The most interesting section of the psad alert for the WEB-PHP Setup.php access attack begins at © above. This section indicates that psad noticed the string  SID2281 ESTAB and has mapped it to the appropriate Snort rule. Because psad maintains an in-memory notion of all Snort rule class types, message fields, and content strings, it deduces that the offending packet corresponds to the WEB-PHP Setup.php access rule in the web-application-activity class and must have contained the string /Setup.php.
NOTE By itself, iptables has no mechanism via the LOG target for reporting the actual content of a packet, and as noted in Chapter 10, it is not generally feasible to simply put content strings within the log prefix due to the 29-character limit on prefix string length. It is also not a good idea to include binary packet data within syslog messages.
Was this article helpful?