psad -S command doesn't show top 50 signatures
joshlinx opened this issue · 2 comments
After I updated from 2.4.3 to 2.4.4, running psad status no longer shows the top signatures. Below are the status output and the config dump. psad still writes the signatures to /var/log/psad/top_sigs, though.
cat /var/log/psad/top_sigs
Format: "" <num_sources> <sig_proto>
402 "ICMP Destination Unreachable Port Unreachable" 46 46 icmp
100074 "SCAN UPnP communication attempt" 13 13 udp
384 "ICMP PING" 11 9 icmp
100077 "MISC MS Terminal Server communication attempt" 11 9 tcp
100205 "MISC Microsoft SQL Server communication attempt" 6 5 tcp
381 "ICMP PING Sun Solaris" 5 4 icmp
2375 "BACKDOOR DoomJuice file upload attempt" 4 4 tcp
100084 "MISC HP Web JetAdmin communication attempt" 2 2 tcp
100202 "MISC VNC communication attempt" 2 2 tcp
399 "ICMP Destination Unreachable Host Unreachable" 2 2 icmp
100082 "MISC Microsoft PPTP communication attempt" 1 1 tcp
401 "ICMP Destination Unreachable Network Unreachable" 1 1 icmp
510 "POLICY HP JetDirect LCD communication attempt" 1 1 tcp
100210 "PSAD-CUSTOM fwknop Single Packet Authorization (SPA) packet" 1 1 udp
1846 "POLICY vncviewer Java applet communication attempt" 1 1 tcp
[-] psad: pid file /var/run/psad/psad_fw_read.pid does not exist for psad_fw_read on xx.xxx.local
[+] psad (pid: 11550) %CPU: 0.0 %MEM: 1.9
Running since: Tue Feb 21 21:52:44 2017
Command line arguments: [none specified]
Alert email address(es): admin@localhost
[+] Version: psad v2.4.4
[+] Top 50 signature matches:
[NONE]
[+] Top 25 attackers:
101.25.169.106 DL: 2, Packets: 1, Sig count: 1
106.84.91.186 DL: 2, Packets: 1, Sig count: 1
107.179.45.126 DL: 2, Packets: 1, Sig count: 1
108.20.244.36 DL: 2, Packets: 1, Sig count: 1
108.61.184.64 DL: 2, Packets: 1, Sig count: 1
110.181.63.103 DL: 2, Packets: 1, Sig count: 1
110.80.143.150 DL: 2, Packets: 1, Sig count: 1
112.218.1.123 DL: 2, Packets: 1, Sig count: 1
113.231.246.21 DL: 2, Packets: 1, Sig count: 1
114.80.253.90 DL: 2, Packets: 1, Sig count: 1
116.93.254.92 DL: 2, Packets: 1, Sig count: 1
121.183.108.61 DL: 2, Packets: 1, Sig count: 1
123.108.190.212 DL: 2, Packets: 1, Sig count: 1
123.11.38.125 DL: 2, Packets: 1, Sig count: 1
123.151.149.222 DL: 2, Packets: 10, Sig count: 2
124.153.144.199 DL: 2, Packets: 1, Sig count: 1
129.78.96.1 DL: 2, Packets: 2, Sig count: 2
129.82.138.44 DL: 2, Packets: 1, Sig count: 2
139.164.144.97 DL: 2, Packets: 1, Sig count: 1
14.152.95.219 DL: 2, Packets: 1, Sig count: 1
149.11.37.70 DL: 2, Packets: 1, Sig count: 1
171.8.205.208 DL: 2, Packets: 1, Sig count: 1
175.114.33.130 DL: 2, Packets: 1, Sig count: 1
175.205.5.44 DL: 2, Packets: 1, Sig count: 1
[+] Top 20 scanned ports:
tcp 23 396 packets
tcp 5358 78 packets
tcp 7547 44 packets
tcp 80 34 packets
tcp 22 31 packets
tcp 2323 21 packets
tcp 443 16 packets
tcp 35356 15 packets
tcp 3389 13 packets
tcp 3306 7 packets
tcp 8080 7 packets
tcp 1433 6 packets
tcp 10137 6 packets
tcp 8009 4 packets
tcp 3128 4 packets
tcp 2222 4 packets
tcp 21 3 packets
tcp 26197 3 packets
tcp 10706 3 packets
tcp 27017 3 packets
udp 56699 119 packets
udp 51098 108 packets
udp 51097 59 packets
udp 56698 44 packets
udp 5060 35 packets
udp 60329 32 packets
udp 50674 19 packets
udp 1900 13 packets
udp 16403 12 packets
udp 443 5 packets
udp 80 5 packets
udp 35356 5 packets
udp 123 4 packets
udp 161 3 packets
udp 53 3 packets
udp 58337 2 packets
udp 54504 2 packets
udp 60545 2 packets
udp 5071 1 packets
udp 53413 1 packets
[+] iptables log prefix counters:
"DROP PKT": 55740
"INVALID PKT": 1306
[+] psad v2.4.4
[+] /var/log/psad/install.log exists.
[+] Dumping psad config from: /etc/psad/psad.conf
AIM_SERVERS (removed)
ALERTING_METHODS noemail
ALERT_ALL Y
ANALYSIS_MODE_DIR /var/log/psad/ipt_analysis
ANALYSIS_OUTPUT_FILE /var/log/psad/analysis.out
AUTO_BLOCK_DL1_TIMEOUT 3600
AUTO_BLOCK_DL2_TIMEOUT 3600
AUTO_BLOCK_DL3_TIMEOUT 3600
AUTO_BLOCK_DL4_TIMEOUT 3600
AUTO_BLOCK_DL5_TIMEOUT 0
AUTO_BLOCK_IPT_FILE /var/log/psad/auto_blocked_iptables
AUTO_BLOCK_REGEX ESTAB
AUTO_BLOCK_TCPWR_FILE /var/log/psad/auto_blocked_tcpwr
AUTO_BLOCK_TIMEOUT 3600
AUTO_DETECT_JOURNALCTL N
AUTO_DL_FILE /etc/psad/auto_dl
AUTO_IDS_DANGER_LEVEL 5
AUTO_IPT_SOCK /var/run/psad/auto_ipt.sock
CHECK_INTERVAL 5
CONF_ARCHIVE_DIR /etc/psad/archive
CUSTOM_SYSLOG_TS_RE ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:
DANGER_LEVEL1 5
DANGER_LEVEL2 15
DANGER_LEVEL3 150
DANGER_LEVEL4 1500
DANGER_LEVEL5 10000
DISK_CHECK_INTERVAL 300
DISK_MAX_PERCENTAGE 95
DISK_MAX_RM_RETRIES 10
DNS_LOOKUP_THRESHOLD 20
DNS_SERVERS (removed)
DSHIELD_ALERT_EMAIL reports@dshield.org
DSHIELD_ALERT_INTERVAL 6
DSHIELD_COUNTER_FILE /var/log/psad/dshield_ctr
DSHIELD_DL_THRESHOLD 0
DSHIELD_EMAIL_FILE /var/log/psad/dshield.email
DSHIELD_USER_EMAIL (removed)
DSHIELD_USER_ID (removed)
EMAIL_ADDRESSES (removed)
EMAIL_ALERT_DANGER_LEVEL 1
EMAIL_LIMIT 0
EMAIL_LIMIT_STATUS_MSG Y
EMAIL_THROTTLE 0
ENABLE_AUTO_IDS N
ENABLE_AUTO_IDS_EMAILS Y
ENABLE_AUTO_IDS_REGEX N
ENABLE_CUSTOM_SYSLOG_TS_RE N
ENABLE_DNS_LOOKUPS Y
ENABLE_DSHIELD_ALERTS N
ENABLE_EMAIL_LIMIT_PER_DST N
ENABLE_EXT_BLOCK_SCRIPT_EXEC N
ENABLE_EXT_SCRIPT_EXEC N
ENABLE_FW_LOGGING_CHECK Y
ENABLE_FW_MSG_READ_CMD N
ENABLE_INTF_LOCAL_NETS Y
ENABLE_IPV6_DETECTION N
ENABLE_MAC_ADDR_REPORTING N
ENABLE_PERSISTENCE Y
ENABLE_PSADWATCHD N
ENABLE_RENEW_BLOCK_EMAILS N
ENABLE_SCAN_ARCHIVE N
ENABLE_SIG_MSG_SYSLOG Y
ENABLE_SNORT_SIG_STRICT Y
ENABLE_SYSLOG_FILE Y
ENABLE_WHOIS_FORCE_ASCII N
ENABLE_WHOIS_FORCE_SRC_IP N
ENABLE_WHOIS_LOOKUPS Y
ETC_HOSTS_DENY_FILE /etc/hosts.deny
ETC_METALOG_CONF /etc/metalog/metalog.conf
ETC_RSYSLOG_CONF /etc/rsyslog.conf
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf
ETC_SYSLOG_CONF /etc/syslog.conf
EXEC_EXT_SCRIPT_PER_ALERT N
EXPECT_TCP_OPTIONS Y
EXTERNAL_BLOCK_SCRIPT /bin/true
EXTERNAL_NET (removed)
EXTERNAL_SCRIPT /bin/true
FLUSH_IPT_AT_INIT Y
FWSNORT_RULES_DIR /etc/fwsnort/snort_rules
FW_CHECK_FILE /var/log/psad/fw_check
FW_DATA_FILE /var/log/psad/fwdata
FW_ERROR_LOG /var/log/psad/errs/fwerrorlog
FW_MSG_READ_CMD /bin/journalctl
FW_MSG_READ_CMD_ARGS -f -k
FW_MSG_READ_MIN_PKTS 30
FW_MSG_SEARCH PKT
FW_SEARCH_ALL Y
HOME_NET (removed)
HOSTNAME (removed)
HTTP_PORTS 80
HTTP_SERVERS (removed)
ICMP6_TYPES_FILE /etc/psad/icmp6_types
ICMP_TYPES_FILE /etc/psad/icmp_types
IFCFGTYPE ifconfig
IGNORE_CONNTRACK_BUG_PKTS Y
IGNORE_INTERFACES eth1.100
IGNORE_KERNEL_TIMESTAMP Y
IGNORE_LOG_PREFIXES NONE
IGNORE_PORTS NONE
IGNORE_PROTOCOLS NONE
IMPORT_OLD_SCANS N
INSTALL_LOG_FILE /var/log/psad/install.log
INSTALL_ROOT /
IPTABLES_BLOCK_METHOD Y
IPTABLES_PREREQ_CHECK 1
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1
IPT_ERROR_PATTERN psad_ipterr.XXXXXX
IPT_OUTPUT_PATTERN psad_iptout.XXXXXX
IPT_PREFIX_COUNTER_FILE /var/log/psad/ipt_prefix_ctr
IPT_SYSLOG_FILE /var/log/messages
IPT_WRITE_FWDATA Y
IP_OPTS_FILE /etc/psad/ip_options
KMSGSD_PID_FILE /var/run/psad/kmsgsd.pid
MAIL_ALERT_PREFIX [psad-alert]
MAIL_ERROR_PREFIX [psad-error]
MAIL_FATAL_PREFIX [psad-fatal]
MAIL_STATUS_PREFIX [psad-status]
MAX_HOPS 20
MAX_SCAN_IP_PAIRS 0
MIN_ARCHIVE_DANGER_LEVEL 1
MIN_DANGER_LEVEL 1
ORACLE_PORTS 1521
P0F_FILE /etc/psad/pf.os
PACKET_COUNTER_FILE /var/log/psad/packet_ctr
PERSISTENCE_CTR_THRESHOLD 5
PORT_RANGE_SCAN_THRESHOLD 1
POSF_FILE /etc/psad/posf
PRINT_SCAN_HASH /var/log/psad/scan_hash
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward
PROTOCOLS_FILE /etc/psad/protocols
PROTOCOL_SCAN_THRESHOLD 5
PSADWATCHD_CHECK_INTERVAL 5
PSADWATCHD_MAX_RETRIES 10
PSADWATCHD_PID_FILE /var/run/psad/psadwatchd.pid
PSAD_CMDLINE_FILE /var/run/psad/psad.cmd
PSAD_CONF_DIR /etc/psad
PSAD_DIR /var/log/psad
PSAD_ERR_DIR /var/log/psad/errs
PSAD_FIFO_DIR /var/lib/psad
PSAD_FIFO_FILE /var/lib/psad/psadfifo
PSAD_FW_READ_PID_FILE /var/run/psad/psad_fw_read.pid
PSAD_LIBS_DIR /usr/lib/psad
PSAD_PID_FILE /var/run/psad/psad.pid
PSAD_RUN_DIR /var/run/psad
SCAN_DATA_ARCHIVE_DIR /var/log/psad/scan_archive
SCAN_TIMEOUT 3600
SHELLCODE_PORTS !80
SHOW_ALL_SIGNATURES Y
SIGS_FILE /etc/psad/signatures
SIG_MSG_SYSLOG_THRESHOLD 10
SIG_SID_SYSLOG_THRESHOLD 10
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures
SMTP_SERVERS (removed)
SNORT_RULES_DIR /etc/psad/snort_rules
SNORT_RULE_DL_FILE /etc/psad/snort_rule_dl
SNORT_SID_STR SID
SQL_SERVERS (removed)
STATUS_IP_THRESHOLD 25
STATUS_OUTPUT_FILE /var/log/psad/status.out
STATUS_PORTS_THRESHOLD 20
STATUS_SIGS_THRESHOLD 50
SYSLOG_DAEMON syslogd
SYSLOG_FACILITY LOG_LOCAL7
SYSLOG_IDENTITY psad
SYSLOG_PRIORITY LOG_INFO
TCPWRAPPERS_BLOCK_METHOD N
TELNET_SERVERS (removed)
TOP_ATTACKERS_FILE /var/log/psad/top_attackers
TOP_IP_LOG_THRESHOLD 500
TOP_PORTS_LOG_THRESHOLD 500
TOP_SCANNED_PORTS_FILE /var/log/psad/top_ports
TOP_SCANS_CTR_THRESHOLD 1
TOP_SIGS_FILE /var/log/psad/top_sigs
TOP_SIGS_LOG_THRESHOLD 500
TRUNCATE_FWDATA Y
ULOG_DATA_FILE /var/log/psad/ulogd.log
USE_FW_MSG_READ_CMD_ARGS Y
WHOIS_LOOKUP_THRESHOLD 20
WHOIS_TIMEOUT 60
[+] Command paths:
[+] df /bin/df
[+] fwcheck_psad /usr/sbin/fwcheck_psad
[+] gzip /bin/gzip
[+] ifconfig /sbin/ifconfig
[+] ip /sbin/ip
[+] ip6tables /sbin/ip6tables
[+] iptables /sbin/iptables
[+] killall /usr/bin/killall
[+] kmsgsd /usr/sbin/kmsgsd
[+] mail /bin/mail
[+] mknod /bin/mknod
[+] netstat /bin/netstat
[+] ps /bin/ps
[+] psad /usr/sbin/psad
[+] psadwatchd /usr/sbin/psadwatchd
[+] sendmail /usr/sbin/sendmail
[+] sh /bin/sh
[+] uname /bin/uname
[+] wget /usr/bin/wget
[+] whois /usr/bin/whois_psad
Thanks, I'll get this fixed within a day or so.