Psad Installation and Configuration

This document provides instructions for installing and configuring Psad and Fwsnort intrusion detection systems on a Linux system. It describes downloading and installing Psad and Fwsnort using RPM packages, editing configuration files, enabling automatic signature and firewall rule updates via cronjobs, and testing the systems. The document also explains how to whitelist IP addresses and configure special danger levels to allow security scans from authorized hosts like Nmap/Nessus servers.

Uploaded by Sharjeel Sayed
© Attribution Non-Commercial (BY-NC)

Reference: http://www.cipherdyne.org/psad/

# Download the latest version of psad from
# http://www.cipherdyne.org/psad/download/

cd /tmp
wget http://www.cipherdyne.org/psad/download/psad-2.1-1.i386.rpm
rpm -Uvh psad-2.1-1.i386.rpm
rm -rf psad-2.1-1.i386.rpm
cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
vi /etc/psad/psad.conf

# Adjust the values as shown

######
EMAIL_ADDRESSES [email protected], [email protected];
HOSTNAME vend-x.com;
# If there is only one network interface on the box, then just set this variable to "NOT_USED".
HOME_NET NOT_USED;
# Danger level at which an alert is mailed (1 = mail on every detected scan).
EMAIL_ALERT_DANGER_LEVEL 1;
# Automatically block scanning hosts with iptables once they reach AUTO_IDS_DANGER_LEVEL.
# Level 1 is aggressive (psad ships with 5), so whitelist authorised scanners in
# /etc/psad/auto_dl before enabling this.
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 1;
# Archive scan data instead of discarding it; prune the archive with a cronjob (see below).
ENABLE_SCAN_ARCHIVE Y;
# Stop writing scan data once the disk is this full.
DISK_MAX_PERCENTAGE 85;
# Do not flush existing iptables rules when psad starts.
FLUSH_IPT_AT_INIT N;
#######

Automate Signature Updates

crontab -e

###
# Pull new signatures nightly and restart psad so it loads them
0 0 * * * /usr/sbin/psad --sig-update && /sbin/service psad restart
###

# Ensure that /bin/mail exists or create an appropriate symbolic link /bin/mail
# pointing to your mail executable (psad.conf also lets you set the path
# explicitly through its mailCmd variable), e.g.
ln -s /usr/lib/sendmail /bin/mail

/etc/rc.d/init.d/psad start
/usr/sbin/psad --sig-update
/sbin/chkconfig psad on

# Check psad statistics after 5-10 mins by running this command

/usr/sbin/psad --Status

# Set up a cronjob to delete psad scan archive directories older than 7 days

crontab -e

# -mindepth 1 keeps find from ever returning (and removing) scan_archive itself
0 0 * * * find /var/log/psad/scan_archive -mindepth 1 -type d -mtime +7 | xargs rm -rf

# Fwsnort Installation

Reference: http://www.cipherdyne.org/fwsnort
# Download fwsnort from http://www.cipherdyne.org/fwsnort/download/

cd /tmp

wget http://www.cipherdyne.com/fwsnort/download/fwsnort-1.0.4.tar.gz

tar zxvf fwsnort-1.0.4.tar.gz

cd /tmp/fwsnort-1.0.4

perl install.pl
cp -a /etc/fwsnort/fwsnort.conf /etc/fwsnort/fwsnort.conf.orig

vi /etc/fwsnort/fwsnort.conf

######
# Modify the uname location as follows
unameCmd /bin/uname;
######

/usr/sbin/fwsnort --no-ipt-sync --verbose

# Check log file for errors and correct accordingly


tail -f /var/log/fwsnort.log

# If you encounter the following errors in the log

###
# [*] It does not appear that string match support has been compiled into
#     Netfilter. Fwsnort will not be of very much use without this.
#     ** NOTE: If you want to have fwsnort generate a Netfilter policy
#     anyway, specify the --no-ipt-test option. Exiting.
# [-] Netfilter ipv4options extension not available, disabling ipopts translation.
###

# then run this

# Update signatures
/usr/sbin/fwsnort --update-rules

# Then run this. --no-ipt-test only skips the capability check: rules that need
# Netfilter string matching are still ineffective without that support, so
# confirm that the generated script loads without iptables errors.
/usr/sbin/fwsnort --no-ipt-test --verbose

# Run the generated Netfilter script

/etc/fwsnort/fwsnort.sh

# Enable auto-update of firewall rules (regenerate and reload the Netfilter script nightly,
# after the signature update below has run)

crontab -e

1 1 * * * /usr/sbin/fwsnort --no-ipt-test --verbose > /dev/null 2>&1 && sh /etc/fwsnort/fwsnort.sh > /dev/null 2>&1

# Enable auto-update of fwsnort signatures


crontab -e

0 0 * * * /usr/sbin/fwsnort --update-rules

/etc/rc.d/init.d/psad restart

# Clean up the fwsnort source downloaded above
rm -rf /tmp/fwsnort-1.0.4.tar.gz
rm -rf /tmp/fwsnort-1.0.4

# Enabling whitelisting and special danger levels for IPs and ports

Edit /etc/psad/auto_dl to whitelist hosts or to assign them an elevated danger level.

# E.g. add the IP address of the Nmap/Nessus server to /etc/psad/auto_dl before
starting the Nessus scan; with AUTO_IDS_DANGER_LEVEL set to 1 as above, an
un-whitelisted scanner would otherwise be blocked automatically. Please ensure
that you restart psad after adding the IP address.
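A shell helper for the auto_dl step above, added here as an example and not part of the original page or of psad itself. It assumes the entry format documented in psad's auto_dl header ("<ip>[/<mask>]  <danger level>;", level 0 = ignore the host), uses constructed RFC 5737 addresses, and takes the file path as a parameter so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not from the original page: manage entries in psad's
# /etc/psad/auto_dl from the shell. Each entry is "<ip>[/<mask>]  <level>;",
# where level 0 tells psad to ignore the host (whitelist) and 1-5 assigns a
# fixed danger level. The file path is a parameter so the functions can be
# exercised on a scratch copy before the live file is touched.

AUTO_DL=${AUTO_DL:-/etc/psad/auto_dl}

# auto_dl_set <ip-or-cidr> <level 0-5> [file]
# Adds or replaces the entry for one host; comments and other hosts are kept.
auto_dl_set() {
    ip=$1; level=$2; file=${3:-$AUTO_DL}
    # Reject anything beyond dotted-quad/CIDR characters, so a stray shell
    # metacharacter can never land in a root-owned config file.
    case $ip in
        ""|*[!0-9./]*) echo "auto_dl_set: bad address '$ip'" >&2; return 1 ;;
    esac
    case $level in
        [0-5]) ;;
        *) echo "auto_dl_set: danger level must be 0-5" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        awk -v ip="$ip" '$1 != ip' "$file" > "$tmp"   # drop any old line for host
    else
        : > "$tmp"
    fi
    printf '%s  %s;\n' "$ip" "$level" >> "$tmp"
    mv "$tmp" "$file"
}

# auto_dl_level <ip-or-cidr> [file]: prints the configured level, or nothing.
auto_dl_level() {
    awk -v ip="$1" '$1 == ip { sub(/;$/, "", $2); print $2 }' "${2:-$AUTO_DL}"
}

# Typical use before an authorised Nmap/Nessus run (constructed address);
# psad must be restarted afterwards, as the page notes:
#   auto_dl_set 203.0.113.10 0 && /sbin/service psad restart
```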
