psad: Intrusion Detection and Log Analysis with iptables
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.- Download
- Documentation
- Features
- Source Code
- Mailing List
Significant coverage of psad, including a full discussion of its iptables log analysis capabilities and the ability to interface with graphing software such as AfterGlow and Gnuplot, can be found in the book Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort. Several iptables log visualizations from Chapter 14 of the book are available online, and two such examples appear below. The first example is a link graph produced by AfterGlow of iptables log messages that are indicative of the Nachi Worm: For the second example, psad interfaces with Gnuplot to produce a graph of the number of TCP SYN packets to destination ports per hour. Clearly discernible is a spike on March 27th, and further analysis of the iptables log data indicates a heavy port scan is the cause: The data source for the two visualizations above is the iptables log data from the Scan30 Honeynet Challenge. The complete psad Honeynet challenge analysis pages can be found here: psad Honeynet challenge graphs
psad is developed around three main principles:
- Good network security starts with a properly configured firewall.
- A significant amount of intrusion detection data can be gleaned from firewalls logs, especially if the logs provide information on nearly every field of the network and transport headers (and even application layer signature matches as in Netfilter's case).
- Suspicious traffic should not be detected at the expense of trying to also block such traffic.