+<group name="syslog,psad,">
+ <rule id="53700" level="0">
+ <program_name>psad</program_name>
+ <decoded_as>psad</decoded_as>
+ <description>PSAD group</description>
+ </rule>
+ <!-- PSAD Log Types -->
+ <rule id="53701" level="0">
+ <if_sid>53700</if_sid>
+ <match>scan detected</match>
+ <description>PSAD group scan detected</description>
+ </rule>
+ <rule id="53702" level="0">
+ <if_sid>53700</if_sid>
+ <match>added iptables</match>
+ <description>PSAD group added iptables</description>
+ </rule>
+ <!-- PSAD Rule Chains -->
+ <rule id="53711" level="10">
+ <if_sid>53701</if_sid>
+ <match>DL: 4|DL: 5</match>
+ <description>PSAD portscan</description>
+ </rule>
+ <rule id="53712" level="10">
+ <if_sid>53702</if_sid>
+ <match>auto-block against</match>
+ <description>PSAD auto-block</description>
+ </rule>
+<!-- WARNING: PSAD Danger Level 3 can be positives -->
+ <rule id="53713" level="3">
+ <if_sid>53701</if_sid>
+ <match>DL: 3</match>
+ <description>PSAD level 3 warning</description>
+ </rule>
+ <rule id="53714" level="10" frequency="4" timeframe="600">
+ <if_matched_sid>53713</if_matched_sid>
+ <same_source_ip />
+ <description>many PSAD level 3 warnings from same source</description>
+ </rule>
+ <rule id="53715" level="10" frequency="8" timeframe="3600">
+ <if_matched_sid>53713</if_matched_sid>
+ <same_source_ip />
+ <description>many PSAD level 3 warnings from same source (slow scan)</description>
+ </rule>
+ <!-- PSAD Signature Match -->
+ <rule id="53716" level="6">
+ <if_sid>53700</if_sid>
+ <match>signature match: </match>
+ <description>PSAD signature match</description>
+ </rule>
+</group>