### Supports multiple email addresses (as a comma separated
### list).
#EMAIL_ADDRESSES root@localhost;
EMAIL_ADDRESSES youradress@email.com;

### Machine hostname
HOSTNAME _CHANGEME_;

### Specify the home and external networks. Note that by default
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
#HOME_NET any;
HOME_NET NOT_USED;

### By default, psad acquires iptables log data from the /var/log/messages
### file, which the local syslog daemon (usually) writes iptables log messages
### to. If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
### reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file, where the messages are picked up by kmsgsd
### and written to the file /var/log/psad/fwdata for analysis by psad. On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as AppArmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended.
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages;

### When enabled, this instructs psad to write the "msg" field
### associated with Snort rule matches to syslog.
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;

### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall. We will
### assume packets will not jump through more than 20 hops on
### average.
MAX_HOPS 20;

### Ignore any timestamp included within kernel logging
### messages (Ubuntu systems commonly have this).
IGNORE_KERNEL_TIMESTAMP Y;

### FIXME: try to mitigate the effects of the iptables connection
### tracking bug by ignoring tcp packets that have the ack bit set.
### Read the "BUGS" section of the psad man page. Note that
### if a packet matches a snort SID generated by fwsnort (see
### http://www.cipherdyne.org/fwsnort/)
### then psad will see it even if the ack bit is set. See the
### SNORT_SID_STR variable.
IGNORE_CONNTRACK_BUG_PKTS Y;

### Define a set of ports to ignore (this is useful particularly
### for port knocking applications, since the knock sequence will
### look to psad like a scan). This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol. For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
IGNORE_PORTS tcp/42131;

### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two ports must be scanned (p2-p1 >= 1). This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD 1;

### If "Y", scans never time out. This is useful
### for catching scans that take place over long periods of time,
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE N;

### This is used only if ENABLE_PERSISTENCE = "N";
SCAN_TIMEOUT 3600;  ### seconds

### Specify how often to time out old scan data relative to CHECK_INTERVAL
### iterations. This feature is only used if ENABLE_PERSISTENCE is disabled.
### Note that for psad processes that have tracked a lot of scans, it is
### advisable to leave this threshold at the default value of 5 or greater,
### because the scan tracking hash may be quite large.
PERSISTENCE_CTR_THRESHOLD 10;

### Limit the number of src->dst IP pairs that psad will track. The default
### is zero (i.e. unlimited), but if psad is running on a system with limited
### memory, this can be handy to restrict psad's memory usage. It is best to
### combine this option with disabling ENABLE_PERSISTENCE so that older scans
### are deleted and therefore newer scans will on average continue to be
### tracked. A good non-zero value is, say, 50000, but this will vary
### depending on available system memory.
MAX_SCAN_IP_PAIRS 200;

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
#EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_LIMIT_STATUS_MSG N;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
#ENABLE_AUTO_IDS N;
ENABLE_AUTO_IDS Y;

### Block all traffic from offending IP if danger
### level >= this value.
#AUTO_IDS_DANGER_LEVEL 5;
AUTO_IDS_DANGER_LEVEL 3;

### Set the auto-block timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT 3600;
#AUTO_BLOCK_TIMEOUT 86400;

### By setting this variable to N, all auto-blocking emails can be
### suppressed.
#ENABLE_AUTO_IDS_EMAILS Y;
ENABLE_AUTO_IDS_EMAILS N;

### system binaries
#mailCmd /bin/mail;
mailCmd /usr/bin/mail;
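An added example, not part of psad or of the configuration above: a small Python reader for the "KEY value;" directive syntax that parses the IGNORE_PORTS proto/port and port-range list, answers whether a packet to a given port falls under it, and flags the two settings a reviewer would check before ENABLE_AUTO_IDS starts managing firewall rules (the unchanged _CHANGEME_ hostname, and an AUTO_IDS_DANGER_LEVEL below the default of 5 shown in the commented-out line). The sample configuration text is constructed.

```python
import re
# Constructed sample in the KEY value; syntax of psad.conf (not a real host's file).
SAMPLE_CONF = """\
### Supports multiple email addresses (as a comma separated list).
#EMAIL_ADDRESSES root@localhost;
EMAIL_ADDRESSES        soc@example.invalid;
HOSTNAME               _CHANGEME_;
IGNORE_PORTS           tcp/61000-61356, udp/53, udp/5000;
ENABLE_AUTO_IDS        Y;
AUTO_IDS_DANGER_LEVEL  3;
"""
# One directive per line: KEY, whitespace, value, ';'. Lines starting with '#' never match.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s+(.*?)\s*;\s*$")

def parse_psad_conf(text: str) -> dict[str, str]:
    """Return the active KEY -> value pairs of a psad.conf-style text."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_ignore_ports(value: str) -> list[tuple[str, int, int]]:
    """'tcp/61000-61356, udp/53' -> [('tcp', 61000, 61356), ('udp', 53, 53)]."""
    spec = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        proto, _, ports = item.partition("/")
        lo, _, hi = ports.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (proto and 0 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad IGNORE_PORTS entry: {item!r}")
        spec.append((proto.lower(), lo_i, hi_i))
    return spec

def is_ignored(spec: list[tuple[str, int, int]], proto: str, port: int) -> bool:
    """True if a packet to this proto/port falls under IGNORE_PORTS."""
    return any(p == proto.lower() and lo <= port <= hi for p, lo, hi in spec)

def lint(conf: dict[str, str]) -> list[str]:
    """Findings to resolve before ENABLE_AUTO_IDS starts managing firewall rules."""
    findings = []
    if conf.get("HOSTNAME", "_CHANGEME_") == "_CHANGEME_":
        findings.append("HOSTNAME still carries the _CHANGEME_ placeholder")
    if conf.get("ENABLE_AUTO_IDS", "N") == "Y":
        level = int(conf.get("AUTO_IDS_DANGER_LEVEL", "5"))
        if level < 5:  # 5 is the default shown in the commented-out line above
            findings.append(f"auto-blocking fires at danger level {level}, below the default 5")
    return findings
```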