+++ /dev/null
-<group name="syslog,psad,">
- <rule id="53700" level="0">
- <program_name>psad</program_name>
- <decoded_as>psad</decoded_as>
- <description>PSAD group</description>
- </rule>
- <!-- PSAD Log Types -->
- <rule id="53701" level="0">
- <if_sid>53700</if_sid>
- <match>scan detected</match>
- <description>PSAD group scan detected</description>
- </rule>
- <rule id="53702" level="0">
- <if_sid>53700</if_sid>
- <match>added iptables</match>
- <description>PSAD group added iptables</description>
- </rule>
- <!-- PSAD Rule Chains -->
- <rule id="53711" level="10">
- <if_sid>53701</if_sid>
- <match>DL: 4|DL: 5</match>
- <description>PSAD portscan</description>
- </rule>
- <rule id="53712" level="10">
- <if_sid>53702</if_sid>
- <match>auto-block against</match>
- <description>PSAD auto-block</description>
- </rule>
-<!-- WARNING: PSAD Danger Level 3 can be positives -->
- <rule id="53713" level="3">
- <if_sid>53701</if_sid>
- <match>DL: 3</match>
- <description>PSAD level 3 warning</description>
- </rule>
- <rule id="53714" level="10" frequency="4" timeframe="600">
- <if_matched_sid>53713</if_matched_sid>
- <same_source_ip />
- <description>many PSAD level 3 warnings from same source</description>
- </rule>
- <rule id="53715" level="10" frequency="8" timeframe="3600">
- <if_matched_sid>53713</if_matched_sid>
- <same_source_ip />
- <description>many PSAD level 3 warnings from same source (slow scan)</description>
- </rule>
- <!-- PSAD Signature Match -->
- <rule id="53716" level="6">
- <if_sid>53700</if_sid>
- <match>signature match: </match>
- <description>PSAD signature match</description>
- </rule>
-</group>