Scribd Logo
Upload

Welcome to Scribd!

  • Psad Installation and Configuration

    Uploaded by

    Sharjeel Sayed
    2K views3 pages
    Psad installation and configuration Reference: # Download the latest version of pssad from cd / tmp wget. # Adjust the values as shown. # Automate Signature Updates crontab -e ### # Ensure that / bin / mail exists or create an appropriate symbolic link to your mail executable eg.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Psad installation and configuration Reference: # Download the latest version of pssad from cd / tmp wget. # Adjust the values as shown. # Automate Signature Updates crontab -e ### # Ensure that / bin / mail exists or create an appropriate symbolic link to your mail executable eg.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    2K views3 pages

    Psad Installation and Configuration

    Uploaded by

    Sharjeel Sayed
    Psad installation and configuration Reference: # Download the latest version of pssad from cd / tmp wget. # Adjust the values as shown. # Automate Signature Updates crontab -e ### # Ensure that / bin / mail exists or create an appropriate symbolic link to your mail executable eg.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    Psad installation and configuration

    Reference: http://www.cipherdyne.org/psad/

    # Download the latest version of psad from


    http://www.cipherdyne.org/psad/download/

    cd /tmp

    wget http://www.cipherdyne.org/psad/download/psad-2.1-1.i386.rpm

    rpm -Uvh psad-2.1-1.i386.rpm


    rm -rf psad-2.1-1.i386.rpm
    cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
    vi /etc/psad/psad.conf

    # Adjust the values as shown

    ######
    EMAIL_ADDRESSES you@domain1.com, you@domain2.com;
    HOSTNAME vend-x.com;
    # If there is only one network interface on the box, then just set this variable
    to "NOT_USED".
    HOME_NET NOT_USED;
    EMAIL_ALERT_DANGER_LEVEL 1;
    ENABLE_AUTO_IDS Y;
    AUTO_IDS_DANGER_LEVEL 1;
    ENABLE_SCAN_ARCHIVE Y;
    DISK_MAX_PERCENTAGE 85;
    FLUSH_IPT_AT_INIT N;
    #######

    Automate Signature Updates

    crontab -e

    ###
    0 0 * * * /usr/sbin/psad -sig-update && /sbin/service psad restart
    ###

    # Ensure that /bin/mail exists or create an appropriate symbolic link /bin/mail


    poiting to your mail executable
    eg.
    ln -s /usr/lib/sendmail /bin/mail

    /etc/rc.d/init.d/psad start

    /usr/sbin/psad -sig-update

    /sbin/chkconfig psad on

    # Check psad statistics after 5-10 mins by running this command

    /usr/sbin/psad --Status

    # Setup Cronjob to delete Psad scan archive older than 7 days


    crontab -e

    0 0 * * * find /var/log/psad/scan_archive -type d -mtime +7 | xargs rm -rf

    # Fwsnort Installation

    Reference: http://www.cipherdyne.org/fwsnort
    # Download fwsnort from http://www.cipherdyne.org/fwsnort/download/

    cd /tmp

    wget http://www.cipherdyne.com/fwsnort/download/fwsnort-1.0.4.tar.gz

    tar zxvf fwsnort-1.0.4.tar.gz

    cd /tmp/fwsnort-1.0.4

    perl install.pl
    cp -a /etc/fwsnort/fwsnort.conf /etc/fwsnort/fwsnort.conf.orig

    vi /etc/fwsnort/fwsnort.conf

    ######
    # Modify the uname location as follows
    unameCmd /bin/uname;
    ######

    /usr/sbin/fwsnort --no-ipt-sync --verbose

    # Check log file for errors and correct accordingly


    tail -f /var/log/fwsnort.log

    #If you encounter the following errors


    ###
    #[*] It does not appear that string match support has been compiled into
    # Netfilter. Fwsnort will not be of very much use without this.
    # ** NOTE: If you want to have fwsnort generate a Netfilter policy
    # anyway, specify the --no-ipt-test option. Exiting.
    #[root@extranet tmp]# tail -f /var/log/fwsnort.log
    #[-] Netfilter ipv4options extension not available, disabling ipopts translation.

    # then run this

    # Update signatures
    /usr/sbin/fwsnort --update-rules

    #Then run this


    /usr/sbin/fwsnort --no-ipt-test --verbose

    # Run the generated Netfilter script

    /etc/fwsnort/fwsnort.sh

    # Enable auto-update of firewall rules


    crontab -e

    1 1 * * * /usr/sbin/fwsnort --no-ipt-test --verbose > /dev/null 2>&1 && sh


    /etc/fwsnort/fwsnort.sh > /dev/null 2>&1

    # Enable auto-update of fwsnort signatures


    crontab -e

    0 0 * * * /usr/sbin/fwsnort --update-rules

    /etc/rc.d/init.d/psad restart

    rm -rf /tmp/fwsnort-0.8.1.tar.gz
    rm -rf /tmp/fwsnort-0.8.1

    # Enabling whitelisting and Special danger levels for IPs and Port.

    Edit the /etc/psad/auto_dl for whitelisting or setting up an elevated danger zone.

    # Eg. Add the IP address of the nmap/nessus server in the /etc/psad/auto_dl file
    before starting the nessus scan.Please ensure that you restart psad after adding
    the IP address.

    You might also like