To have a look at the inner workings of psad as it monitors iptables log messages, run psad in a highly verbose mode with the --debug switch:
[iptablesfw]# psad --debug
This instructs psad to not become a daemon; it can then display information on STDERR as it runs. This information includes everything from MAC addresses to passive OS fingerprinting information. Here's a sample of this output:
Jul 11 16:21:31 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:90:1a:a0:1c:ec:08:00 SRC=12.17.X.X DST=71.157.X.X LEN=64 TOS=0x00 PREC=0x00 TTL=43 ID=38577 DF PROTO=TCP SPT=38970 DPT=12754 WINDOW=53760 RES=0x00 SYN URGP=0 OPT (020405B4010303030101080A000000000000000001010402)
[+] src mac addr: 00:90:1a:a0:1c:ec
[+] dst mac addr: 00:13:d3:38:b6:e4
[+] valid packet: 12.17.X.X (38970) -> 71.157.X.X (12754) tcp
[+] assign_auto_danger_level() returned: -1
[+] p0f(): 22.214.171.124 len: 64, frag_bit: 1, ttl: 43, win: 53760
[+] MSS: 1460, NOP, Win Scale: 3, NOP, NOP, Timestamp: 0, NOP, NOP, SACK
[+] match_snort_keywords()
[+] packet matched matched tcp keywords for sid: 247 (psad_id: 100011)
"DDOS mstream client to handler"
[+] match_snort_keywords()
[+] match_snort_keywords()
[+] assign_danger_level(): source IP: 12.17.X.X (dl: 0)
[+] assign_danger_level(): DL (after assignment) = 2
[+] scan_logr(): source IP: 12.17.X.X
[+] scan_logr(): dst IP: 71.157.X.X
[+] scan_logr_signatures(): src: 12.17.X.X dst: 71.157.X.X proto: tcp
[+] MAIN: number of new packets: 0
The original iptables log message is printed first by psad, so that you can see the data source psad analyzes in the remainder of the output. The valid packet line indicates that the iptables log message is intact and contains all expected header fields (in this case, for a TCP packet). Next the passive OS fingerprinting algorithm (p0f) is executed, and then psad determines that the TCP packet matches the DDOS mstream client to handler signature from the /etc/psad/signatures file. Because of the Snort signature match, psad assigns a danger level of 2 to the source IP address 12.17.X.X, and finally a psad email alert is generated.
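As an added illustration (not psad's own Perl code), the following Python reproduces the first stages of the pipeline shown above: splitting the iptables log line into fields, pulling the source and destination MACs out of the MAC= field, checking that the TCP header fields are all present (the "valid packet" test), and decoding the OPT hex blob into the MSS/NOP/Win Scale/Timestamp/SACK list the p0f stage prints. The sample log line and its addresses are constructed, and the required-field list approximates psad's check rather than copying it.

```python
import re
# Constructed sample in the format psad reads (addresses from documentation ranges).
SAMPLE = ("Jul 11 16:21:31 iptablesfw kernel: DROP IN=eth0 OUT= "
          "MAC=00:13:d3:38:b6:e4:00:90:1a:a0:1c:ec:08:00 SRC=203.0.113.7 DST=198.51.100.9 "
          "LEN=64 TTL=43 ID=38577 DF PROTO=TCP SPT=38970 DPT=12754 WINDOW=53760 SYN "
          "OPT (020405B4010303030101080A000000000000000001010402)")
REQUIRED_TCP = ("SRC", "DST", "LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")  # approximation
FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}            # bare tokens

def parse_iptables_log(line):
    """Split an iptables LOG line into KEY=VALUE fields, bare flags and the MAC pair."""
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)      # TCP options arrive as one hex blob
    fields = {"OPT": m.group(1)} if m else {}
    for tok in (line[:m.start()] if m else line).split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        elif tok in FLAGS:
            fields[tok] = True
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:                # dst MAC (6) + src MAC (6) + ethertype (2)
        fields["dst_mac"] = ":".join(octets[:6])
        fields["src_mac"] = ":".join(octets[6:12])
    return fields

def is_valid_tcp_packet(fields):
    return fields.get("PROTO") == "TCP" and all(k in fields for k in REQUIRED_TCP)

# Option kind -> renderer for its body bytes, matching the names in psad's p0f output.
DECODE = {2: lambda b: "MSS: %d" % int.from_bytes(b, "big"),
          3: lambda b: "Win Scale: %d" % int.from_bytes(b[:1], "big"),
          4: lambda b: "SACK",
          8: lambda b: "Timestamp: %d" % int.from_bytes(b[:4], "big")}

def parse_tcp_options(hexstr):
    data, i, out = bytes.fromhex(hexstr), 0, []
    while i < len(data) and data[i] != 0:          # kind 0 ends the option list
        kind = data[i]
        if kind == 1:                               # NOP carries no length byte
            out.append("NOP")
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):    # malformed option: stop, never spin
            break
        body = data[i + 2:i + length]
        out.append(DECODE.get(kind, lambda b: "opt%d" % kind)(body))
        i += length
    return out
```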
Finally, there are two additional command-line switches that can help you get even more information from psad: -D and --fw-dump. The -D option instructs psad to dump its configuration on STDOUT along with the specifics of the version of Perl on the local system, and the --fw-dump option instructs psad to display the current iptables policy.
NOTE psad is careful not to include sensitive information in the -D or --fw-dump output (including email addresses, DShield usernames, IP addresses, and the like), so you can freely email the output to others for comment. This feature is useful for diagnosing tricky problems related to scan and attack detection because it enables people to work against the same configuration.