IP addresses
    Level 2: 214 IP addresses
    Level 3: 3 IP addresses
    Level 4: 2 IP addresses
    Level 5: 0 IP addresses

Tracking 222 total IP addresses

Listing 7-2: psad forensics output

The output in Listing 7-2 includes information to inform you of the total number of iptables log messages psad parsed from the logfile. The output also lists the total number of IP addresses for each of the five danger levels. The remainder of the forensics output (not displayed here, for brevity) is similar to the --Status output from the previous section. This includes verbose information about the top scanned ports, top attackers, signature matches, and more.
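As an added example (not code from the book or from psad itself), the following Python pass computes the same summary counters psad -A reports from a syslog excerpt: total lines read, iptables log messages found, source IPs tracked, and the number of IPs at each danger level. The log lines are constructed, and the packet-count thresholds behind the danger levels are an assumption for illustration; psad derives its own levels from its configuration and from signature matches.

```python
import re
from collections import defaultdict
# Fields written by the iptables LOG target; only SRC, PROTO and DPT are used here.
IPT_RE = re.compile(r"\bIN=\S*\s+OUT=\S*\s.*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s.*?"
                    r"\bPROTO=(?P<proto>[A-Z0-9]+)(?:\s.*?\bDPT=(?P<dpt>\d+))?")
# Assumed packet-count floors per danger level (illustrative, not psad's own values).
LEVEL_FLOORS = [(5, 1500), (4, 150), (3, 15), (2, 5), (1, 1)]
def danger_level(packet_count):
    """Map a per-source packet count to a danger level from 1 to 5 (0 if none)."""
    for level, floor in LEVEL_FLOORS:
        if packet_count >= floor:
            return level
    return 0

def analyze_syslog(lines):
    """Compute the summary counters that psad -A prints from a syslog excerpt."""
    total = matched = 0
    packets = defaultdict(int)   # source IP -> packets logged by iptables
    ports = defaultdict(set)     # source IP -> distinct destination ports hit
    for line in lines:
        total += 1
        m = IPT_RE.search(line)
        if not m:
            continue             # ordinary syslog line, not an iptables message
        matched += 1
        src = m.group("src")
        packets[src] += 1
        if m.group("dpt"):
            ports[src].add(int(m.group("dpt")))
    levels = {lvl: 0 for lvl in range(1, 6)}
    for count in packets.values():
        levels[danger_level(count)] += 1
    return {"total_lines": total, "iptables_messages": matched,
            "tracked_ips": len(packets), "levels": levels,
            "ports_by_src": {s: sorted(p) for s, p in ports.items()}}

def _ipt(src, proto_fields):
    # One constructed iptables LOG line (RFC 5737 addresses, not a real capture).
    return ("Jul 10 14:02:13 iptablesfw kernel: DROP IN=eth0 OUT= SRC=%s "
            "DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF %s URGP=0" % (src, proto_fields))
# Constructed syslog excerpt: two ordinary messages plus seven iptables drops.
SAMPLE_LOG = [
    "Jul 10 14:02:11 iptablesfw sshd[1201]: Accepted publickey for admin from 192.0.2.20",
    *[_ipt("203.0.113.5", "PROTO=TCP SPT=43210 DPT=%d SYN" % p) for p in (22, 80, 443, 8080, 3306)],
    _ipt("198.51.100.7", "PROTO=TCP SPT=51515 DPT=22 SYN"),
    _ipt("192.0.2.99", "PROTO=ICMP TYPE=8 CODE=0"),
    "Jul 10 14:05:01 iptablesfw CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
]
print(analyze_syslog(SAMPLE_LOG))
```

To run it over a real archived logfile, pass `open("/path/to/old/messages")` to analyze_syslog in place of SAMPLE_LOG.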

By default, when in forensics mode, psad parses iptables log messages out of the /var/log/messages file. You can change this path with the -m command-line argument like so:

NOTE In Chapter 14, we will use psad to analyze and visualize some of the iptables log data from the Honeynet Project (http://www.honeynet.org).
