4876l4

Listing 4: Sample psad E-mail Alert:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug  2 01:13:03:   Portscan Detected by psad (pid 405)
                   on myserver.mydomain.com

Source:                   192.168.10.10
Destination:              10.10.10.50
Newly scanned TCP ports:  [80]    (since: Aug 2 01:13:03)
Complete port range:      [53-80] (since: Aug 2 00:54:53)
Total number of packets:  9
Start time:               Aug  2 00:54:53
End time:                 Aug  2 01:13:03
Danger level:             1 out of 5
DNS info:                 192.168.10.10 -> attacker.com
TCP flags:         [SYN: 2 packets]  Nmap: [-sT or -sS]
TCP flags:         [SYN FIN: 2 packets]
TCP flags:         [URG PSH FIN: 5 packets]  Nmap: [-sX]

=-=-= TCP alert signatures found since [Aug  2 01:13:03]
"NMAP XMAS scan"  dp=80, flags=URG PSH FIN. YOUR MACHINE
IS LISTENING ON (tcp) PORT: 80/tcp  Packets=5


   =-=-=-=-=-=-= Whois Information =-=-=-=-=-=-=
IANA (IANA-CBLK-RESERVED)
   Internet Assigned Numbers Authority
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695
   US

   Netname: IANA-CBLK1
   Netblock: 192.168.0.0 - 192.168.255.255

   Coordinator:
   Internet Corporation for Assigned Names and Numbers
   (IANA-ARIN) +res-ip@iana.org
      (310) 823-9358

   Domain System inverse mapping provided by:

   BLACKHOLE.ISI.EDU            128.9.64.26
   BLACKHOLE.EP.NET             198.32.1.116

   These blocks are reserved for special purposes.
   Please see RFC 1918 for additional information.

   Record last updated on 16-May-2001.
   Database last updated on 31-Jul-2001 23:07:46 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=