PSAD - PB de detection

Salut, voilà : j’ai un problème avec PSAD, il ne détecte pas les scans, et pourtant il compte les paquets, il trouve le préfixe de log, etc.
Ma situation:
Debian Etch
Linux phoenix 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux

/etc/psad/psad.conf

### psad.conf as posted by the original poster (Debian Etch, psad fed by
### syslog-ng). Directives are left untouched; only comments were added.
### One directive per line, value terminated by ';'; trailing '###' notes
### after the ';' follow the style the file already uses.
EMAIL_ADDRESSES             root@localhost;
### A masked public address, not a hostname (presumably redacted for the
### post). psad expects the machine's real hostname here.
HOSTNAME                    82.*.*.*;
### NOTE(review): only the LAN /24 is listed, yet the host also has a public
### 82.x.x.x address (see HOSTNAME). If the iptables LOG lines carry that
### public address as DST=, those packets may not be counted as scans against
### HOME_NET -- which would fit the status output below: 2593 prefix hits,
### 0 scan sources. The working config later in the thread lists both the
### public IP and the LAN here; check this first.
HOME_NET                    192.168.0.254/24;
SYSLOG_DAEMON               syslog-ng;
### Packet-count thresholds for danger levels 1..5.
DANGER_LEVEL1               5;    ### Number of packets.
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;
CHECK_INTERVAL              5;
SNORT_SID_STR               SID;
### Lowest possible setting, i.e. detection is as sensitive as it gets;
### this value is unlikely to be what suppresses detection here.
PORT_RANGE_SCAN_THRESHOLD   1;
### See psad.conf(5) for how persistence interacts with SCAN_TIMEOUT.
ENABLE_PERSISTENCE          Y;
SCAN_TIMEOUT                3600;  ### seconds
SHOW_ALL_SIGNATURES         N;
MAX_HOPS                    20;
IGNORE_CONNTRACK_BUG_PKTS   Y;
### Nothing is filtered out -- the right setting while diagnosing why
### scans go undetected.
IGNORE_PORTS                NONE;
IGNORE_PROTOCOLS            NONE;
IGNORE_INTERFACES           NONE;
IGNORE_LOG_PREFIXES         NONE;
### Every event from danger level 1 up is mailed, for every scan (ALERT_ALL
### Y), with no per-source cap (EMAIL_LIMIT 0). Fine while testing; once
### detection works this can flood root's mailbox during a large scan --
### set EMAIL_LIMIT or raise EMAIL_ALERT_DANGER_LEVEL.
EMAIL_ALERT_DANGER_LEVEL    1;
ENABLE_MAC_ADDR_REPORTING   N;
### psad verifies that the firewall policy actually logs; keep it on.
ENABLE_FW_LOGGING_CHECK     Y;
EMAIL_LIMIT                 0;
EMAIL_LIMIT_STATUS_MSG      Y;
ALERT_ALL                   Y;
IMPORT_OLD_SCANS            N;
### DShield reporting is off; the fields below are unused until it is on.
ENABLE_DSHIELD_ALERTS       N;
DSHIELD_ALERT_EMAIL         reports@dshield.org;
DSHIELD_ALERT_INTERVAL      6;  ### hours
DSHIELD_USER_ID             0;
DSHIELD_USER_EMAIL          NONE;
DSHIELD_DL_THRESHOLD        0;
### Automatic blocking is off; the IPT_AUTO_CHAIN* lines only take effect
### when it is on. Scan source addresses can be spoofed, so enabling it
### lets a remote party get arbitrary addresses dropped for
### AUTO_BLOCK_TIMEOUT seconds -- leave it off, or keep
### AUTO_IDS_DANGER_LEVEL high (5 here) if you turn it on.
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       5;
AUTO_BLOCK_TIMEOUT          3600;
ENABLE_AUTO_IDS_REGEX       N;
AUTO_BLOCK_REGEX            ESTABLISHED;  ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS   N;
ENABLE_AUTO_IDS_EMAILS      Y;
IPTABLES_BLOCK_METHOD       Y;
### The three commented lines below duplicate the active ones that follow;
### harmless leftovers.
#IPT_AUTO_CHAIN1              DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
#IPT_AUTO_CHAIN2              DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
#IPT_AUTO_CHAIN3              DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
### psad's own blocking chains are flushed when it starts.
FLUSH_IPT_AT_INIT           Y;
IPTABLES_PREREQ_CHECK       1;
TCPWRAPPERS_BLOCK_METHOD    N;
### Set the whois timeout
WHOIS_TIMEOUT               60;  ### seconds
WHOIS_LOOKUP_THRESHOLD      20;
DNS_LOOKUP_THRESHOLD        20;
### Disabled. If enabled, EXTERNAL_SCRIPT runs with psad's privileges
### (root here, given it drives /sbin/iptables), so only a trusted,
### root-owned script belongs there.
ENABLE_EXT_SCRIPT_EXEC      N;
EXTERNAL_SCRIPT             /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT   N;
DISK_CHECK_INTERVAL         300;  ### seconds
DISK_MAX_PERCENTAGE         95;
DISK_MAX_RM_RETRIES         10;
ENABLE_SCAN_ARCHIVE         N;
TRUNCATE_FWDATA             Y;
MIN_ARCHIVE_DANGER_LEVEL    1;
MAIL_ALERT_PREFIX           [psad-alert];
MAIL_STATUS_PREFIX          [psad-status];
MAIL_ERROR_PREFIX           [psad-error];
MAIL_FATAL_PREFIX           [psad-fatal];
### Directories
PSAD_DIR                    /var/log/psad;
PSAD_RUN_DIR                /var/run/psad;
PSAD_LIB_DIR                /var/lib/psad;
SCAN_DATA_ARCHIVE_DIR       /var/log/psad/scan_archive;
ERROR_DIR                   /var/log/psad/errs;
ANALYSIS_MODE_DIR           /var/log/psad/ipt_analysis;
SNORT_RULES_DIR             /etc/psad/snort_rules;
### Files
FW_DATA_FILE                /var/log/psad/fwdata;
ULOG_DATA_FILE              /var/log/psad/ulogd.log;
FW_CHECK_FILE               /var/log/psad/fw_check;
DSHIELD_LATEST_EMAIL        /var/log/psad/dshield.email;
PID_FILE                    /var/run/psad/psad.pid;
CMDLINE_FILE                /var/run/psad/psad.cmd;
SIGS_FILE                   /etc/psad/signatures;
ICMP_TYPES_FILE             /etc/psad/icmp_types;
AUTO_DL_FILE                /etc/psad/auto_dl;
SNORT_RULE_DL_FILE          /etc/psad/snort_rule_dl;
POSF_FILE                   /etc/psad/posf;
P0F_FILE                    /etc/psad/pf.os;
### The FIFO syslog-ng must write the kernel log lines into (per the psad
### setup docs); the syslog-ng destination has to point at this exact path.
PSAD_FIFO                   /var/lib/psad/psadfifo;
ETC_HOSTS_DENY              /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;
### PID files
KMSGSD_PID_FILE             /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE         /var/run/psad/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE         /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       /var/log/psad/auto_blocked_tcpwr;
AUTO_IPT_SOCK               /var/run/psad/auto_ipt.sock;
FW_ERROR_LOG                /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH             /var/log/psad/scan_hash;
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE         /var/log/psad/packet_ctr;
DSHIELD_COUNTER_FILE        /var/log/psad/dshield_ctr;
IPT_PREFIX_COUNTER_FILE     /var/log/psad/ipt_prefix_ctr;
IPT_OUTPUT_FILE             /var/log/psad/psad.iptout;
IPT_ERROR_FILE              /var/log/psad/psad.ipterr;
### system binaries
### Absolute paths to the programs psad executes (as root); keep them
### absolute so PATH cannot redirect them.
iptablesCmd      /sbin/iptables;
mknodCmd         /bin/mknod;
psCmd            /bin/ps;
mailCmd          /usr/bin/mail;
sendmailCmd      /usr/sbin/sendmail;
ifconfigCmd      /sbin/ifconfig;
killallCmd       /usr/bin/killall;
netstatCmd       /bin/netstat;
unameCmd         /bin/uname;
whoisCmd         /usr/bin/whois;
dfCmd            /bin/df;
fwcheck_psadCmd  /usr/sbin/fwcheck_psad;
psadwatchdCmd    /usr/sbin/psadwatchd;
kmsgsdCmd        /usr/sbin/kmsgsd;
psadCmd          /usr/sbin/psad;

Dans mon script iptables, j’ai mis les bonnes règles pour logger (préfixe « [IPTABLES DROP] », visible dans les compteurs ci-dessous).
J’ai configuré syslog-ng pour psad.
et un psad -S donne:

[21:39:14] [root@phoenix:/etc/psad] $ psad -S
[+] psadwatchd (pid: 23997)  %CPU: 0.0  %MEM: 0.0
    Running since: Fri Feb  8 21:15:48 2008

[+] kmsgsd (pid: 23994)  %CPU: 0.0  %MEM: 0.0
    Running since: Fri Feb  8 21:15:48 2008

[+] psad (pid: 23992)  %CPU: 0.1  %MEM: 2.0
    Running since: Fri Feb  8 21:15:48 2008
    Command line arguments: -c /etc/psad/psad.conf
    Alert email address(es): root@localhost

    [No scans detected]

    Netfilter prefix counters:
        "[IPTABLES DROP] :": 2593

    Total scan sources: 0
    Total scan destinations: 0

    Total packet counters:
        tcp:  2540
        udp:  51
        icmp: 0

Il analyse bien les logs, mais ne détecte pas les scans…

Pourquoi ? Si quelqu’un utilise PSAD avec syslog-ng et que le tout fonctionne, comment est-il configuré ?
Merci d’avance pour votre aide ; si vous voulez plus de renseignements, n’hésitez pas.
@+

Salut,

J’ai PSAD (en package Debian) et syslog-ng (en package Debian) sur 2 machines, et tout tourne parfaitement.
Je ne vois pas trop ce qui cloche, mais une différence saute aux yeux : chez toi HOME_NET ne contient que le LAN (192.168.0.x/24) alors que ta machine a aussi une IP publique (82.x.x.x) ; chez moi HOME_NET contient l’IP publique et le LAN, avec EXTERNAL_NET any et ENABLE_INTF_LOCAL_NETS Y. Si tes paquets droppés arrivent sur l’IP publique, c’est à vérifier en premier.

Je te mets ici ma config :

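[code]### psad.conf from the replying user (Debian package, syslog-ng), posted as
### a working reference. Angle-bracket values are placeholders the poster
### redacted. Paste glitches fixed: the fused ETC_METALOG_CONF/PSAD_PID_FILE
### line is split (psad reads one directive per line, so PSAD_PID_FILE was
### otherwise lost), the AIM_SERVERS value is back on a single line, and the
### run of *_FILE / *Cmd directives that appeared twice with identical values
### is kept once.
EMAIL_ADDRESSES <adresse_d_alerte>;

### Redacted in the post; psad expects the machine's real hostname here.
HOSTNAME ;

### Both the public address and the LAN are listed, so packets logged with
### either as DST= are traffic against this host. This is the main
### difference from the first config in the thread, which lists only the LAN.
HOME_NET <mon_ip_publique>,<mon_lan>;
EXTERNAL_NET any;

### Per the psad docs, FW_SEARCH_ALL Y parses every iptables log line rather
### than only those with a known prefix; FW_MSG_SEARCH is the string looked
### for in the log message (matches a "DROP" LOG prefix).
FW_SEARCH_ALL Y;
FW_MSG_SEARCH DROP;

SYSLOG_DAEMON syslog-ng;

### Packet-count thresholds per danger level. DANGER_LEVEL1 is not set here,
### so the packaged default applies.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;

CHECK_INTERVAL 5;
SNORT_SID_STR SID;

### Lowest setting: detection is as sensitive as it gets.
PORT_RANGE_SCAN_THRESHOLD 1;
ENABLE_PERSISTENCE N;
SHOW_ALL_SIGNATURES Y;

ALERTING_METHODS ALL;

### Signature matches are also written to syslog (see SYSLOG_IDENTITY /
### SYSLOG_FACILITY below), rate-limited by the two thresholds.
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;

MAX_HOPS 20;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;

### Connection attempts to these ports are not counted at all -- presumably
### the services this host exposes. Trade-off: a scan confined to exactly
### these ports never shows up in psad.
IGNORE_PORTS tcp/20,tcp/21,tcp/22,tcp/25,tcp/53,udp/53,tcp/80,tcp/443,tcp/143;
IGNORE_PROTOCOLS NONE;
IGNORE_INTERFACES NONE;
IGNORE_LOG_PREFIXES NONE;

### Scans are tracked from danger level 1 but only mailed from level 3
### (150 packets); ALERT_ALL N keeps the mail volume down further.
MIN_DANGER_LEVEL 1;
EMAIL_ALERT_DANGER_LEVEL 3;

### Per the psad docs, networks attached to local interfaces are added to
### HOME_NET automatically.
ENABLE_INTF_LOCAL_NETS Y;
ENABLE_MAC_ADDR_REPORTING N;

### psad verifies that the firewall policy actually logs; keep it on.
ENABLE_FW_LOGGING_CHECK Y;
EMAIL_LIMIT 0;
ENABLE_EMAIL_LIMIT_PER_DST N;
EMAIL_LIMIT_STATUS_MSG Y;
ALERT_ALL N;
IMPORT_OLD_SCANS Y;

SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;

### Reporting thresholds for the top-N files and the status output.
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;
TOP_SCANS_CTR_THRESHOLD 1;

### DShield reporting is off; the fields below are unused until it is on.
ENABLE_DSHIELD_ALERTS N;
DSHIELD_ALERT_EMAIL reports@dshield.org;
DSHIELD_USER_ID 0;
DSHIELD_USER_EMAIL NONE;
DSHIELD_DL_THRESHOLD 0;

### Snort-style network/port variables used by the signature set.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
ENABLE_SNORT_SIG_STRICT Y;

### Automatic blocking is off; the IPT_AUTO_CHAIN* lines only take effect
### when it is on. Scan source addresses can be spoofed, so enabling it lets
### a remote party get arbitrary addresses dropped for AUTO_BLOCK_TIMEOUT
### seconds -- leave it off, or keep AUTO_IDS_DANGER_LEVEL high (5 here).
ENABLE_AUTO_IDS N;
AUTO_IDS_DANGER_LEVEL 5;
AUTO_BLOCK_TIMEOUT 3600;
ENABLE_AUTO_IDS_REGEX N;
ENABLE_RENEW_BLOCK_EMAILS N;
ENABLE_AUTO_IDS_EMAILS Y;
IPTABLES_BLOCK_METHOD Y;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
### psad's own blocking chains are flushed when it starts.
FLUSH_IPT_AT_INIT Y;
IPTABLES_PREREQ_CHECK 1;
TCPWRAPPERS_BLOCK_METHOD N;

WHOIS_LOOKUP_THRESHOLD 20;
DNS_LOOKUP_THRESHOLD 20;

### Disabled. If enabled, EXTERNAL_SCRIPT runs with psad's privileges
### (root, given it drives /sbin/iptables), so only a trusted, root-owned
### script belongs there.
ENABLE_EXT_SCRIPT_EXEC N;
EXTERNAL_SCRIPT /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT N;

DISK_MAX_PERCENTAGE 95;
DISK_MAX_RM_RETRIES 10;
ENABLE_SCAN_ARCHIVE N;
TRUNCATE_FWDATA Y;
MIN_ARCHIVE_DANGER_LEVEL 1;

MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];

### Plain HTTP: a signature file fetched with --sig-update (via wgetCmd) is
### not integrity-protected in transit. If that option is used, review what
### was downloaded before relying on it.
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_MAX_RETRIES 10;

### Directories
PSAD_DIR /var/log/psad;
PSAD_RUN_DIR /var/run/psad;
PSAD_FIFO_DIR /var/lib/psad;
PSAD_LIBS_DIR /usr/lib/psad;
PSAD_CONF_DIR /etc/psad;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;

### Files
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
SIGS_FILE $PSAD_CONF_DIR/signatures;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
### The FIFO syslog-ng must write the kernel log lines into; the syslog-ng
### destination has to point at this exact path.
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;

### PID / runtime files
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
TOP_SIGS_FILE $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_FILE $PSAD_DIR/psad.iptout;
IPT_ERROR_FILE $PSAD_DIR/psad.ipterr;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE $PSAD_DIR/install.log;

### System binaries: absolute paths to the programs psad executes (as
### root); keep them absolute so PATH cannot redirect them.
iptablesCmd /sbin/iptables;
shCmd /bin/sh;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /usr/bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd /usr/bin/whois;
dfCmd /bin/df;
fwcheck_psadCmd /usr/sbin/fwcheck_psad;
psadwatchdCmd /usr/sbin/psadwatchd;
kmsgsdCmd /usr/sbin/kmsgsd;
psadCmd /usr/sbin/psad;
[/code]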