Psad Operations Detecting Suspicious Traffic

In this chapter we'll concentrate on the analysis of iptables logs that are generated without the use of the iptables string match extension. We'll focus our energies on the detection of malicious network traffic by examining network and transport layer headers instead of looking at the application layer. In Chapter 11, we'll make heavy use of the string match extension to move us into the realm of detecting application layer attacks, but for now we will showcase—by parsing iptables log messages—how psad can detect port scans, probes for backdoors, and other suspicious traffic.

This chapter is designed to introduce you to operational aspects of psad, including attack detection and alerting. More advanced topics, such as signature detection, operating system fingerprinting, and DShield reporting are covered in Chapter 7, and the usage of psad as an active response tool is covered in Chapters 8 and 11. We begin by showing a selection of attacks and suspicious traffic that psad can detect just by monitoring iptables log messages.

Port Scan Detection with psad

Although many attacks today have moved into the application layer, a significant number of suspicious activities still manifest themselves at the transport layer and below.

Any complete implementation of the TCP/IP suite is a large and complicated batch of code, and this complexity makes it an attractive target for everything from reconnaissance efforts to Denial of Service attacks. This section will illustrate several attacks and probes against the iptablesfw Linux system and will reference the network diagram in Figure 1-2 (duplicated below as Figure 6-1). This time, psad is also deployed on the iptablesfw system along with the default policy built by the script discussed in Chapter 1, which is available at All attacks discussed in this section are sent against the iptablesfw system with the iptables policy active in the kernel. The default log stance of this policy is all that psad requires in order to detect suspicious activity; no additional iptables features (such as string matching) are required.

Figure 6-1: Default network diagram

Port scans are an important technique for interrogating remote targets, and psad was developed primarily with the goal of providing advanced port scan detection for Linux systems. The first order of business in this section is to illustrate various types of port scans and see how they appear in your iptables logs.

As in Chapter 3, we again use Nmap to port scan a system. This time, however, the scan target is running psad so that the iptables logs can be analyzed. We will use Nmap to generate the following types of port scans, and then we'll see how psad can detect them:

• TCP connect() scan
• TCP FIN, XMAS, and NULL scans

NOTE See Chapter 3 for technical descriptions of these scanning techniques.

Each scan is launched from the ext_scanner system as shown in Figure 6-1 against the external 71.157.XX IP address of the iptables firewall. Before sending the first scan, we make sure that psad is running on the iptables firewall with the default DANGER_LEVEL{n} settings in the /etc/psad/psad.conf file:

[iptablesfw]# /etc/psad/init.d/psad start
Starting psad ... [ ok ]


For most of the scan examples in this section, the Nmap timing options (such as -T and --max-rtt-timeout) can affect how fast Nmap is able to scan the target. Because iptables severely restricts the responses that the local stack can send to each scan probe, you can limit the amount of time Nmap waits for responses that will never come. For example, when Nmap sends a SYN packet to port 5000, iptables drops it, and so the SYN/ACK or RST/ACK expected by Nmap is never sent by the targeted stack. By shortening the time Nmap waits for this response (with the --max-rtt-timeout option), we can reduce the overall time needed to scan the system. (One way to determine a good upper bound on the --max-rtt-timeout value is to use the ping utility to measure the round-trip time to the target before starting a scan.)
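As an added illustration (not code from the book or from psad itself) of how scan detection can be driven purely by parsing iptables log messages, the following Python script classifies dropped TCP probes by the flag words in each log line (SYN, FIN, XMAS, NULL), counts unique destination ports per source, and maps that count to a danger level using assumed thresholds standing in for psad's DANGER_LEVEL{n} settings. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Flag words as printed by the iptables LOG target (between RES= and URGP=).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=\S+ .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) "
                    r".*?RES=\S+ (?P<flags>.*?)URGP=")
# Probe names by flag combination (see Chapter 3); anything else is "other".
SCAN_TYPES = {frozenset(): "NULL", frozenset({"FIN"}): "FIN", frozenset({"SYN"}): "SYN",
              frozenset({"URG", "PSH", "FIN"}): "XMAS"}
# Assumed unique-port thresholds for levels 1..5 (real values: DANGER_LEVEL{n} in psad.conf).
DANGER_LEVELS = ((10000, 5), (1500, 4), (150, 3), (15, 2), (5, 1))

def parse_line(line):
    """Return (src, dst_port, frozenset(flags)) for a TCP LOG line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    flags = frozenset(t for t in m.group("flags").split() if t in TCP_FLAGS)
    return m.group("src"), int(m.group("dpt")), flags

def detect_scans(log_text):
    """Aggregate dropped TCP probes per source and assign a danger level."""
    per_src = defaultdict(lambda: {"ports": set(), "types": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, dpt, flags = parsed
            per_src[src]["ports"].add(dpt)
            per_src[src]["types"].add(SCAN_TYPES.get(flags, "other"))
    alerts = {}
    for src, rec in per_src.items():
        level = next((lvl for n, lvl in DANGER_LEVELS if len(rec["ports"]) >= n), 0)
        # FIN/XMAS/NULL probes are never normal connection attempts: alert even on one port.
        if rec["types"] & {"NULL", "XMAS", "FIN"}:
            level = max(level, 1)
        if level:
            alerts[src] = {"level": level, "ports": len(rec["ports"]),
                           "types": sorted(rec["types"])}
    return alerts

def ipt_line(src, dpt, flags):
    # Build a constructed iptables LOG line in the kernel's field order.
    return (f"kernel: DROP IN=eth0 OUT= SRC={src} DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 "
            f"TTL=48 ID=1 PROTO=TCP SPT=40001 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

# Constructed sample (RFC 5737 addresses): a SYN sweep plus XMAS and NULL probes
# from one host, and a single ordinary SYN to port 80 from another.
SAMPLE_LOG = "\n".join(
    [ipt_line("203.0.113.7", p, "SYN") for p in (21, 22, 23, 25, 80, 443, 5000)]
    + [ipt_line("203.0.113.7", 5000, "URG PSH FIN"), ipt_line("203.0.113.7", 5000, "")]
    + [ipt_line("203.0.113.8", 80, "SYN")])
```

Running `detect_scans(SAMPLE_LOG)` reports only 203.0.113.7 (seven ports, SYN/XMAS/NULL probes, level 1); the single SYN from 203.0.113.8 stays below every threshold.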
