1 <group name="syslog,psad,">
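<!-- Base rule for psad events. Level 0 produces no alert of its own; the rule
     only selects events whose program name is psad and that were decoded as
     psad, so that child rules can chain to it with if_sid 53700.
     NOTE(review): decoded_as assumes a decoder named psad is defined
     elsewhere; confirm it exists in the deployed decoder set.
     The closing tag, absent from the listing, is restored. -->
<rule id="53700" level="0">
  <program_name>psad</program_name>
  <decoded_as>psad</decoded_as>
  <description>PSAD group</description>
</rule>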
7 <!-- PSAD Log Types -->
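<!-- Classifier for psad "scan detected" messages. Level 0: no alert of its
     own; it is the parent of the danger-level rules 53711 and 53713.
     NOTE(review): the listing shows no if_sid on this rule, although the
     sibling classifiers 53702 and 53716 both chain to 53700. Without a parent
     the match would be tested against events from every log source, not only
     psad, so the parent link is restored here. Confirm against the deployed
     copy of this file. The closing tag is restored as well. -->
<rule id="53701" level="0">
  <if_sid>53700</if_sid>
  <match>scan detected</match>
  <description>PSAD group scan detected</description>
</rule>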
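<!-- Classifier for psad "added iptables" messages. Level 0: no alert of its
     own; it narrows the psad base rule 53700 and is the parent of the
     auto-block rule 53712. The closing tag, absent from the listing, is
     restored. -->
<rule id="53702" level="0">
  <if_sid>53700</if_sid>
  <match>added iptables</match>
  <description>PSAD group added iptables</description>
</rule>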
18 <!-- PSAD Rule Chains -->
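<!-- Alerts at level 10 when a "scan detected" event (parent 53701) carries
     danger level 4 or 5. The match uses "|" as alternation, so either
     "DL: 4" or "DL: 5" anywhere in the message satisfies it. The closing
     tag, absent from the listing, is restored. -->
<rule id="53711" level="10">
  <if_sid>53701</if_sid>
  <match>DL: 4|DL: 5</match>
  <description>PSAD portscan</description>
</rule>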
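<!-- Alerts at level 10 when an "added iptables" event (parent 53702) reports
     an auto-block. These events are worth reviewing because they record a
     change to the firewall state made by psad itself, not only a detection.
     The closing tag, absent from the listing, is restored. -->
<rule id="53712" level="10">
  <if_sid>53702</if_sid>
  <match>auto-block against</match>
  <description>PSAD auto-block</description>
</rule>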
<!-- WARNING: PSAD Danger Level 3 alerts can be false positives -->
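<!-- Low-severity (level 3) alert for "scan detected" events at danger level 3.
     It is also the event counted by the correlation rules 53714 and 53715.
     NOTE(review): the listing shows no match element on this rule. As shown
     it would be eligible for every scan-detected event regardless of danger
     level, which would inflate the counts used by 53714 and 53715. The
     pattern below mirrors the "DL: 4|DL: 5" form used by rule 53711; confirm
     it against the deployed copy and against the psad log format in use.
     The closing tag is restored as well. -->
<rule id="53713" level="3">
  <if_sid>53701</if_sid>
  <match>DL: 3</match>
  <description>PSAD level 3 warning</description>
</rule>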
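<!-- Correlation rule: escalates to level 10 when rule 53713 has matched
     repeatedly (frequency 4) within a 600 second window.
     NOTE(review): the description says "from same source", but the listing
     shows no source constraint, so level 3 warnings from unrelated hosts
     would be counted together. same_source_ip is added to make the rule do
     what its description states; it relies on the psad decoder extracting
     a source IP. Confirm against the deployed copy. The closing tag is
     restored as well. -->
<rule id="53714" level="10" frequency="4" timeframe="600">
  <if_matched_sid>53713</if_matched_sid>
  <same_source_ip />
  <description>many PSAD level 3 warnings from same source</description>
</rule>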
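<!-- Slow-scan correlation rule: escalates to level 10 when rule 53713 has
     matched repeatedly (frequency 8) within a 3600 second window, to catch
     sources that stay under the shorter window of rule 53714.
     NOTE(review): the description says "from same source", but the listing
     shows no source constraint, so warnings from unrelated hosts would be
     counted together over the hour. same_source_ip is added to match the
     description; it relies on the psad decoder extracting a source IP.
     Confirm against the deployed copy. The closing tag is restored as
     well. -->
<rule id="53715" level="10" frequency="8" timeframe="3600">
  <if_matched_sid>53713</if_matched_sid>
  <same_source_ip />
  <description>many PSAD level 3 warnings from same source (slow scan)</description>
</rule>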
45 <!-- PSAD Signature Match -->
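<!-- Alerts at level 6 when a psad event (parent 53700) reports a signature
     match. The trailing space in the match text is part of the pattern and
     must be kept. The closing tag, absent from the listing, is restored. -->
<rule id="53716" level="6">
  <if_sid>53700</if_sid>
  <match>signature match: </match>
  <description>PSAD signature match</description>
</rule>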