1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59
|
This file contains a sample psad alert, and many more examples can be found
here:
http://www.cipherdyne.org/psad/docs/
Here is an example of psad alert (version 2.0.2) for a scan for the
Microsoft VNC service against my Linux box (running kernel 2.6.18):
=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [2] (out of 5)
Scanned tcp ports: [5900: 1 packets]
tcp flags: [SYN: 1 packets, Nmap: -sT or -sS]
iptables chain: INPUT (prefix "DROP"), 1 packets
Source: 71.127.83.44
DNS: static-71-127-83-44.aubnin.fios.verizon.net
Destination: 71.127.x.x
Syslog hostname: minastirith
Current interval: Fri Dec 22 12:10:33 2006 (start)
Fri Dec 22 12:10:38 2006 (end)
Overall scan start: Thu Dec 21 20:37:49 2006
Total email alerts: 36
Complete tcp range: [1433-5900]
chain: interface: tcp: udp: icmp:
INPUT eth0 44 0 0
[+] tcp scan signatures:
"MISC VNC communication attempt"
dst port: 5900 (no server bound to local port)
flags: SYN
psad_id: 100202
chain: INPUT
packets: 1
classtype: attempted-admin
reference: (url) http://isc.sans.org/port_details.php?port=5900
reference: (url) http://secunia.com/advisories/20107
[+] Whois Information:
Verizon Internet Services Inc. VIS-71-96 (NET-71-96-0-0-1)
71.96.0.0 - 71.127.255.255
PORTAL MAGIC FTTP (NET-71-127-83-40-1)
71.127.83.40 - 71.127.83.47
# ARIN WHOIS database, last updated 2006-12-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=
|