{"id":765,"date":"2009-10-14T16:45:14","date_gmt":"2009-10-14T16:45:14","guid":{"rendered":"http:\/\/pchero21.com\/?p=765"},"modified":"2009-10-14T16:45:14","modified_gmt":"2009-10-14T16:45:14","slug":"5-psad-%ec%86%8c%ea%b0%9c","status":"publish","type":"post","link":"http:\/\/pchero21.com\/?p=765","title":{"rendered":"5. psad \uc18c\uac1c"},"content":{"rendered":"

 * \uc5ed\uc0ac<\/span><\/p>\n

 psad \uc18c\ud504\ud2b8\uc6e8\uc5b4 \ud504\ub85c\uc81d\ud2b8\ub294 1999\ub144 \uac00\uc744, \ubc14\uc2a4\ud2f0\uc720 \uac1c\ubc1c\ud300\uc774 \ubc14\uc2a4\ud2f0\uc720\uac00 \uacbd\ub7c9\uc758 \ub124\ud2b8\uc6cc\ud06c \uce68\uc785 \ud0d0\uc9c0 \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc81c\uacf5\ud574\uc57c \ud55c\ub2e4\uace0 \uacb0\uc815\ud588\uc744 \ub54c Bastille \ub9ac\ub205\uc2a4\uc758 \uc77c\ubd80\ub85c \uc2dc\uc791\ud588\ub2e4. \ub2f9\uc2dc \ud53c\ud130 \uc653\ud0a8\uc2a4\ub294 \uc9c0\uae08\uae4c\uc9c0\ub3c4 Bastille \uc640 \ud568\uaed8 \uc81c\uacf5\ub418\ub294 \ub9e4\uc6b0 \ub6f0\uc5b4\ub09c \ubc29\ud654\ubcbd \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uac1c\ubc1c \uc911\uc774\uc5c8\uc73c\ubbc0\ub85c \ubc29\ud654\ubcbd \ub85c\uadf8\uac00 \uc81c\uacf5\ud558\ub294 \uc815\ubcf4\uc5d0 \uae30\ubc18\ud55c IDS \ub3c4\uad6c\ub97c \uac1c\ubc1c\ud558\ub294 \uac83\uc740 \uc790\uc5f0\uc2a4\ub7ec\uc6b4 \ub2e4\uc74c \uc791\uc5c5\uc774\uc5c8\ub2e4. \ub610 \ub2f9\uc2dc PortSentry(http:\/\/sourceforge.net\/projects\/sentrytools \ucc38\uc870)\uc5d0\ub294 \uae30\ubcf8 \ubc84\ub9ac\uae30 \uc804\ub7b5\uc73c\ub85c \uc124\uc815\ub41c \ubc29\ud654\ubcbd\uacfc \ud568\uaed8 \uc0ac\uc6a9\ud558\uae30\uc5d0\ub294 \ubd80\uc801\uc808\ud55c \uad6c\uc870\uc801 \uc124\uacc4 \ubb38\uc81c\uac00 \uc788\uc5c8\ub2e4.<\/p>\n

 2001\ub144 \ub9c8\uc774\ud074 \ub798\uc26c\ub294 \ubc14\uc2a4\ud2f0\uc720-NIDS \ud504\ub85c\uc81d\ud2b8\uac00 \ubc14\uc2a4\ud2f0\uc720\ub97c \uc124\uce58\ud560 \ud544\uc694 \uc5c6\uc774 \ub3c5\ub9bd\uc801\uc73c\ub85c \uc2e4\ud589\ub420 \uc218 \uc788\uac8c \ubcc4\ub3c4\uc758 \ud504\ub85c\uc81d\ud2b8\ub85c \ubd84\ub9ac\uc2dc\ud0a4\uace0 \ud3ec\ud2b8 \uc2a4\uce94 \uacf5\uaca9 \ud0d0\uc9c0\uae30\ub77c\uace0 \uba85\uba85\ud588\ub2e4. psad\uc758 \uac1c\ubc1c \uc8fc\uae30\ub294 \ub9e4\uc6b0 \ud65c\ubc1c\ud558\uba70 \ud3c9\uade0 3~4 \ub2ec\uc5d0 \ud55c \ubc88\uc529 \uc0c8\ub85c\uc6b4 \ubc30\ud3ec\ud310\uc774 \ub098\uc628\ub2e4.<\/p>\n

 * \ubc29\ud654\ubcbd \ub85c\uadf8\ub97c \ubd84\uc11d\ud558\ub294 \uc774\uc720<\/span>
 \uc88b\uc740 \ub124\ud2b8\uc6cc\ud06c \ubcf4\uc548\uc740 \uae30\ubcf8 \ub124\ud2b8\uc6cc\ud06c \uc5f0\uacb0\uc131\uacfc \uc11c\ube44\uc2a4\ub97c \ud5c8\uc6a9\ud558\uae30 \uc704\ud574 \uc808\ub300\uc801\uc73c\ub85c \ud544\uc694\ud55c \ub9cc\ud07c\ub9cc \ud5c8\uc6a9\ud558\uac8c \uc801\uc808\ud788 \uc124\uc815\ub41c \ubc29\ud654\ubcbd\uc5d0\uc11c \uc2dc\uc791\ub41c\ub2e4. \ubc29\ud654\ubcbd\uc740 \uc778\ub77c\uc778 \uc7a5\uce58\uc774\ubbc0\ub85c \ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d\uc5d0 \ud544\ud130\ub9c1 \ub85c\uc9c1\uc744 \uc801\uc6a9\ud558\uae30 \uc88b\ub2e4. \ucef4\ud4e8\ud130 \ub124\ud2b8\uc6cc\ud0b9\uc758 \ubb38\ub9e5\uc5d0\uc11c \uc778\ub77c\uc778 \uc7a5\uce58\ub780 \ub124\ud2b8\uc6cc\ud06c\ub97c \ud1b5\ud574 \ud328\ud0b7\uc774 \ub77c\uc6b0\ud305\ub420 \ub54c \ud328\ud0b7\uc758 \uc9c1\uc811\uc801\uc778 \uacbd\ub85c\uc5d0 \uc874\uc7ac\ud558\ub294 \ud558\ub4dc\uc6e8\uc5b4\ub97c \uc758\ubbf8\ud55c\ub2e4. \uc778\ub77c\uc778 \uc7a5\uce58 \ub0b4\uc758 \ud558\ub4dc\uc6e8\uc5b4\ub098 \uc18c\ud504\ud2b8\uc6e8\uc5b4\uac00 \uc624\uc791\ub3d9\ud574\uc11c \uae30\uae30\uc758 \ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d \uc804\ub2ec \uae30\ub2a5\uc5d0 \uc601\ud5a5\uc744 \ubbf8\uce5c\ub2e4\uba74 \ub124\ud2b8\uc6cc\ud06c \ud1b5\uc2e0\uc740 \ub354 \uc774\uc0c1 \ub3d9\uc791\ud558\uc9c0 \ubabb\ud55c\ub2e4. \uc778\ub77c\uc778 \uc7a5\uce58\uc758 \uc608\ub85c\ub294 \ub77c\uc6b0\ud130, \uc2a4\uc704\uce58, \ube0c\ub9ac\uc9c0, \ubc29\ud654\ubcbd, \ub124\ud2b8\uc6cc\ud06c \ucc38\uc785 \ubc29\uc9c0 \uc2dc\uc2a4\ud15c(IPS)\uc774 \uc788\ub2e4<\/p>\n

 \ubc29\ud654\ubcbd\uc758 \uae30\ub2a5\uc774 \uc880 \ub354 \uc644\uc804\ud574\uc9c0\uace0 \ubcf5\uc790\ubc30\uc9d0\uc5d0 \ub530\ub77c \uc810\ucc28\uc801\uc73c\ub85c (\uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uacc4\uce35 \uac80\uc0ac\uc640 \uac19\uc774) \uc804\ud1b5\uc801\uc73c\ub85c \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c\uc758 \uc810\uc8fc\uc600\ub358 \uae30\ub2a5\uc744 \uc81c\uacf5\ud558\uace0 \uc788\ub2e4. \uc774\ub7f0 \uae30\ub2a5\uc774 \ud2b8\ub798\ud53d\uc744 \ud544\ud130\ub9c1\ud558\ub294 \uae30\ub2a5\uc5d0 \ub354\ud574\uc9c0\uba74\uc11c \ubc29\ud654\ubcbd\uc740 \uba85\ubc31\ud55c \uce68\ud22c\uc640 \ubcf5\uc7a1\ud55c \uc815\ud0d0 \uc2dc\ub3c4\ub85c\ubd80\ud130 \uc11c\ube44\uc2a4\ub97c \ubcf4\ud638\ud558\uace0 \uc6dc \ud2b8\ub798\ud53d\uc73c\ub85c\ubd80\ud130\uc758 \uc7a0\uc7ac\uc801\uc778 \ud53c\ud574\ub97c \uc81c\ud55c\ud560 \uc218 \uc788\ub294 \ud6a8\uacfc\uc801\uc778 \uae30\ubc95\uc744 \uc81c\uacf5\ud560 \uc218 \uc788\ub294 \uc591\uc9c8\uc758 \uce68\uc785 \ud0d0\uc9c0 \ub370\uc774\ud130\ub97c \uc0dd\uc131\ud560 \uc218 \uc788\uac8c \ub410\ub2e4. \uad11\ubc94\uc704\ud55c \ub85c\uae45\uacfc \ud544\ud130\ub9c1 \uae30\ub2a5\uc744 \uac16\ucd98 iptables \uc640 \uac19\uc740 \ubc29\ud654\ubcbd\uc740 \ubb34\uc2dc\ud574\uc120 \uc548 \ub418\ub294 \uac00\uce58 \uc788\ub294 \ubcf4\uc548 \ub370\uc774\ud130\ub97c \uc81c\uacf5\ud560 \uc218 \uc788\ub2e4.<\/p>\n

 \uc2a4\ub178\ud2b8\uc640 \uac19\uc740 \uc804\uc6a9 \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c\uc774 \uad49\uc7a5\ud788 \ub9ce\uc740 \uae30\ub2a5\uacfc \ub124\ud2b8\uc6cc\ud06c \uacf5\uaca9\uc744 \uae30\uc220\ud558\uae30 \uc704\ud55c \uad11\ubc94\uc704\ud55c \uaddc\uce59 \uc5b8\uc5b4\ub97c \uc81c\uacf5\ud558\ub294 \ubc18\uba74 iptables \ub294 \ud56d\uc0c1 \ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d\uc5d0 \uc778\ub77c\uc778\ub3fc\uc11c \uc790\uc138\ud55c \ud328\ud0b7 \ud5e4\ub354 \ub85c\uadf8\ub97c \uc81c\uacf5\ud55c\ub2e4. \ucca0\uc800\ud55c \ubc29\uc5b4\uc758 \uc6d0\ub9ac\uac00 \uc801\uc6a9\ub418\ubbc0\ub85c iptables \uc758 \ub85c\uadf8\ub97c \uc8fc\uc758 \uae4a\uac8c \ubcf4\ub294 \uac83\uc774 \uc88b\ub2e4.<\/p>\n

 * psad \uc758 \uae30\ub2a5<\/span><\/p>\n

 \ud604 \ubc84\uc804\uc758 psad\ub294 Nmap\uacfc \uac19\uc740 \ub3c4\uad6c\ub97c \uc774\uc6a9\ud55c \ud3ec\ud2b8 \uc2a4\uce94, \ub2e4\uc591\ud55c \ubc31\ub3c4\uc5b4 \ud504\ub85c\uadf8\ub7a8\uc744 \uc704\ud55c \ud0d0\uc0ac, \ubd84\uc0b0 \uc11c\ube44\uc2a4 \uac70\ubd80 \uacf5\uaca9(DDoS) \ub3c4\uad6c, \ub124\ud2b8\uc6cc\ud0b9 \ud504\ub85c\ud1a0\ucf5c\uc744 \uc545\uc6a9\ud558\ub824\ub294 \uc2dc\ub3c4\uc640 \uac19\uc774 \ub2e4\uc591\ud55c \uc720\ud615\uc758 \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \ud2b8\ub798\ud53d\uc744 \ud0d0\uc9c0\ud560 \uc218 \uc788\ub2e4. Psad\ub294 fwsnort\uc640 \ud568\uaed8 \uc0ac\uc6a9\ud558\ub294 \uacbd\uc6b0 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uacc4\uce35 \ub370\uc774\ud130\ub97c \uc870\uc0ac\ud574\uc57c \ud558\ub294 \uaddc\uce59\uc744 \ud3ec\ud568\ud574\uc11c \uc2a4\ub178\ud2b8 2.3.3 \uc804\uccb4 \uaddc\uce59\uc758 60% \uc774\uc0c1\uc744 \ud0d0\uc9c0\ud558\uace0 \uacbd\uace0\ud560 \uc218 \uc788\ub2e4.<\/p>\n

 psad \uc758 \uc880 \ub354 \ud765\ubbf8\ub85c\uc6b4 \uae30\ub2a5 \uac00\uc6b4\ub370 \ud558\ub098\ub294 \uc2a4\uce94\uc774\ub098 \uae30\ud0c0 \uc545\uc758\uc801\uc778 \ud2b8\ub798\ud53d\uc774 \uc2dc\uc791\ub418\ub294 \uc6d0\uaca9 \uc6b4\uc601\uccb4\uc81c\ub97c \uc218\ub3d9\uc801\uc73c\ub85c \ud551\uac70\ud504\ub9b0\ud305\ud560 \uc218 \uc788\ub294 \uae30\ub2a5\uc774\ub2e4. psad\uac00 \uc0ac\uc6a9\ud558\ub294 \ud551\uac70\ud504\ub9b0\ud2b8\ub294 p0f\uc5d0\uc11c \ub098\uc628 \uac83\uc774\ub2e4. \ub354\uc6b1\uc774 psad\ub294 \uc790\uc138\ud55c \uba54\uc77c\uacfc syslog \uacbd\uace0, \uc704\ud5d8 \uc218\uc900 \uc784\uacc4\uce58\uc5d0 \uae30\ubc18\ud55c IP \uc790\ub3d9 \ucc28\ub2e8 \uae30\ub2a5(\uc774 \uae30\ub2a5\uc740 \uae30\ubcf8\uc801\uc73c\ub85c \ube44\ud65c\uc131\ud654\ub3fc \uc788\ub2e4), \ud1b5\ud569\ub41c whois \uc9c0\uc6d0, DShield \ubcf4\uace0 \ub4f1\uc744 \uc81c\uacf5\ud55c\ub2e4.<\/p>\n

 * psad \uc124\uce58<\/span><\/p>\n

 psad\ub97c \uc124\uce58\ud558\uae30 \uc804\uc5d0 \uc6b0\uc120 http:\/\/www.cipherdyne.org\/psad\/download \uc5d0\uc11c \ucd5c\uc2e0 \ubc84\uc804\uc744 \ubc1b\uc544\uc57c \ud55c\ub2e4. psad\ub97c \ud3ec\ud568\ud574\uc11c http:\/\/www.cipherdyne.org \uc5d0\uc11c \ubc30\ud3ec\ud558\ub294 \ubaa8\ub4e0 \ud504\ub85c\uadf8\ub7a8\uc740 \uac01 \uc18c\uc2a4 \ud2b8\ub9ac\uc5d0 \uc124\uce58 \ud504\ub85c\uadf8\ub7a8\uc778 insatll.pl \uc774 \ud568\uaed8 \uc81c\uacf5\ub41c\ub2e4. tarball \ud30c\uc77c\uc744 \ubc1b\uc740 \ub2e4\uc74c\uc5d0\ub294 MD5 \ud569\uacfc GnuPG \uc11c\uba85\uc744 \ubaa8\ub450 \ud655\uc778\ud558\ub294 \uac83\uc774 \uc88b\ub2e4.<\/p>\n

\"\"
\"\"
 install.pl \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uba54\uc77c \uacbd\uace0\uac00 \uc804\uc1a1\ub420 \uba54\uc77c \uc8fc\uc18c, \uc2dc\uc2a4\ud15c\uc5d0\uc11c \ud604\uc7ac \uc2e4\ud589 \uc911\uc778 syslog \ub370\ubaac\uc758 \uc720\ud615(syslogd, syslog-ng, metalog), psad\uac00 \ud2b9\uc815 \ub85c\uae45 \uc811\ub450\uc5b4\ub97c \ud3ec\ud568\ud558\ub294 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub9cc\uc744 \ubd84\uc11d\ud558\uac8c \ud560\uc9c0\uc5d0 \ub300\ud55c \uacb0\uc815, \ub85c\uadf8 \ub370\uc774\ud130\ub97c DShield \ubd84\uc0b0 IDS\ub85c \uc804\uc1a1\ud560\uc9c0\uc5d0 \ub300\ud55c \uacb0\uc815 \ub4f1\uacfc \uac19\uc740 \uba87 \uac00\uc9c0 \uc0ac\uc6a9\uc790 \uc785\ub825\uc744 \ud544\uc694\ub85c \ud55c\ub2e4. \uc9c1\uc811 \uc815\ubcf4\ub97c \uc785\ub825\ud558\uac70\ub098 \uae30\ubcf8 \uac12(\uadf8\ub0e5 \uc5d4\ud130 \ud0a4\ub97c \ub204\ub984)\uc744 \uadf8\ub300\ub85c \uc0ac\uc6a9\ud560 \uc218 \uc788\ub2e4. \uc7a0\uc2dc \ud6c4\uba74 psad\uc758 \uc124\uce58\uac00 \uc644\ub8cc\ub41c\ub2e4.<\/p>\n

 \ub370\ube44\uc548 \ud639\uc740 \uc6b0\ubd84\ud22c \ub9ac\ub205\uc2a4\ub97c \uc0ac\uc6a9\ud558\ub294 \uacbd\uc6b0 \ub2e4\uc74c\uc758 \uba85\ub839\uc5b4\ub97c \uc774\uc6a9\ud558\uc5ec \uc27d\uace0 \uac19\ud3b8\ud558\uac8c psad \uc124\uce58\ub97c \uc9c4\ud589\ud560 \uc218 \uc788\ub2e4.
 <\/p>\n

 # sudo apt-get install psad<\/p><\/blockquote>\n

 \ub9ac\ub205\uc2a4\uc5d0 psad\ub97c \uc131\uacf5\uc801\uc73c\ub85c \uc124\uce58\ud558\uace0 \ub098\uba74 \ub85c\uceec \ud30c\uc77c\uc2dc\uc2a4\ud15c\uc5d0 \ub2e4\ub7c9\uc758 \uc0c8 \ud30c\uc77c\uacfc \ub514\ub809\ud1a0\ub9ac\uac00 \uc0dd\uc131\ub41c\ub2e4.<\/p>\n

 \ud384\uc740 \uc8fc\uc694 psad \ub370\ubaac(\ub098\uc911\uc5d0 \ub2e4\ub8f0 \ub3c4\uc6b0\ubbf8 \ub370\ubaac kmsgsd\uc640 psadwatchd\ub294 C\ub85c \uc791\uc131\ud55c \uac83\uc774\ub2e4)\uc744 \uac1c\ubc1c\ud558\ub294 \ub370 \uc4f0\uc778 \ud504\ub85c\uadf8\ub798\ubc0d \uc5b8\uc5b4\ub85c, \ud575\uc2ec \ud384 \ubaa8\ub4c8\uc5d0\ub294 \ud3ec\ud568\ub418\uc9c0 \uc54a\ub294 \uba87 \uac1c\uc758 \ud384 \ubaa8\ub4c8\uc774 \uc0ac\uc6a9\ub41c\ub2e4. \uc774\ub7ec\ud55c \ud384 \ubaa8\ub4c8\uc744 \/usr\/lib\/psad \uc5d0 \ubaa8\ub450 \uc124\uce58\ud568\uc73c\ub85c\uc368 psad \ub294 \uc774\ubbf8 \uc2dc\uc2a4\ud15c \ud384 \ub77c\uc774\ube0c\ub7ec\ub9ac \ud2b8\ub9ac\uc5d0 \uc124\uce58\ub41c \ud384 \ubaa8\ub4c8(\uc8fc\ub85c \/usr\/lib\/perl5 \uc5d0 \uc704\uce58)\uacfc psad \uac00 \ud544\uc694\ub85c \ud558\ub294 \ubaa8\ub4c8\uc744 \uc644\uc804\ud788 \ubd84\ub9ac\uc2dc\ucf1c \uc720\uc9c0\ud560 \uc218 \uc788\ub2e4.<\/p>\n

 psad \uc5d0\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \ubaa8\ub4c8\uc774 \ud544\uc694\ud558\ub2e4.<\/p>\n

 * Date::Calc
 * Net::Ipv4Addr
 * Unix::Syslog
 * IPTABLES::Parse
 * IPTABLES::ChainMgr<\/p><\/blockquote>\n

 psad, kmsgsd, psadwatchd \uc640 \uac19\uc740 \uc138 \uac1c\uc758 \uc2dc\uc2a4\ud15c \ub370\ubaac\uc774 psad\ub97c \uad6c\uc131\ud55c\ub2e4. \uc774 \ub370\ubaac\uc740 \ubaa8\ub450 \/usr\/sbin \uc5d0 \uc124\uce58\ub418\uba70  \/etc\/psad\/psad.conf \ud30c\uc77c\uc744 \ucc38\uc870\ud55c\ub2e4.<\/p>\n

 psad \uc124\uce58 \ud504\ub85c\uadf8\ub7a8\uc740 \/etc\/psad\/archive \ub514\ub809\ud1a0\ub9ac\ub3c4 \uc0dd\uc131\ud574\uc11c \ud604\uc7ac\uc758 psad \ub370\ubaac \uc124\uc815 \ud30c\uc77c\uc744 \ubcf5\uc0ac\ud55c\ub2e4. \uc774\ub294 psad \ub97c \uc7ac\uc124\uce58\ud560 \ub54c \uc774\uc804\uc758 \uc124\uc815\uc744 \ubcf4\uc874\ud558\uae30 \uc704\ud55c \uac83\uc774\ub2e4. install.pl \ud504\ub85c\uadf8\ub7a8\uc740 \ud604\uc7ac\uc758 psad \uc124\uc815 \uac12\uc744 \uc0c8\ub85c\uc6b4 \uc124\uc815 \ud30c\uc77c\ub85c \ud1b5\ud569\ud560 \uc218 \uc788\uc73c\uba70, \uc774\ub97c \ud1b5\ud574 \uc5c5\uadf8\ub808\uc774\ub4dc \ube44\uc6a9\uc744 \ucd5c\uc18c\ud654\ud560 \uc218 \uc788\ub2e4.<\/p>\n

 \uc124\uce58 \ud504\ub85c\uadf8\ub7a8\uc740 \/var \uc5d0\ub3c4 \uba87 \uac1c\uc758 \ud30c\uc77c\uacfc \ub514\ub809\ud1a0\ub9ac\ub97c \uc0dd\uc131\ud55c\ub2e4. \uc6b0\uc120 \/var\/lib\/psadfifo \uc5d0 \uba85\uba85\ub41c \ud30c\uc774\ud504\ub97c \uc0dd\uc131\ud558\uace0 \/var\/log\/psad \ub514\ub809\ud1a0\ub9ac\uc640 \ud30c\uc77c \/var\/log\/psad\/fwdata \ub97c \uc0dd\uc131\ud55c\ub2e4. \ub05d\uc73c\ub85c install.pl \uc2a4\ud06c\ub9bd\ud2b8\ub294 \uc124\uce58 \ub85c\uadf8\ub97c \/var\/log\/psad\/install.log \uc5d0 \uc720\uc9c0\ud55c\ub2e4. \uc2e4\ud589 \uc2dc psad \uc758 \uc8fc\uc694 \ub3d9\uc791 \ub514\ub809\ud1a0\ub9ac(\uc218\uc0c1\ud55c \ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d\uacfc \uad00\ub828\ub41c IP \uc8fc\uc18c\ub97c \uae30\ub85d\ud558\ub294 \ub514\ub809\ud1a0\ub9ac)\ub3c4 \/var\/log\/psad \ub2e4.<\/p>\n

 psad\uac00 \uc124\uce58\ub418\ub294 \ub514\ub809\ud1a0\ub9ac\ub294 \ubb34\uc791\uc704\ub85c \uc120\ud0dd\ub418\ub294 \uac83\uc774 \uc544\ub2c8\ub77c \ud30c\uc77c \uc2dc\uc2a4\ud15c \uacc4\uce35 \ud45c\uc900(FHS, Filesystem Hierarchy Standard)\uc774\ub77c\ub294 \ubb38\uc11c\uc5d0\uc11c \uc815\uc758\ud558\ub294 \ud45c\uc900 \ub514\ub809\ud1a0\ub9ac \ub0b4\uc5d0 \uc704\uce58\ud55c \uac83\uc774\ub2e4. \uc774 \ubb38\uc11c\uc5d0\ub294 \uc720\ub2c9\uc2a4 \ud30c\uc77c\uc2dc\uc2a4\ud15c \ub514\ub809\ud1a0\ub9ac \uad6c\uc870 \ub0b4\uc758 \uac01 \ub514\ub809\ud1a0\ub9ac\uac00 \ub2f4\ub2f9\ud560 \ubaa9\uc801\uc744 \ubd84\ub958\ud55c\ub2e4. \uc774 \ubb38\uc11c\ub97c \ub530\ub974\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158\uc740 \ub9ac\ub205\uc2a4 \ub514\ub809\ud1a0\ub9ac \uad6c\uc870\ub97c \uc608\uc0c1 \uac00\ub2a5\ud558\uac8c \uc0ac\uc6a9\ud558\uba70 \uc774\ub294 \uc218\ub9ce\uc740 \ub514\ub809\ud1a0\ub9ac\uc640 \ud30c\uc77c \uc18d\uc5d0\uc11c \uc5b4\ub290 \uc815\ub3c4 \uc815\ub9ac\ub41c \ubaa8\uc2b5\uc744 \uc720\uc9c0\ud560 \uc218 \uc788\uac8c \ud574\uc900\ub2e4. FHS\ub294 http:\/\/www.pathname.com\/fhs\uc5d0\uc11c \uad6c\ud560 \uc218 \uc788\ub2e4.XIW0pLyDnJ.pdf<\/a><\/p><\/blockquote>\n

 * psad \uad00\ub9ac<\/span><\/p>\n

 – psad \uc758 \uc2dc\uc791\uacfc \uc885\ub8cc<\/p>\n

 psad\uc758 \uc2dc\uc791\uacfc \uc885\ub8cc\ub294 \ub9e4\uc6b0 \uac04\ub2e8\ud558\ub2e4. init \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc0ac\uc6a9\ud558\uba74 \ub41c\ub2e4.\"\"
 psad\uac00 init \uc2a4\ud06c\ub9bd\ud2b8\ub97c \ud1b5\ud574 \uc2dc\uc791\ub418\uba74 \uc8fc psad \ub370\ubaac, kmsgsd, psadwatchd \uc640 \uac19\uc740 \uc138 \uac1c\uc758 \ub370\ubaac\ub3c4 \uc2dc\uc791\ub41c\ub2e4. kmsgsd \ub294 psad \uac00 iptables \ub85c\uadf8\ub97c \uc2e4\uc2dc\uac04\uc73c\ub85c \ubd84\uc11d\ud560 \uc218 \uc788\uac8c \/var\/lig\/psad\/psadfifo \uba85\uba85\ub41c \ud30c\uc774\ud504\ub85c\ubd80\ud130 \ubaa8\ub4e0 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uc77d\uc5b4 \uc640\uc11c \ubcc4\ub3c4\uc758 \ud30c\uc77c\uc778 \/var\/log\/psad\/fwdata \uc5d0 \uae30\ub85d\ud55c\ub2e4. \uc774\ub97c \ud1b5\ud574 psad \ub294 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub9cc\uc744 \ud3ec\ud568\ud558\ub294 \ub370\uc774\ud130 \uc2a4\ud2b8\ub9bc\uc744 \uc81c\uacf5\ubc1b\ub294\ub2e4.<\/p>\n

 psad\ub294 \uc124\uce58 \uc2dc\uc5d0 \uc2dc\uc2a4\ud15c syslog \ub370\ubaac\uc774 info \uc6b0\uc120\uc21c\uc704\ub97c \uac00\uc9c0\ub294 \ubaa8\ub4e0 \ucee4\ub110 \uba54\uc2dc\uc9c0(\ub610\ub294 syslog \uc6a9\uc5b4\ub85c kern.info \uba54\uc2dc\uc9c0)\ub97c \uba85\uba85\ub41c \ud30c\uc774\ud504 \/var\/lib\/psad\/psadfifo \uc5d0 \uae30\ub85d\ud558\uac8c \uc7ac\uc124\uc815\ud55c\ub2e4.<\/p><\/blockquote>\n

 psadwatchd \ub370\ubaac\uc740 \ub2e8\uc21c\ud788 psad\uc640 kmsgsd \ub370\ubaac\uc774 \uc2e4\ud589 \uc911\uc778\uc9c0 \ud655\uc778\ud558\uace0 \uadf8\ub807\uc9c0 \uc54a\uc73c\uba74 \uc774\ub4e4\uc744 \uc7ac\uc2dc\uc791\ud55c\ub2e4. psadwatchd \ub294 \ub450 \ub370\ubaac \uc911 \ud558\ub098\ub97c \uc7ac\uc2dc\uc791\ud574\uc57c \ud558\uba74 \/etc\/psad\/psad.conf \ud30c\uc77c\uc5d0 \uc788\ub294 \uba54\uc77c \uc8fc\uc18c\ub85c \uacbd\uace0 \uba54\uc77c\uc744 \uc804\uc1a1\ud55c\ub2e4.<\/p>\n

 – \ub370\ubaac \ud504\ub85c\uc138\uc2a4\uc758 \uc720\uc77c\uc131<\/p>\n

 psad \uac00 \uc2dc\uc791\ub418\uba74 \uc138 \uac1c\uc758 psad \ub370\ubaac\uc740 \uac01\uae30 \uc790\uc2e0\ub9cc\uc758 \ud504\ub85c\uc138\uc2a4 ID(PID)\ub97c \/var\/run\/psad \ub0b4\uc758 \ud30c\uc77c\uc5d0 \uae30\ub85d\ud55c\ub2e4. \uba85\ub839 \ud589\uc5d0\uc11c \uc218\ub3d9\uc73c\ub85c \ub370\ubaac\uc744 \uc2dc\uc791\ud558\uba74 \ud574\ub2f9 \ub370\ubaac\uc740 \uc6b0\uc120 \ub2e4\ub978 \uc778\uc2a4\ud134\uc2a4\uac00 \uc2e4\ud589 \uc911\uc778\uc9c0 \ud655\uc778\ud558\uace0 \uc2e4\ud589 \uc911\uc774\ub77c\uba74 \uc0c8\ub85c\uc6b4 \uc778\uc2a4\ud134\uc2a4\ub294 \ubc14\ub85c \uc885\ub8cc\ud55c\ub2e4. \uc774\ub97c \ud1b5\ud574 \uc774\ubbf8 \uc874\uc7ac\ud558\ub294 psad \ud504\ub85c\uc138\uc2a4\ub97c \uadf8\ub300\ub85c \uc720\uc9c0\ud560 \uc218 \uc788\ub2e4.<\/p>\n

 – iptables \uc815\ucc45 \uc124\uc815<\/p>\n

 \uae30\ubcf8\uc801\uc73c\ub85c psad \ub294 \ub85c\uadf8 \ubd84\uc11d\uae30\ub2e4. psad \ub294 \uc790\uc2e0\uc774 \uc124\uce58\ub41c \uc2dc\uc2a4\ud15c\uc0c1\uc758 iptables \uc815\ucc45\uc774 \uae30\ub85d \ud6c4 \ubc84\ub9ac\uae30 \uc804\ub7b5\uc73c\ub85c \uc124\uc815\ub410\ub2e4\uace0 \uac00\uc815\ud55c\ub2e4. \uc774\ub294 iptables \uac00 \ub124\ud2b8\uc6cc\ud06c\uc758 \ub3d9\uc791\uc744 \uc704\ud574\uc11c \uaf2d \ud544\uc694\ud55c \ud328\ud0b7\ub9cc\uc744 \uc218\uc6a9\ud558\uac8c \ubcf4\uc7a5\ud574\uc8fc\uba70 \ub2e4\ub978 \ubaa8\ub4e0 \ud328\ud0b7\uc740 \uae30\ub85d \ud6c4 \ubc84\ub9b0\ub2e4. \ud3ec\ud2b8 \uc2a4\uce94, \ubc31\ub3c4\uc5b4 \ud504\ub85c\uadf8\ub7a8\uc744 \uc704\ud55c \ud0d0\uc0ac, \uc2dc\uc2a4\ud15c\uc744 \uc804\ubcf5\uc2dc\ud0a4\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uba85\ub839, \uae30\ud0c0 \ubd88\ubc95\uc801\uc778 \uac71\ub4ef\uc774 \uc218\uc6a9 \uac00\ub2a5\ud55c \ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d \ubaa9\ub85d\uc5d0\uc11c \uc81c\uc678\ub418\ubbc0\ub85c \uc774\ub7f0 \uc815\ucc45\uc73c\ub85c\ubd80\ud130 \ub098\uc628 iptables \uae30\ub85d\uc740 \ubcf4\ud1b5 \uc804\uc6a9 \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c\uc5d0 \uac00\uce58 \uc788\ub294 \ub370\uc774\ud130\ub97c \uc81c\uacf5\ud560 \uc218 \uc788\ub2e4.<\/p>\n

 psad\ub294 \ub85c\uceec iptables \uc815\ucc45\uc774 INPUT \uacfc FORWARD \uccb4\uc778 \ubaa8\ub450\uc5d0\uc11c \uae30\ubcf8 LOG\uc640 DROP \uaddc\uce59\uc73c\ub85c \uc124\uc815\ub410\ub294\uc9c0 \ud655\uc778\ud574\uc8fc\ub294 \uc790\ub3d9 \uae30\ubc95\uc744 \uc81c\uacf5\ud55c\ub2e4. \uc774 \uae30\ubc95\uc740 \/usr\/sbin\/fwcheck_psad \uc5d0 \uc704\uce58\ud55c \uc804\uc6a9 \uc2a4\ud06c\ub9bd\ud2b8\ub85c (psad \uc2e4\ud589 \uc2dc –no-fwcheck \uba85\ub839 \ud589 \uc2a4\uc704\uce58\ub97c \uc8fc\uac70\ub098 psad \uac00 \ubcc4\ub3c4\uc758 syslog \uc11c\ubc84\uc5d0\uc11c \uc2e4\ud589 \uc911\uc774\uc9c0 \uc54a\ub294 \ud55c) psad \uac00 \uc2dc\uc791\ud560 \ub54c \uc2e4\ud589\ud55c\ub2e4. fwcheck_psad \uc2a4\ud06c\ub9bd\ud2b8\ub294 IPTables::Parse \ud384 \ubaa8\ub4c8\uc744 \uc0ac\uc6a9\ud574 \ub85c\uceec iptables \uc815\ucc45\uc758 \ud45c\ud604(representation)\uc744 \uc5bb\uc5b4\uc624\uba70 LOG\uc640 DROP \uaddc\uce59\uc774 \ud3ec\ud568\ub410\ub294\uc9c0 \uc54c\uc544\ubcf4\uae30 \uc704\ud574 \uc774\ub97c \ud574\uc11d\ud55c\ub2e4. \ud3ec\ud568\ub3fc \uc788\uc9c0 \uc54a\ub2e4\uba74 psad\ub294 iptables \uc815\ucc45\uc774 \uc54c\ub9de\uac8c \uc124\uc815\ub418\uc9c0 \uc54a\uc558\ub2e4\ub294 \uac83\uc744 \uc54c\ub824\uc8fc\uae30 \uc704\ud574 \uc124\uc815 \uacbd\uace0 \uba54\uc77c\uc744 \uc804\uc1a1\ud55c\ub2e4.<\/p>\n

 iptables \uc815\ucc45\uc740 \ub9e4\uc6b0 \ubcf5\uc7a1\ud560 \uc218 \uc788\uae30 \ub54c\ubb38\uc5d0 \uc815\ucc45\uc774 \ub85c\uadf8\uc640 \ubc84\ub9ac\uae30 \uc804\ub7b5\uc744 \uac00\uc9c0\ub294\uc9c0 \uacb0\uc815\ud558\ub294\ub370\uc5d0 IPTables::Parse \ubaa8\ub4c8\uc758 \uad6c\ubb38 \ubd84\uc11d \uae30\ub2a5\uc774 \ud56d\uc0c1 \ucda9\ubd84\ud558\uc9c0\ub294 \uc54a\ub2e4. \uac80\uc0ac\uac00 \uc2e4\ud328\ud558\ub354\ub77c\ub3c4 psad\ub294 \uc5ec\uc804\ud788 \ub3d9\uc791\ud560 \uc218 \uc788\uc73c\uba70, psad\uc758 \ud6a8\uacfc\ub294 iptables\uac00 \uae30\ub85d\ud558\ub294 \ud328\ud0b7\uc758 \uc720\ud615\uc5d0 \ub530\ub77c \ub2ec\ub77c\uc9c4\ub2e4. \uc2e4\uc81c\ub85c SMB(\uc708\ub3c4\uc6b0\uc5d0\uc11c \uc0ac\uc6a9)\uc640 \uac19\uc740 \ud504\ub85c\ud1a0\ucf5c\uc740 \ud544\uc694 \uc5c6\ub294 \ub0b4\uc6a9\uc744 \ub108\ubb34 \ub9ce\uc774 \ud3ec\ud568\ud558\uae30 \ub54c\ubb38\uc5d0 \uae30\ub85c\ud558\uae30\uc5d0 \ubd80\uc801\uc808\ud558\uba70, \uc774\ub7f0 \ud504\ub85c\ud1a0\ucf5c\uc744 \ud1b5\ud574 \uc804\uc1a1\ub41c \ud328\ud0b7\uc740 \uc8fc\ub85c LOG \uaddc\uce59\uacfc \uc77c\uce58\ub420 \uc218 \uc788\uae30 \uc804\uc5d0 \ubc1b\uc544\ub4e4\uc774\uac70\ub098 \ubc84\ub9b0\ub2e4. fwcheck_psad \uac00 \uc62c\ubc14\ub85c \uad6c\ubb38 \ubd84\uc11d\ud560 \uc218 \uc5c6\uc744 \uc815\ub3c4\ub85c \ubcf5\uc7a1\ud55c iptables \uc815\ucc45\uc744 \uc2e4\ud589 \uc911\uc774\ub77c\uba74 \/etc\/psad\/psad.conf \uc758 ENABLE_FW_LOGGING_CHECK \ubcc0\uc218\ub97c N \uc73c\ub85c \uc124\uc815\ud574\uc11c \uc774 \uac80\uc0ac\ub97c \ube44\ud65c\uc131\ud654\ud560 \uc218 \uc788\ub2e4.<\/p><\/blockquote>\n

 – syslog \uc124\uc815<\/p>\n

 \ud328\ud0b7\uc774 iptables \ub0b4\uc5d0\uc11c LOG \uaddc\uce59\uc5d0 \ub9e4\uce6d\ub418\uba74 \ucee4\ub110\uc740 \ucee4\ub110 \ub85c\uae45 \ub370\ubaac\uc778 klogd\ub97c \ud1b5\ud574 \uc774 \uc0ac\uc2e4\uc744 \ubcf4\uace0\ud55c\ub2e4. \uc774\ub807\uac8c \uc804\ub2ec\ub41c \ucee4\ub110 \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub294 \ubcf4\ud1b5 \ubcf4\uace0\uc11c \ud30c\uc77c\uc5d0 \uae30\ub85d\ub418\uae30 \uc704\ud574 \uba85\uba85\ub41c \ud30c\uc774\ud504\ub098 \ubc84\ud074\ub9ac \uc18c\ucf13 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ud1b5\ud55c \ubcc4\ub3c4\uc758 \uc2dc\uc2a4\ud15c\uc73c\ub85c \uc804\ub2ec\ub41c\ub2e4. \uc774\ub294 \ubaa8\ub450 syslog \ub370\ubaac\uc774 \uc81c\uacf5\ud558\ub294 \uae30\ub2a5\uacfc syslog\uc774 \uc5b4\ub5bb\uac8c \uc124\uc815\ub410\ub294\uc9c0\uc5d0 \ub530\ub77c \ub2ec\ub77c\uc9c4\ub2e4.<\/p>\n

 syslogd\uc640 syslog-ng \ub370\ubaac\uc740 psad\uc640 \ud638\ud658\ub418\uba70, psad\ub294 metalog\ub3c4 \uc81c\ud55c\ub41c \ubc29\uc2dd\uc73c\ub85c \uc9c0\uc6d0\ud55c\ub2e4. syslogd\uc640 syslog-ng\ub294 \uba85\uba85\ub41c \ud30c\uc774\ud504\ub85c \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uae30\ub85d\ud560 \uc218 \uc788\uc73c\uba70, psad\ub294 \uc774\ub97c \uc774\uc6a9\ud558\uae30 \uc704\ud574 \ubaa8\ub4e0 kern.info \ub85c\uadf8 \uba54\uc2dc\uc9c0\uac00 \uba85\uba85\ub41c \ud30c\uc774\ud504 \/var\/lib\/psad\/psadfifo\uc5d0 \uae30\ub85d\ub418\uac8c \uc124\uc815\ud55c\ub2e4. \uc774\uacf3\uc73c\ub85c \uc804\ub2ec\ub41c \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub294 kmsgsd\uac00 \uc774\uc6a9\ud55c\ub2e4. kmsgsd\ub294 psadfifo\ub97c \ud1b5\ud574 syslog \uba54\uc2dc\uc9c0\ub97c \ubc1b\uc73c\uba74 \uc774 syslog \uba54\uc2dc\uc9c0\uac00 iptables\uc5d0 \uc758\ud574 \uc0dd\uc131\ub410\ub2e4\ub294 \uac83\uc744 \ubcf4\uc7a5\ud558\uae30 \uc704\ud574 \ub450 \uac1c\uc758 \ubd80\ubd84 \ubb38\uc790\uc5f4(IN= \uacfc OUT=)\uc744 \ud3ec\ud568\ud558\ub294\uc9c0 \ud655\uc778\ud55c\ub2e4. \uba54\uc2dc\uc9c0\uac00 \uc774 \uac80\uc0ac\ub97c \ud1b5\uacfc\ud558\uba74 kmsgsd\ub294 \uc774\ub97c psad\uac00 \ubcfc \uc218 \uc788\uac8c \ud30c\uc77c \/var\/log\/psad\/fwdata\uc5d0 \uae30\ub85d\ud55c\ub2e4. \ub9ce\uc740 kern.info syslog \uba54\uc2dc\uc9c0\uac00 iptables\uc640 \uc544\ubb34\ub7f0 \uad00\uacc4\ub3c4 \uc5c6\ub294 \ucee4\ub110 \uc77c\ubd80\uc5d0 \uc758\ud574 \uc0dd\uc131\ub420 \uc218 \uc788\uc73c\uba70, kmsgsd\ub294 iptables \uba54\uc2dc\uc9c0\ub9cc\uc774 psad\uc5d0 \uc758\ud574 \ubd84\uc11d\ub418\uac8c \ubcf4\uc7a5\ud55c\ub2e4.<\/p>\n

 IN=\uacfc OUT= \ubb38\uc790\uc5f4\uc740 iptables LOG \ud0c0\uac9f\uc744 \ud1b5\ud574 \uae30\ub85d\ub41c \ud328\ud0b7\uc758 \uc785\ub825\uacfc \ucd9c\ub825 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ub098\ud0c0\ub0b8\ub2e4. \uc774\ub7ec\ud55c \ubb38\uc790\uc5f4\uc740 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc5d0 \ud56d\uc0c1 \ud3ec\ud568\ub41c\ub2e4.<\/p><\/blockquote>\n

 — syslogd
 syslogd\uac00 \uc124\uce58\ub41c \uc2dc\uc2a4\ud15c\uc5d0\uc11c psad\uac00 \uc2e4\ud589\uc911\uc774\ub77c\uba74 \uc124\uce58 \uc2dc \/etc\/syslog.conf \uc124\uc815 \ud30c\uc77c\uc5d0 \ub2e4\uc74c\uacfc \uac19\uc740 \ub0b4\uc6a9\uc774 \ucd94\uac00\ub41c\ub2e4. \uc774\ub294 syslogd\uac00 kern.info \uba54\uc2dc\uc9c0\ub97c \/var\/lib\/psad\/psadfifo\uc5d0 \uae30\ub85d\ud558\uac8c \uc124\uc815\ud55c\ub2e4.
 \"\"<\/p>\n

 – whois \ud074\ub77c\uc774\uc5b8\ud2b8
 \ub9c8\ub974\ucf54 \ub514\ud2b8\ub9ac(Marco d’itri)\uac00 \ub9cc\ub4e0 \ud6cc\ub96d\ud55c whois(\ud6c4\uc774\uc988) \ud074\ub77c\uc774\uc5b8\ud2b8\uac00 psad \uc18c\uc2a4\uc640 \ud568\uaed8 \uc81c\uacf5\ub41c\ub2e4. \uc774 \ud074\ub77c\uc774\uc5b8\ud2b8\ub294 \uc8fc\uc5b4\uc9c4 IP \uc8fc\uc18c\uc5d0 \ub300\ud574 \uac70\uc758 \ud56d\uc0c1 \uc62c\ubc14\ub978 \ub137\ube14\ub85d(netblock)\uc744 \uc9c8\uc758\ud558\uba70, psad\ub294 (–no-whois \uba85\ub839 \ud589 \uc2a4\uc704\uce58\ub97c \uc8fc\uc9c0 \uc54a\ub294 \ud55c) IP \uc8fc\uc18c \uc18c\uc720 \uc815\ubcf4\ub97c \uc9c8\uc758\ud574\uc11c \uba54\uc77c \uacbd\uace0\uc5d0 \ud3ec\ud568\uc2dc\ud0a4\uae30 \uc704\ud574 \uc774 \ud074\ub77c\uc774\uc5b8\ud2b8\ub97c \uc774\uc6a9\ud55c\ub2e4. \uc774\ub7f0 \uc815\ubcf4\ub97c \uac00\uc9c0\uba74 \uc2a4\uce94\uc774\ub098 \uae30\ud0c0 \ub2e4\ub978 \uacf5\uaca9\uc774 \ud0d0\uc9c0\ub41c \ub124\ud2b8\uc6cc\ud06c\uc758 \uad00\ub9ac\uc790 \uc2dd\ubcc4 \uacfc\uc815\uc774 \ub2e8\uc21c\ud574\uc9c4\ub2e4. \uc608\ub97c \ub4e4\uc5b4 \uc6b0\ub9ac\ud559\uad50(http:\/\/www.kongju.ac.kr)\uc758 IP(203.253.33.6)\uc758 \uc8fc\uc18c\ub97c whois \ud0d0\uc9c0\ud558\uba74 \ub2e4\uc74c\uacfc \uac19\uc740 \uacb0\uacfc\uac00 \ub098\uc628\ub2e4.<\/p>\n

\"\"<\/p>\n

 * psad \uc124\uc815<\/span><\/p>\n

 \ubaa8\ub4e0 psad \ub370\ubaac\uc740 \/etc\/psad\uc5d0 \uc788\ub294 \ud30c\uc77c psad.conf\ub97c \ucc38\uc870\ud558\uba70, \uc774 \ud30c\uc77c\uc740 \uac04\ub2e8\ud55c \uaddc\uc57d\uc744 \ub530\ub978\ub2e4. \uc8fc\uc11d\uc740 # \uae30\ud638\ub85c \uc2dc\uc791\ud558\uba70 \uc124\uc815 \ub9e4\uac1c\ubcc0\uc218\ub294 \ud0a4-\uac12 \ud615\uc2dd\uc73c\ub85c \uba85\uc2dc\ud55c\ub2e4. \uc608\ub97c \ub4e4\uc5b4 psad.conf\uc758 HOSTNAME \ubcc0\uc218\ub294 psad\uac00 \uc124\uce58\ub41c \uc2dc\uc2a4\ud15c\uc758 \ud638\uc2a4\ud2b8\uba85\uc744 \uc815\uc758\ud55c\ub2e4.<\/p>\n

### Machine hostname
HOSTNAME                    extreme;<\/p><\/blockquote>\n

 \ubaa8\ub4e0 \uc124\uc815 \ubcc0\uc218 \uac12\uc740 \uac12\uc744 \uc758\ubbf8\ud558\ub294 \ubb38\uc790\uc5f4\uc758 \ub05d\uc744 \ub098\ud0c0\ub0b4\uae30 \uc704\ud574 \uc138\ubbf8\ucf5c\ub860\uc73c\ub85c \ub05d\ub098\uc57c \ud55c\ub2e4. \uadf8\ub7ec\ubbc0\ub85c \ub2e4\ub984\uacfc \uac19\uc774 \ubb38\uc11c\ud654\ub97c \uc704\ud574 \uc138\ubbf8\ucf5c\ub860 \ub2e4\uc74c\uc5d0 \uc8fc\uc11d\uc744 \ud3ec\ud568\uc2dc\ud0ac \uc218 \uc788\ub2e4.<\/p>\n

### This is used only if ENABLE_PERSISTENCE = “N”;
SCAN_TIMEOUT                3600;  ### seconds<\/p><\/blockquote>\n

 \ub05d\uc73c\ub85c psad \ubcc0\uc218 \uac12\uc740 psad\uac00 \uc124\uc815\uc744 \uad6c\ubb38 \ubd84\uc11d\ud560 \ub54c \ud655\uc7a5\ub418\ub294 \ud558\uc704 \ubcc0\uc218\ub97c \ud3ec\ud568\ud560 \uc218 \uc788\ub2e4. \uc608\ub97c \ub4e4\uc5b4 psad\uc758 \uc8fc\uc694 \ub85c\uae45 \ub514\ub809\ud1a0\ub9ac\ub294 PSAD_DIR \ubcc0\uc218\uac00 \uc815\uc758\ud558\uba70, \uae30\ubcf8\uc801\uc73c\ub85c \/var\/log\/psad\ub85c \uc124\uc815\ub41c\ub2e4. \ub2e4\ub978 \uc124\uc815 \ubcc0\uc218\ub294 \ub2e4\uc74c\uacfc \uac19\uc774 PSAD_DIR \ubcc0\uc218\ub97c \ucc38\uc870\ud560 \uc218 \uc788\ub2e4.<\/p>\n

PSAD_ERR_DIR                $PSAD_DIR\/errs;<\/p><\/blockquote>\n

 – \/etc\/psad\/psad.conf
 psad.conf \ud30c\uc77c\uc740 psad\uc758 \uc8fc\uc694 \uc124\uc815 \ud30c\uc77c\ub85c psad \ub3d9\uc791\uc758 \ub2e4\uc591\ud55c \uba74\uc744 \uc81c\uc5b4\ud558\uae30 \uc704\ud55c 100\uac1c \uc774\uc0c1\uc758 \uc124\uc815 \ubcc0\uc218\ub97c \ud3ec\ud568\ud55c\ub2e4. <\/p>\n

 \uc124\uc815\uc5d0 \uad00\ud55c \ub354 \uc790\uc138\ud55c \ub0b4\uc6a9\uc740 http:\/\/www.cipherdyne.org\/psad\/docs\/index.html \uc5d0\uc11c \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p><\/blockquote>\n

 — EMAIL_ADDRESSES
 EMAIL_ADDRESSES \ubcc0\uc218\ub294 psad\uac00 \uc2a4\uce94 \uacbd\uace0, \uc815\ubcf4 \uba54\uc2dc\uc9c0, \uae30\ud0c0 \uacf5\uc9c0\ub97c \uc804\uc1a1\ud560 \uba54\uc77c \uc8fc\uc18c\ub97c \uc815\uc758\ud55c\ub2e4. \ucf64\ub9c8\ub97c \uc0ac\uc6a9\ud574\uc11c \uc5ec\ub7ec \uac1c\uc758 \uba54\uc77c \uc8fc\uc18c\ub97c \ud568\uaed8 \ub098\ud0c0\ub0bc \uc218\ub3c4 \uc788\ub2e4.<\/p>\n

### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;<\/p><\/blockquote>\n

—  DANGER_LEVEL{n}
 psad\ub294 \uacbd\uace0\uc5d0 \uc6b0\uc120\uc21c\uc704\ub97c \ub450\uae30 \uc704\ud574 \uc545\uc758\uc801\uc778 \ubaa8\ub4e0 \ud65c\ub3d9\uc744 \uc704\ud5d8 \uc218\uc900\uc5d0 \ub530\ub77c \ub098\ub208\ub2e4. \uc704\ud5d8 \uc218\uc900\uc740 1\uc5d0\uc11c 5\uae4c\uc9c0(5\uac00 \uac00\uc7a5 \uc548 \uc88b\uc740 \uac83)\uc774\uba70, \uacf5\uaca9\uc774\ub098 \uc2a4\uce94\uc774 \ud0d0\uc9c0\ub41c \uac01 IP \uc8fc\uc18c\uc5d0 \ud560\ub2f9\ub41c\ub2e4. \uc704\ud5d8 \uc218\uc900 \uac12\uc740 \uc2a4\uce94\uc758 \ud2b9\uc131(\ud328\ud0b7 \uc218, \ud3ec\ud2b8 \ubc94\uc704, \uc2dc\uac04 \uac04\uaca9), \ud2b9\uc815 \ud328\ud0b7\uc774 \/etc\/psad\/signatures \ud30c\uc77c\uc5d0 \uc815\uc758\ub41c \uc11c\uba85\uacfc \uc77c\uce58\ud558\ub294\uc9c0 \uc5ec\ubd80, \ud328\ud0b7\uc774 \/etc\/psad\/auto_dl \ud30c\uc77c\uc5d0 \uc788\ub294 IP\ub098 \ub124\ud2b8\uc6cc\ud06c\ub85c\ubd80\ud130 \uc2dc\uc791\ub410\ub294\uc9c0 \uc5ec\ubd80\uc640 \uac19\uc740 \uc138 \uac00\uc9c0 \uc694\uc18c\uc5d0 \uae30\ubc18\ud574 \ud560\ub2f9\ub41c\ub2e4.<\/p>\n

 \ud3ec\ud2b8 \uc2a4\uce94\uc758 \uacbd\uc6b0 \uc2a4\uce94\uc758 \ud328\ud0b7 \uc218\uc5d0 \ub530\ub77c DANGER_LEVEL{n} \ubcc0\uc218 \uac12\uc774 \ub2ec\ub77c\uc9c0\uba70, psad.conf \ud30c\uc77c\uc5d0 \ub2e4\uc74c\uacfc \uac19\uc774 \uc815\uc758\ub3fc \uc788\ub2e4.<\/p>\n

### Danger levels.  These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1               5;    ### Number of packets.
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;<\/p><\/blockquote>\n

 — HOME_NET
 psad\ub294 \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d\uc744 \ud0d0\uc9c0\ud558\uae30 \uc704\ud574 \uc218\uc815\ub41c \uc2a4\ub178\ud2b8 \uaddc\uae30\uc744 \uc0ac\uc6a9\ud558\uae30 \ub54c\ubb38\uc5d0 psad.conf \ud30c\uc77c\uc5d0\uc11c psad\uac00 \uc0ac\uc6a9\ud558\ub294 \ubcc0\uc218\ub294 \uc2a4\ub178\ud2b8\uac00 \uc0ac\uc6a9\ud558\ub294 \ubcc0\uc218\uc640 \uc720\uc0ac\ud558\ub2e4. HOME_NET \ubcc0\uc218\ub294 \uc2e4\ud589 \uc911\uc778 psad\uac00 \uc124\uce58\ub41c \uc2dc\uc2a4\ud15c\uc758 \ub85c\uceec \ub124\ud2b8\uc6cc\ud06c\ub97c \uc815\uc758\ud55c\ub2e4. \uadf8\ub7ec\ub098 psad\uc640 \uc2a4\ub178\ud2b8\uac00 HOME_NET \ubcc0\uc218\ub97c \ucc98\ub9ac\ud558\ub294 \ub370\uc5d0\ub294 \ud55c\uac00\uc9c0 \ucc28\uc774\uc810\uc774 \uc788\ub2e4. psad\ub294 INPUT \uccb4\uc778\uc5d0 \uae30\ub85d\ub41c \ubaa8\ub4e0 \ud328\ud0b7\uc758 \ubaa9\uc801\uc9c0\ub97c \ucd9c\ubc1c\uc9c0 \uc8fc\uc18c\uc640 \ubb34\uad00\ud558\uac8c \ud648 \ub124\ud2b8\uc6cc\ud06c\ub85c \ucde8\uae09\ud55c\ub2e4. \uc774\ub294 iptables \ubc29\ud654\ubcbd \uc790\uccb4\uc5d0\uc11c \ub77c\uc6b0\ud305\ub410\uae30 \ub54c\ubb38\uc774\ub2e4. ENABLE_INTF_LOCAL \ubcc0\uc218\ub97c N\uc73c\ub85c \uc124\uc815\ud574\uc11c \uc774\ub7ec\ud55c \ub3d9\uc791\uc744 \uc7ac\uc815\uc758\ud560 \uc218 \uc788\ub2e4.<\/p>\n

### Specify the home and external networks.  Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
#@@ the HOME_NET variable.
HOME_NET                    any;
EXTERNAL_NET                any;<\/p><\/blockquote>\n

 — EXTERNAL_NET
 EXTERNAL_NET \ubcc0\uc218\ub294 \uc678\ubd80 \ub124\ud2b8\uc6cc\ud06c\ub97c \uc815\uc758\ud55c\ub2e4. \uae30\ubcf8 \uac12\uc740 any \uc774\uc9c0\ub9cc HOME_NET \ubcc0\uc218\ucc98\ub7fc \uc784\uc758\uc758 \ub124\ud2b8\uc6cc\ud06c \ubaa9\ub85d\uc73c\ub85c \uc124\uc815\ud560 \uc218 \uc788\ub2e4. \ub300\ubd80\ubd84\uc758 \uacbd\uc6b0 \uae30\ubcf8 \uac12\uc774 \uac00\uc7a5 \uc88b\uc744 \uac83\uc774\ub2e4.<\/p>\n

 — SYSLOG_DAEMON
 SYSLOG_DAEMON \ubcc0\uc218\ub294 psad \uc5d0\uac8c \ub85c\uceec \uc2dc\uc2a4\ud15c\uc5d0\uc11c \uc2e4\ud589 \uc911\uc778 syslog \ub370\ubaac\uc774 \ubb34\uc5c7\uc778\uc9c0 \uc54c\ub824\uc900\ub2e4. \uc774 \ubcc0\uc218\ub294 syslogd, syslog-ng, ulogd, metalog \uc911 \ud558\ub098\uc758 \uac12\uc744 \uac00\uc9c4\ub2e4. psad\ub294 \uc774 \ubcc0\uc218 \uac12\uc744 \uc774\uc6a9\ud574\uc11c \ud574\ub2f9 syslog \uc124\uc815 \ud30c\uc77c\uc774 kern.info \uba54\uc2dc\uc9c0\ub97c \uba85\uba85\ub41c \ud30c\uc774\ud504 \/var\/lib\/psad\/psadfifo\uc5d0 \uae30\ub85d\ud558\uac8c \uc801\uc808\ud788 \uc124\uc815\ub410\ub294\uc9c0 \ud655\uc778\ud55c\ub2e4. \ub2e8, psad\uac00 ulogd\ub97c \ud1b5\ud574 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uc5bb\ub294 \uacbd\uc6b0\ub294 \uc608\uc678\uc778\ub370 ulogd\uac00 \uba54\uc2dc\uc9c0\ub97c \uc9c1\uc811 \ub514\uc2a4\ud06c\uc5d0 \uae30\ub85d\ud558\uae30 \ub54c\ubb38\uc5d0 syslog \ub370\ubaac\uc774 \uc2e4\ud589 \uc911\uc774\uc9c0 \uc54a\uc544\ub3c4 \ub41c\ub2e4. \uc774 \uacbd\uc6b0 psad\ub294 kmsgsd \ub370\ubaac\uc744 \uc2dc\uc791\ud558\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n

### Set the type of syslog daemon that is used.  The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog.
SYSLOG_DAEMON               syslogd;<\/p><\/blockquote>\n

 — CHECK_INTERVAL
 psad\ub294 \ub300\ubd80\ubd84\uc758 \uc2dc\uac04\uc744 \ub300\uae30\ud558\uba74\uc11c \ubcf4\ub0b4\uba70 \uc0c8\ub85c\uc6b4 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uac00 \/var\/log\/psad\/fwdata \ud30c\uc77c\uc5d0 \uae30\ub85d\ub420 \ub54c\ub9cc \ud65c\uc131\ud654\ub41c\ub2e4. \ud655\uc778 \uc2dc\uac04 \uac04\uaca9\uc744 CHECK_INTERVAL \ubcc0\uc218\ub85c \uc815\uc758\ud558\uba70 \ucd08\ub85c \ub098\ud0c0\ub0b8\ub2e4. \uae30\ubcf8 \uac12\uc740 5\ucd08\ub2e4. \uc774 \uac04\uaca9\uc740 \ucd5c\uc18c 1\ucd08\uae4c\uc9c0 \uc124\uc815\ud560 \uc218 \uc788\uc9c0\ub9cc \uacbd\uace0\uac00 \ucd5c\ub300\ud55c \ube68\ub9ac \uc0dd\uc131\ub418\uae38 \uc6d0\ud558\ub294 \uacbd\uc6b0\uac00 \uc544\ub2c8\ub77c\uba74 \ubcf4\ud1b5 \uc774\ub807\uac8c \uc791\uc740 \uac12\uc73c\ub85c \uc124\uc815\ud560 \ud544\uc694\ub294 \uc5c6\ub2e4.<\/p>\n

### Set the interval (in seconds) psad will use to sleep before
### checking for new iptables log messages
CHECK_INTERVAL              5;<\/p><\/blockquote>\n

  — SCAN_TIMEOUT
 \uae30\ubcf8\uc801\uc73c\ub85c SCAN_TIMEOUT \ubcc0\uc218\ub294 3600\ucd08(1\uc2dc\uac04)\ub85c \uc124\uc815\ub418\uba70 psad\ub294 \uc774 \uac12\uc744 \uc2a4\uce94\uc774 \ucd94\uc801\ub418\ub294 \uc2dc\uac04 \uac04\uaca9\uc73c\ub85c \uc0ac\uc6a9\ud55c\ub2e4. \uc989, \ud2b9\uc815 IP \uc8fc\uc18c\uc5d0\uc11c \uc545\uc758\uc801\uc778 \ud2b8\ub798\ud53d\uc774 \uc774 \uc2dc\uac04 \uac04\uaca9\ub3d9\uc548 \uc704\ud5d8 \uc218\uc900 1\uc5d0 \ub3c4\ub2ec\ud558\uc9c0 \uc54a\uc73c\uba74 psad\ub294 \uacbd\uace0\ub97c \uc0dd\uc131\ud558\uc9c0 \uc54a\ub294\ub2e4. ENABLE_PERSISTENCE\ub97c Y\ub85c \uc124\uc815\ud558\uba74 psad\ub294 SCAN_TIMEOUT \ubcc0\uc218\ub97c \ubb34\uc2dc\ud55c\ub2e4.<\/p>\n

### This is used only if ENABLE_PERSISTENCE = “N”;
SCAN_TIMEOUT                3600;  ### seconds<\/p><\/blockquote>\n

 — ENABLE_PERSISTENCE
 \ud3ec\ud2b8 \uc2a4\uce94 \ud0d0\uc9c0 \uc18c\ud504\ud2b8\uc6e8\uc5b4\ub294 \uc77c\ubc18\uc801\uc73c\ub85c \ud3ec\ud2b8 \uc2a4\uce94\uc744 \uc7a1\uae30 \uc704\ud574 \ub450 \uac1c\uc758 \uc784\uacc4\uce58\ub97c \uc124\uc815\ud574\uc57c \ud558\ub294\ub370, \uc870\uc0ac\ub418\ub294 \ud3ec\ud2b8 \uc218\uc640 \uc2dc\uac04 \uac04\uaca9\uc774 \uadf8\uac83\uc774\ub2e4. \uacf5\uaca9\uc790\ub294 \uc2a4\uce94\ub418\ub294 \ud3ec\ud2b8\uc758 \uc218\ub97c \uc904\uc774\uac70\ub098 \uc2a4\uce94\uc758 \uc18d\ub3c4\ub97c \uc904\uc5ec\uc11c \ud3ec\ud2b8 \uc2a4\uce94\uc774 \uc774 \uc784\uacc4\uce58\uc5d0 \ub3c4\ub2ec\ud558\uc9c0 \uc54a\uac8c \ud560 \uc218 \uc788\ub2e4. ENABLE_PERSISTENCE \ubcc0\uc218\ub294 psad\uac00 SCAN_TIMEOUT \ubcc0\uc218\ub97c \uc2a4\uce94 \ud0d0\uc9c0\uc758 \uc694\uc18c\ub85c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uac8c \ud574\uc900\ub2e4. \uc774\ub294 \uc2a4\uce90\ub108\uac00 \uc218\uc77c\uc774\ub098 \uc218\uc8fc\uc5d0 \uac78\uccd0 \ubaa9\ud45c \uc2dc\uc2a4\ud15c\uc744 \ucc9c\ucc9c\ud788 \uc2a4\uce94\ud568\uc73c\ub85c\uc368 \uc2dc\uac04 \ub9cc\ub8cc \uc784\uacc4\uce58\ubcf4\ub2e4 \ub0ae\uc740 \uc218\uc900\uc5d0 \uba38\ubb3c\uac8c \ud558\ub824\ub294 \uc2dc\ub3c4\ub97c \ubb34\ub825\ud654\ud558\ub294 \ub370 \uc720\uc6a9\ud558\ub2e4. \uc2a4\uce94\uc774 \ucd5c\uc18c DANGER_LEVEL1 \ubcc0\uc218\uc5d0 \uc758\ud574 \uc815\uc758\ub41c \ud328\ud0b7\uc218\uc5d0 \ub3c4\ub2ec\ud558\uba74(\uc774 \uc218\uc5d0 \ub3c4\ub2ec\ud558\ub294 \ub370 \uac78\ub9b0 \uc2dc\uac04\uc774 \uc5bc\ub9c8\ub098 \uae34\uc9c0\uc5d0 \ubb34\uad00\ud558\uac8c) psad\ub294 \uacbd\uace0\ub97c \uc804\uc1a1\ud55c\ub2e4.<\/p>\n

### If “Y”, means that scans will never timeout.  This is useful
### for catching scans that take place over long periods of time
### where the attacker is trying to slip beneath the IDS thresholds.
ENABLE_PERSISTENCE          Y;<\/p><\/blockquote>\n

 — PORT_RANGE_SCAN_THRESHOLD
 \uc774 \ubcc0\uc218\ub97c \ud1b5\ud574 psad\uac00 \uc704\ud5d8 \uc218\uc900\uc744 \ud3ec\ud2b8 \uc2a4\uce94\uc5d0 \ud560\ub2f9\ud558\uae30 \uc804\uc5d0 \uc2a4\uce94\ub3fc\uc57c \ud558\ub294 \ud3ec\ud2b8\uc758 \ucd5c\uc18c \ubc94\uc704\ub97c \uc815\uc758\ud560 \uc218 \uc788\ub2e4. \uae30\ubcf8\uc801\uc73c\ub85c PORT_RANGE_SCAN_THRESHOLD\ub294 1\ub85c \uc124\uc815\ub418\uba70, \uc774\ub294 \uc704\ud5d8 \uc218\uc900 1\uc5d0 \uc774\ub974\uae30 \uc804\uc5d0 \ucd5c\uc18c\ud55c \ub450 \uac1c\uc758 \uc11c\ub85c \ub2e4\ub978 \ud3ec\ud2b8\uac00 \uc2a4\uce94\ub3fc\uc57c \ud568\uc744 \uc758\ubbf8\ud55c\ub2e4. \ud55c IP \uc8fc\uc18c\uac00 \ud55c \ud3ec\ud2b8\ub9cc\uc744 \ubc18\ubcf5\uc801\uc73c\ub85c \uc2a4\uce94\ud560 \uc218 \uc788\ub294\ub370, \uc774 \uacbd\uc6b0 psad\ub294 \uacbd\uace0\ub97c \uc804\uc1a1\ud558\uc9c0 \uc54a\ub294\ub2e4(\ucd5c\uc18c \uc704\ud5d8 \uc218\uc900 1\uc774 \ud560\ub2f9\ub418\uc9c0 \uc54a\uc740 \ud65c\ub3d9\uc5d0 \ub300\ud574\uc11c\ub294 \uc808\ub300 \uacbd\uace0\uac00 \uc804\uc1a1\ub418\uc9c0 \uc54a\uc73c\uba70, psad\uc5d0\uc11c\ub294 \uacbd\uace0\uac00 \uc804\uc1a1\ub418\ub294 \ucd5c\uc18c \uc704\ud5d8 \uc218\uc900\uc744 1\uc5d0\uc11c 5\uae4c\uc9c0\ub85c \uc124\uc815\ud560 \uc218 \uc788\ub2e4. “EMAIL_ALERT_DANGER_LEVEL” \ucc38\uc870). psad\uac00 \uc2a4\uce94\ub418\ub294 \ud3ec\ud2b8\uc758 \ubc94\uc704\ub97c \ud0d0\uc9c0 \uc694\uc18c\ub85c \uc0ac\uc6a9\ud558\uac8c \ud558\uace0 \uc2f6\uc9c0 \uc54a\ub2e4\uba74 PORT_RANGE_SCAN_THRESHOLD\ub97c 0\uc73c\ub85c \uc124\uc815\ud558\uba74 \ub41c\ub2e4.<\/p>\n

### Set the minimum range of ports that must be scanned before
### psad will send an alert.  The default is 1 so that at
### least two port must be scanned (p2-p1 >= 1).  This can be set
### to 0 if you want psad to be extra paranoid, or 30000 if not.
PORT_RANGE_SCAN_THRESHOLD   1;<\/p><\/blockquote>\n

 — EMAIL_ALERT_DANGER_LEVEL
 \uc774 \ubcc0\uc218\ub294 \uc5b4\ub5a4 IP \uc8fc\uc18c\uac00 \ucd5c\uc18c \uc774 \uac12\uacfc \ub3d9\uc77c\ud55c \uc704\ud5d8 \uc218\uc900\uc73c\ub85c \ud560\ub2f9\ub418\uc9c0 \uc54a\ub294 \ud55c psad\uac00 \uba54\uc77c \uacbd\uace0\ub97c \uc804\uc1a1\ud558\uc9c0 \uc54a\uac8c \ud558\ub294 \uc704\ud5d8 \uc218\uc900\uc758 \ucd5c\uc18c \uac12\uc744 \uc124\uc815\ud558\ub294 \ub370 \uc4f0\uc778\ub2e4. \uae30\ubcf8 \uac12\uc740 1\uc774\ub2e4.<\/p>\n

### Only send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL    1;<\/p><\/blockquote>\n

 — MIN_DANGER_LEVEL
 MIN_DANGER_LEVEL \uc784\uacc4\uce58\ub294 psad\uac00 \uc218\ud589\ud558\ub294 \ubaa8\ub4e0 \uacbd\uace0\uc640 \ucd94\uc801\uae30\ub2a5\uc744 \uc704\ud55c \uc804\uc5ed \uc784\uacc4\uce58\ub2e4. \uc608\ub97c \ub4e4\uc5b4 MIN_DANGER_LEVEL\uc774 2\ub85c \uc124\uc815\ub418\uba74 psad\ub294 \ud2b9\uc815 IP \uc8fc\uc18c\uac00 \uc704\ud5d8 \uc218\uc900 2\uc5d0 \ub3c4\ub2ec\ud558\uae30 \uc804\uc5d0\ub294 \uc774\ub97c \/var\/log\/psad\/ip \ub514\ub809\ud1a0\ub9ac\uc5d0 \uae30\ub85d\ud558\uc9c0\ub3c4 \uc54a\ub294\ub2e4. \uadf8\ub7ec\ubbc0\ub85c MIN_DANGER_LEVEL \ubcc0\uc218\ub294 \ud56d\uc0c1 EMAIL_ALERT_DANGER_LEVEL \ubcc0\uc218\uc758 \uac12\ubcf4\ub2e4 \uc791\uac70\ub098 \uac19\uac8c \uc124\uc815\ud574\uc57c \ud55c\ub2e4. \uae30\ubcf8 MIN_DANGER_LEVEL \uac12\uc740 1\uc774\ub2e4.<\/p>\n

### Minimum danger level a scan must reach before any logging or
### alerting is done.  The EMAIL_ALERT_DANGER_LEVEL variable below
### only refers to email alerts; the MIN_DANGER_LEVEL variable
### applies to everything from email alerts to whether or not the
### IP directory is created within \/var\/log\/psad\/.  Hence
### MIN_DANGER_LEVEL should be set less than or equal to the value
### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
MIN_DANGER_LEVEL            1;<\/p><\/blockquote>\n

 — SHOW_ALL_SIGNATURES
 \uc774 \ubcc0\uc218\ub294 psad\uac00 \ubaa8\ub4e0 \uacbd\uace0\uc5d0\uc11c IP \uc8fc\uc18c\uc640 \uad00\ub828\ub41c \ubaa8\ub4e0 \uc11c\uba85 \uacbd\uace0 \uc815\ubcf4\ub97c \ud3ec\ud568\ud558\uac8c \ud560\uc9c0 \uc5ec\ubd80\ub97c \uacb0\uc815\ud55c\ub2e4. \uc774 \ubcc0\uc218\ub97c \ud65c\uc131\ud654\ud560 \uacbd\uc6b0 \ud2b9\uc815 IP \uc8fc\uc18c\uac00 \uc624\uc0c8\ub3d9\uc548 \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \ud2b8\ub798\ud53d\uc73c\ub85c \ud55c \uc0ac\uc774\ud2b8\uc5d0 \uc811\uc18d\ud560 \ub54c \ub9e4\uc6b0 \uae34 \uba54\uc77c \uacbd\uace0\uac00 \ucd08\ub798\ub420 \uc218 \uc788\uae30 \ub54c\ubb38\uc5d0 \uc774\ub294 \uae30\ubcf8\uc801\uc73c\ub85c \ube44\ud65c\uc131\ud654\ub41c\ub2e4. \uadf8\ub7ec\ub098 SHOW_ALL_SIGNATURES\uac00 \ube44\ud65c\uc131\ud654\ub41c \uacbd\uc6b0\uc5d0\ub3c4 psad \uba54\uc77c \uacbd\uace0\ub294 \ub9c8\uc9c0\ub9c9 CHECK_INTERVAL\uc5d0\uc11c \uc0c8\ub85c \ucd09\ubc1c\ub41c \uc11c\uba85\uc740 \ubaa8\ub450 \ud3ec\ud568\ud55c\ub2e4.<\/p>\n

### If “Y”, means all signatures will be shown since
### the scan started instead of just the current ones.
SHOW_ALL_SIGNATURES         N;<\/p><\/blockquote>\n

 — ALERT_ALL
 \uc774 \ubcc0\uc218\uac00 Y\ub85c \uc124\uc815\ub418\uba74 psad\ub294 \uc5b4\ub5a4 IP \uc8fc\uc18c\ub85c\ubd80\ud130\uc758 \uc0c8\ub85c\uc6b4 \uc545\uc758\uc801\uc778 \ud65c\ub3d9\uc774 \uc704\ud5d8 \uc218\uc900 1\uc5d0 \ub3c4\ub2ec\ud558\ub294 \ud55c \uc774\ub7ec\ud55c \ud65c\ub3d9\uc774 \ud0d0\uc9c0\ub420 \ub54c\ub9c8\ub2e4 \uba54\uc77c\uc774\ub098 syslog \uacbd\uace0, \ub610\ub294 \ub458 \ubaa8\ub450\ub97c \uc0dd\uc131\ud55c\ub2e4. N\uc73c\ub85c \uc124\uc815\ub418\uba74 IP \uc8fc\uc18c\uc5d0 \ud560\ub2f9\ub41c \uc704\ud5d8 \uc218\uc900\uc774 \uc99d\uac00\ud560 \ub54c\ub9cc \uacbd\uace0\ub97c \uc0dd\uc131\ud55c\ub2e4.<\/p>\n

### If “Y”, send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
ALERT_ALL                   Y;<\/p><\/blockquote>\n

 — SNORT_SID_STR
 \uc774 \ubcc0\uc218\ub294 \uc5b4\ub5a4 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uac00 \uc2a4\ub178\ud2b8 \uaddc\uce59 \ud558\ub098\ub97c \uc644\uc804\ud558\uac8c \uae30\uc220\ud558\ub294 iptables \uaddc\uce59\uc5d0 \uc758\ud574 \uc0dd\uc131\ub410\ub294\uc9c0 \uc54c\uc544\ubcf4\uae30 \uc704\ud574 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc640 \ub9e4\uce6d\uc2dc\ud0ac \ubd80\ubd84 \ubb38\uc790\uc5f4\uc744 \uc815\uc758\ud55c\ub2e4. \uc774\ub7f0 iptables \uaddc\uce59\uc740 fwsnort\uac00 \uc0dd\uc131\ud558\uba70 \uc77c\ubc18\uc801\uc73c\ub85c \ub85c\uae45 \uc811\ub450\uc5b4 SID{n}\uc744 \ud3ec\ud568\ud55c\ub2e4. \uc5ec\uae30\uc11c {n}\uc740 \uc6d0\ubcf8 \uc2a4\ub178\ud2b8 \uaddc\uce59\uc5d0\uc11c \uc5bb\uc740 \uc2a4\ub178\ud2b8 ID \ubc88\ud638\ub2e4. SNORT_SID_STR\uc758 \uae30\ubcf8 \uac12\uc740 \ub2e8\uc21c\ud788 SID\ub2e4.<\/p>\n

### Search for snort “sid” values generated by fwsnort
### or snort2iptables
SNORT_SID_STR               SID;<\/p><\/blockquote>\n

 — ENABLE_AUTO_IDS
 \uc774 \ubcc0\uc218\ub294 Y\ub85c \uc124\uc815\ub418\ub294 \uacbd\uc6b0 psad\ub97c \uc218\ub3d9\uc801 \ubaa8\ub2c8\ud130\ub9c1 \ub370\ubaac\uc5d0\uc11c, (INPUT \uccb4\uc778\uacfc OUTPUT \uccb4\uc778\uc744 \ud1b5\ud574) \ub85c\uceec \uc2dc\uc2a4\ud15c\uacfc (FORWARD \uccb4\uc778\uc744 \ud1b5\ud574) \ub85c\uceec \uc2dc\uc2a4\ud15c\uc5d0 \uc758\ud574 \ubcf4\ud638\ub418\ub294 \ubaa8\ub4e0 \uc2dc\uc2a4\ud15c\uacfc \uc5f0\ub3d9\ud574\uc11c \uacf5\uaca9\uc790 IP \uc8fc\uc18c\ub97c \ucc28\ub2e8\ud558\uae30 \uc704\ud574 \ub85c\uceec iptables \uc815\ucc45\uc744 \ub3d9\uc801\uc73c\ub85c \uc7ac\uc124\uc815\ud568\uc73c\ub85c\uc368 \uacf5\uaca9\uc5d0 \ub2a5\ub3d9\uc801\uc73c\ub85c \uc751\ub2f5\ud558\ub294 \ud504\ub85c\uadf8\ub7a8\uc73c\ub85c \ubcc0\ud658\ud55c\ub2e4.<\/p>\n

### If “Y”, enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS             N;<\/p><\/blockquote>\n

 — IMPORT_OLD_SCANS
 psad\uac00 \ud3ec\ud2b8 \uc2a4\uce94\uacfc \uae30\ud0c0 \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \ud65c\ub3d9\uc5d0 \ub300\ud574 \uc218\uc9d1\ud558\ub294 \uc815\ubcf4\ub294 \/var\/log\/psad \ub514\ub809\ud1a0\ub9ac\uc5d0 \uae30\ub85d\ub41c\ub2e4. \uc704\ud5d8 \uc218\uc900 1\uc5d0 \ub3c4\ub2ec\ud55c \ubaa8\ub4e0 IP \uc8fc\uc18c\uc5d0 \ub300\ud574 \uc0c8 \ub514\ub809\ud1a0\ub9ac \/var\/log\/psad\/ip\uac00 \uc0dd\uc131\ub41c\ub2e4. \uc774 \ub514\ub809\ud1a0\ub9ac\uc5d0 \uc800\uc7a5\ub418\ub294 \ub2e4\uc591\ud55c \ud30c\uc77c\uc5d0\ub294 \uac00\uc7a5 \ucd5c\uadfc\uc758 \uba54\uc77c \uacbd\uace0, whois \ucd9c\ub825, \uc11c\uba85 \ub9e4\uce6d, \uc704\ud5d8 \uc218\uc900, \ud328\ud0b7 \uc218\uac00 \ud3ec\ud568\ub41c\ub2e4. \ucc98\uc74c \uc2dc\uc791 \uc2dc psad\ub294 \ubcf4\ud1b5 \uae30\uc874\uc758 \/var\/log\/psad\/ip \ub514\ub809\ud1a0\ub9ac\ub97c \uc81c\uac70\ud558\uc9c0\ub9cc IMPORT_OLD_SCANS\ub97c Y\ub85c \uc124\uc815\ud574\uc11c \uae30\uc874\uc758 \ub514\ub809\ud1a0\ub9ac\ub85c\ubd80\ud130 \ubaa8\ub4e0 \ub370\uc774\ud130\ub97c \uac00\uc838\uc62c \uc218 \uc788\ub2e4. \uc774 \uae30\ub2a5\uc744 \ud1b5\ud574 \uc774\uc804 psad \uc778\uc2a4\ud134\uc2a4\uc758 \uc2a4\ud0ec \ub370\uc774\ud130\ub97c \uc783\uc9c0 \uc54a\uace0 psad\ub97c \uc7ac\uc2dc\uc791\ud558\uac70\ub098 \uc804\uccb4 \uc2dc\uc2a4\ud15c\uc744 \uc7ac\ubd80\ud305\ud560 \uc218 \uc788\ub2e4.<\/p>\n

### If “Y”, then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
### archive directory.
IMPORT_OLD_SCANS            Y;<\/p><\/blockquote>\n

 — ENABLE_DSHIELD_ALERTS
 \uc774 \ubcc0\uc218\ub97c Y\ub85c \uc124\uc815\ud558\uba74 psad\ub294 \uc2a4\uce94 \ub370\uc774\ud130\ub97c DSHield \ubd84\uc0b0 \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c\uc73c\ub85c \uc804\uc1a1\ud55c\ub2e4. \uc2a4\uce94 \uc815\ubcf4\ub294 \ubbfc\uac10\ud55c \uc815\ubcf4\uc77c \uc218 \uc788\uae30 \ub54c\ubb38\uc5d0 \uc2a4\uce94 \ub370\uc774\ud130\ub97c DShield\ub85c \ub118\uae30\uba74 \ud574\ub2f9 \uc2a4\uce94 \ub370\uc774\ud130\ub294 \ub354 \uc774\uc0c1 \uc5ec\ub7ec\ubd84\uc758 \uc81c\uc5b4 \ud558\uc5d0 \uc788\uc9c0 \uc54a\uc73c\uba70 \uc0c1\ub300\uc801\uc73c\ub85c \uc5f4\ub9b0 \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub85c \uad6c\ubb38 \ubd84\uc11d\ub41c\ub2e4\ub294 \uc810\uc744 \uc54c\uc544\uc57c \ud55c\ub2e4. \uadf8\ub7ec\ub098 DShield\ub294 \uac00\uc7a5 \uc77c\ubc18\uc801\uc73c\ub85c \uacf5\uaca9\ub2f9\ud558\ub294 \uc11c\ube44\uc2a4\ub098 \ud604\uc7ac \ub300\ubd80\ubd84\uc758 \uc2dc\uc2a4\ud15c\uc744 \uacf5\uaca9\ud558\ub294 \uc5b4\ub5a4 IP \uc8fc\uc18c\uac00 \ubb34\uc5c7\uc778\uc9c0(\uc774\ub7f0 IP \uc8fc\uc18c\ub294 \uc5c4\uaca9\ud55c \ubc29\ud654\ubcbd \uaddc\uce59\uc758 \uc88b\uc740 \ud6c4\ubcf4\uac00 \ub41c\ub2e4)\uc5d0 \ub300\ud55c \uc815\ubcf4\ub97c \uc0ac\uc6a9\uc790\uac00 \uc880 \ub354 \uc798 \uc774\ud574\ud560 \uc218 \uc788\uac8c \ud574\uc900\ub2e4. \ud544\uc790(\ub9c8\uc774\ud074 \ub798\uc26c)\ub294 DShield\ub85c \uc2a4\uce94 \uc815\ubcf4\ub97c \uc804\uc1a1\ud558\uba74 \uc548 \ub41c\ub2e4\ub294 \uc5c4\uaca9\ud55c \uc694\uad6c\uc0ac\ud56d(\uc608\ub97c \ub4e4\uc5b4 \uc0ac\uc774\ud2b8 \ubcf4\uc548 \uc815\ucc45\uc5d0\uc11c \uc774\ub97c \uac15\uc81c\ud560 \uc218 \uc788\ub2e4)\uc774 \uc5c6\ub294 \ud55c psad\uc5d0\uc11c \uc774 \uae30\ub2a5\uc744 \ud65c\uc131\ud654\ud560 \uac83\uc744 \uac15\ub825\ud788 \uad8c\uc7a5\ud55c\ub2e4. \ub9ce\uc740 \uc0ac\ub78c\ub4e4\uc774 \uc774 \uae30\ub2a5\uc744 \ud65c\uc131\ud654\ud560\uc218\ub85d \uc778\ud130\ub137\uc740 \uc880 \ub354 \uc548\uc815\ud574\uc9c4\ub2e4.<\/p>\n

### Send scan logs to dshield.org.  This is disabled by default,
### but is a good idea to enable it (subject to your site security
### policy) since the DShield service helps to track the bad guys.
### For more information visit http:\/\/www.dshield.org
ENABLE_DSHIELD_ALERTS       Y;<\/p><\/blockquote>\n

 — IGNORE_PORTS
 \ub9ce\uc740 \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c\uc758 \uc8fc\uc694 \uae30\ub2a5\uc740 \uad00\ub9ac\uc790\uac00 IDS\ub85c \ud558\uc5ec\uae08 \uc644\uc804\ud788 \ubb34\uc2dc\ud558\uac8c \ud558\uace0 \uc2f6\uc740 \ub370\uc774\ud130 \uc870\uac01\uc744 \ud544\ud130\ub9c1\ud558\ub294 \uae30\ub2a5\uc774\ub2e4. IGNORE_PORTS \ubcc0\uc218\ub294 psad\uac00 \ubaa9\uc801\uc9c0 \ud3ec\ud2b8 \ubc88\ud638\uc640 \ud504\ub85c\ud1a0\ucf5c(TCP\ub098 UDP)\uc5d0 \uae30\ubc18\ud574\uc11c iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \ubb34\uc2dc\ud558\uac8c \ud55c\ub2e4. \ud3ec\ud2b8 \ubc88\uc704\uc640 \ub2e4\uc911 \ud3ec\ud2b8, \ud504\ub85c\ud1a0\ucf5c \uc870\ud569\uc740 \ub2e4\uc74c\uacfc \uac19\uc774 \uc9c0\uc815\ud560 \uc218 \uc788\ub2e4.<\/p>\n

### define a set of ports to ignore (this is useful particularly
### for port knocking applications since the knock sequence will
### look to psad like a scan).  This variable may be defined as
### a comma-separated list of port numbers or port ranges and
### corresponding protocol,  For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS        tcp\/61000-61356, udp\/53, udp\/5000;
IGNORE_PORTS                NONE;<\/p><\/blockquote>\n

 — IGNORE_PROTOCOLS
 IGNORE_PROTOCOLS \ubcc0\uc218\ub97c \uc0ac\uc6a9\ud558\uba74 psad\ub294 \uc804\uccb4 \ud504\ub85c\ud1a0\ucf5c\uc744 \ubb34\uc2dc\ud560 \uc218 \uc788\ub2e4. \ub300\uac1c\ub294 iptables \uc815\ucc45\uc744 \uc870\uc815\ud574\uc11c \ubb34\uc2dc\ud558\uace0 \uc2f6\uc740 \ud504\ub85c\ud1a0\ucf5c\uc744 \uae30\ub85d\ud558\uc9c0 \uc54a\ub294 \uac83\uc774 \ub354 \uc88b\uc9c0\ub9cc \uc608\ub97c \ub4e4\uc5b4 psad\uac00 \ubaa8\ub4e0 ICMP \ud328\ud0b7\uc744 \ubb34\uc2dc\ud558\uac8c \ud558\uace0 \uc2f6\ub2e4\uba74 \ub2e4\uc74c\uacfc \uac19\uc774 IGNORE_PROTOCOLS\ub97c \uc124\uc815\ud558\uba74 \ub41c\ub2e4.<\/p>\n

### allow entire protocols to be ignored.  This keyword can accept
### a comma separated list of protocols.  Each protocol must match
### the protocol that is specified in a Netfilter log message (case
### insensitively, so both “TCP” or “tcp” is ok).
### IGNORE_PROTOCOL             tcp,udp;
IGNORE_PROTOCOLS            icmp;<\/p><\/blockquote>\n

 — IGNORE_LOG_PREFIXES
 iptables \uc815\ucc45\uc740 \ub9e4\uc6b0 \ubcf5\uc7a1\ud560 \uc218 \uc788\uc73c\uba70, \ub2e4\uc218\uc758 \uc5ec\ub7ec \uac00\uc9c0 \ub85c\uae45 \uaddc\uce59\uc744 \ud3ec\ud568\ud560 \uc218 \uc788\ub2e4. \ub610 \uac01 \ub85c\uae45 \uaddc\uce59\uc740 \uc790\uc2e0\ub9cc\uc758 \ub85c\uae45 \uc811\ub450\uc5b4\ub97c \uac00\uc9c8 \uc218\ub3c4 \uc788\ub2e4. psad\uac00 \ud2b9\uc815 \ub85c\uae45 \uc811\ub450\uc5b4(\uc608\ub97c \ub4e4\uc5b4 DROP:INPUT5:eth1)\ub97c \ubb34\uc2dc\ud558\uac8c \ud558\uace0 \uc2ed\ub2e4\uba74 IGNORE_LOG_PREFIXES\ub97c \ub2e4\uc74c\uacfc \uac19\uc774 \uc124\uc815\ud558\uba74 \ub41c\ub2e4.<\/p>\n

### Ignore these specific logging prefixes
IGNORE_LOG_PREFIXES         DROP:INPUT5:eth1;<\/p><\/blockquote>\n

 — EMAIL_LIMIT
 \uc5b4\ub5a4 \uacbd\uc6b0\uc5d0\ub294 Iptables \uc815\ucc45\uc774 \ud2b9\uc815 \ud2b8\ub798\ud53d\uc744 \uae30\ub85d\ud558\uac8c \uc124\uc815\ub418\ub294\ub370, \uc774 \ud2b8\ub798\ud53d\uc774 \ub124\ud2b8\uc6cc\ud06c\uc0c1\uc5d0\uc11c \uc5ec\ub7ec \ubc88 \ubc18\ubcf5\ub420 \uc218 \uc788\ub2e4(\uc608\ub97c \ub4e4\uc5b4 \ud2b9\uc815 DNS \uc11c\ubc84\ub85c\uc758 DNS \uc694\uccad). \uc774\ub7ec\ud55c \ud2b8\ub798\ud53d\uc774 \uc2a4\uce94\uc774\ub77c\uace0 \ud574\uc11d\ub418\uba74 \ud574\ub2f9 \ud2b8\ub798\ud53d \uc790\uccb4\uac00 \ubc18\ubcf5\ub418\uae30 \ub54c\ubb38\uc5d0 psad\ub294 \uc774 \ud2b8\ub798\ud53d\uc5d0 \ub300\ud574 \ub2e4\ub7c9\uc758 \uba54\uc77c \uacbd\uace0\ub97c \uc804\uc1a1\ud560 \uc218 \uc788\ub2e4. EMAIL_LIMIT \ubcc0\uc218\ub97c \uc0ac\uc6a9\ud558\uba74 psad\uac00 \uc2a4\uce90\ub2dd IP \uc8fc\uc18c\uc5d0 \ub300\ud574 \uc804\uc1a1\ub418\ub294 \uba54\uc77c \uacbd\uace0\uc758 \uc218\uc5d0 \uc81c\ud55c\uc744 \ub450\uac8c \uac15\uc81c\ud560 \uc218 \uc788\ub2e4. \uae30\ubcf8 \uac12\uc740 0\uc73c\ub85c \uc774\ub294 \uc81c\ud55c\uc774 \uc5c6\ub2e4\ub294 \uac83\uc744 \uc758\ubbf8\ud55c\ub2e4. \uadf8\ub7ec\ub098 EMAIL_LIMIT \uac12\uc744 50\uc73c\ub85c \uc124\uc815\ud558\uba74 psad\ub294 \ud2b9\uc815 IP \uc8fc\uc18c\uc5d0 \ub300\ud574 50\uac1c \uc774\uc0c1\uc758 \uba54\uc77c \uacbd\ub85c\ub97c \uc804\uc1a1\ud558\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n

### Send no more than this number of emails for a single
### scanning source IP.  Note that enabling this feature may cause
### alerts for real attacks to not be generated if an attack is sent
### after the email threshold has been reached for an IP address.
### This is why the default is set to “0”.
EMAIL_LIMIT                 50;<\/p><\/blockquote>\n

 — ALERTING_METHODS
 \ub300\ubd80\ubd84\uc758 \uad00\ub9ac\uc790\ub294 psad\uac00 \uc81c\uacf5\ud558\ub294 \uba54\uc77c\uacfc syslog \ubcf4\uace0 \ubaa8\ub4dc\ub97c \ubaa8\ub450 \uc0ac\uc6a9\ud55c\ub2e4. \uadf8\ub7ec\ub098 ALERTING_METHODS \ubcc0\uc18c\ub97c \uc774\uc6a9\ud558\uba74 psad\uac00 \uba54\uc77c \uacbd\uace0\uc640 syslog \uacbd\uace0 \uc911 \uc5b4\ub5a4 \uac83\uc744 \uc0dd\uc131\ud558\uac8c \ud560\uc9c0 \uc81c\uc5b4\ud560 \uc218 \uc788\ub2e4. ALERTING_METHODS \ubcc0\uc218\ub294 noemail, nosyslog, ALL\uacfc \uac19\uc740 \uc138 \uac00\uc9c0 \uac12\uc744 \uac00\uc9c8 \uc218 \uc788\ub2e4. noemail\uacfc nosyslog \uac12\uc740 psad\uac00 \uba54\uc77c\uc774\ub098 syslog \uacbd\uace0\ub97c \uc804\uc1a1\ud558\uc9c0 \uc54a\uac8c \ud55c\ub2e4. \uc774 \uac12\ub4e4\uc744 \uc870\ud569\ud574\uc11c \ubaa8\ub4e0 \uacbd\uace0\ub97c \ube44\ud65c\uc131\ud654\ud560 \uc218\ub3c4 \uc788\ub2e4. \uae30\ubcf8 \uac12\uc740 \ub458 \ubaa8\ub450\ub97c \uc0dd\uc131\ud558\ub294 \uac83\uc774\ub2e4.<\/p>\n

### Allow reporting methods to be enabled\/restricted.  This keyword can
### accept values of “nosyslog” (don’t write any messages to syslog),
### “noemail” (don’t send any email messages), or “ALL” (to generate both
### syslog and email messages).  “ALL” is the default.  Both “nosyslog”
### and “noemail” can be combined with a comma to disable all logging
### and alerting.
ALERTING_METHODS            ALL;<\/p><\/blockquote>\n

 — FW_MSG_SEARCH
 FW_MSG_SEARCH \ubcc0\uc218\ub294 psad\uac00 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uc5b4\ub5bb\uac8c \uac80\uc0c9\ud560 \uc9c0 \uc815\uc758\ud55c\ub2e4. psad\uac00 (iptables\uc5d0 \uc8fc\ub294 –log-prefix \uc778\uc790\ub97c \uc0ac\uc6a9\ud574 iptables LOG \uaddc\uce59\uc5d0 \uc815\uc758\ub41c) \ud2b9\uc815 \ub85c\uadf8 \uc811\ub450\uc5b4\ub97c \ud3ec\ud568\ud558\ub294 \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub9cc\uc744 \ubd84\uc11d\ud558\uac8c \uc81c\ud55c\ud558\ub824\uba74 FW_MSG_SEARCH \ubcc0\uc218\ub85c \uc811\ub450\uc5b4\ub97c \uc815\uc758\ud558\uba74 \ub41c\ub2e4. iptables\ub294 \ud328\ud0b7\uc5d0 FW_MSG_SEARCH \ubcc0\uc218 \uac12\uacfc \ub2e4\ub978 \ub85c\uadf8 \uc811\ub450\uc5b4\ub97c \ud560\ub2f9\ud558\uac8c \uc124\uc815\ud560 \uc218 \uc788\uc73c\uba70 \uc774 \uacbd\uc6b0 psad\ub294 \ud574\ub2f9 \ud328\ud0b7\uc744 \ubd84\uc11d\ud558\uc9c0 \uc54a\ub294\ub2e4.
 \uc608\ub97c \ub4e4\uc5b4 psad\uac00 \ubb38\uc790\uc5f4 DROP\uc744 \ud3ec\ud568\ud558\ub294 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub9cc\uc744 \ubd84\uc11d\ud558\uac8c \ud558\ub824\uba74 \ub2e4\uc74c\uacfc \uac19\uc774 FW_MSG_SEARCH \ubcc0\uc218\ub97c \uc124\uc815\ud558\uba74 \ub41c\ub2e4.<\/p>\n

### The FW_MSG_SEARCH variable can be modified to look for logging messages
### that are specific to your firewall configuration (specified by the
### “–log-prefix” option.  For example, if your firewall uses the
### string “Audit” for packets that have been blocked, then you could
### set FW_MSG_SEARCH to “Audit”;  The default string to search for is
### “DROP”.  Both psad and kmsgsd reference this file.  NOTE: You can
### specify this variable multiple times to have psad search for multiple
### strings.  For example to have psad search for the strings “Audit” and
### “Reject”, you would use the following two lines:
#FW_MSG_SEARCH               Audit;
#FW_MSG_SEARCH               REJECT;
FW_MSG_SEARCH               DROP;<\/p><\/blockquote>\n

 – \/etc\/psad\/auto_dl
 \ubaa8\ub4e0 IDS\ub294 \ud56d\uc0c1 \ub192\uc740 \ud655\ub960\ub85c \uae0d\uc815 \uc624\ub958\ub97c \ubc94\ud55c\ub2e4. \uadf8\ub7ec\ubbc0\ub85c IDS\ub294 \ud2b9\uc815 \uc2dc\uc2a4\ud15c, \ub124\ud2b8\uc6cc\ud06c, \ud504\ud1a0\ud1a0\ucf5c\uc774 \ubaa8\ub4e0 \ud0d0\uc9c0 \ub3d9\uc791\uacfc (\uac00\uc7a5 \uc911\uc694\ud558\uac8c\ub294) \uc790\ub3d9\ud654\ub41c \ubaa8\ub4e0 \uc751\ub2f5 \uae30\ub2a5\uc5d0\uc11c \uc81c\uc678\ub420 \uc218 \uc788\uac8c \ud574\uc8fc\ub294 \ud5c8\uc6a9 \ubaa9\ub85d \uae30\ub2a5\uc744 \uac16\ucdb0\uc57c \ud55c\ub2e4. \ub610 \ud2b9\uc815 IP \uc8fc\uc18c\ub098 \ub124\ud2b8\uc6cc\ud06c\uac00 \uacf5\uaca9\uc790\ub85c \uc54c\ub824\uc9c8 \uc218\ub3c4 \uc788\uc73c\ubbc0\ub85c \uc774\ub4e4\uc744 \ucc28\ub2e8\ud560 \ucc28\ub2e8 \ubaa9\ub85d \uae30\ub2a5\ub3c4 \ud544\uc694\ud558\ub2e4.<\/p>\n

 \uc774\ub7ec\ud55c \uc694\uad6c\uc0ac\ud56d\uc740 \ub2e4\uc74c\uacfc \uac19\uc740 \uad6c\ubb38\uc744 \ub530\ub974\ub294 psad\uc758 auto_dl \ud30c\uc77c\uc774 \ucda9\uc871\uc2dc\ud0a8\ub2e4.<\/p>\n

#  <IP address>  <danger level>  <optional protocol>\/<optional ports>;<\/p><\/blockquote>\n

 \uc704\ud5d8 \uc218\uc900\uc774 0\uc73c\ub85c \uc124\uc815\ub418\uba74 psad\ub294 \ud574\ub2f9 IP \uc8fc\uc18c\ub098 \ub124\ud2b8\uc6cc\ud06c\ub97c \uc644\uc804\ud788 \ubb34\uc2dc\ud55c\ub2e4. \ubc18\ub300\ub85c \ud2b9\uc815 IP \uc8fc\uc18c\ub098 \ub124\ud2b8\uc6cc\ud06c\uac00 \uadf9\ub3c4\ub85c \uc545\uc758\uc801\uc774\ub77c\uace0 \uc54c\ub824\uc9c0\ub294 \uacbd\uc6b0\uc5d0\ub294 \uc704\ud5d8 \uc218\uc900\uc744 5\ub85c \uc124\uc815\ud560 \uc218 \uc788\ub2e4.<\/p>\n

# Examples:
#
#  10.111.21.23    5;          # Very bad IP.
#  127.0.0.1       0;          # Ignore this IP.
#  10.10.1.0\/24    0;          # Ignore traffic from this entire class C.
#  192.168.10.4    3    tcp;   # Assign danger level 3 if protocol is tcp.
#  10.10.1.0\/24    3    tcp\/1-1024;  # Danger level 3 for tcp port range<\/p><\/blockquote>\n

 – \/etc\/psad\/signatures
 \/etc\/psad\/signatures \ud30c\uc77c\uc740 \uc57d\uac04 \uc218\uc815\ub41c \uc2a4\ub178\ud2b8 \uaddc\uce59\uc744 \uc57d 200\uac1c \uc815\ub3c4 \ud3ec\ud568\ud55c\ub2e4. \uc774 \uaddc\uce59\ub4e4\uc744 psad\uac00 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub85c\ubd80\ud130 \ubc14\ub85c \ud0d0\uc9c0\ud560 \uc218 \uc788\ub294 \uacf5\uaca9\uc744 \ub098\ud0c0\ub0b8\ub2e4. \uc774 \uaddc\uce59 \uc911 \uc5b4\ub5a4 \uac83\ub3c4 \ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d\uc5d0 \ub300\ud55c \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uacc4\uce35 \uac80\uc0ac\ub97c \ud544\uc694\ub85c \ud558\uc9c0 \uc54a\ub294\ub2e4. \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uacc4\uce35 \uac80\uc0ac\ub294 fwsnort\uac00 \uc218\ud589\ud55c\ub2e4. \uc774 \ud30c\uc77c\uc5d0 \uc788\ub294 \uaddc\uce59\uc744 \ud558\ub098 \uc608\ub85c \ub4e4\uba74 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n

alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:”DDOS Trin00 Daemon to Master”; reference:arachnids,187; reference:url,www.sans.org\/resources\/idfaq\/trinoo.php; classtype:attempted-recon; psad_dsize:>2; psad_id:100002; psad_dl:2; psad_derived_sids:223,231,232;)<\/p><\/blockquote>\n

 – \/etc\/psad\/snort_rule_dl
 \/etc\/psad\/auto_dl\uacfc \uc720\uc0ac\ud558\uac8c snort_rule_dl \ud30c\uc77c\uc740 psad\uac00 \uc2a4\ub178\ud2b8 \uaddc\uce58\uace0\uac00 \ub9e4\uce6d\ub418\ub294 \ubaa8\ub4e0 IP \uc8fc\uc18c\uc758 \uc704\ud5d8 \uc218\uc900\uc744 \uc790\ub3d9\uc73c\ub85c \uc124\uc815\ud558\uac8c \ud55c\ub2e4. \uc774 \ud30c\uc77c\uc758 \uad6c\ubb38\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n

# Syntax: Each non-comment line of this file contains a snort ID number, and
#         the corresponding psad danger level like so: <sid> <danger level>.<\/p><\/blockquote>\n

 \uc704\ud5d8 \uc218\uc900\uc774 0\uc774\ub77c\uba74 psad\ub294 \ud574\ub2f9 \uc11c\uba85 \ub9e4\uce6d\uc744 \ubb34\uc2dc\ud558\uace0 \uc5b4\ub5a4 \uacbd\uace0\ub3c4 \uc804\uc1a1\ud558\uc9c0 \uc54a\ub294\ub2e4. \uc77c\ubd80 \uc11c\uba85 \ub9e4\uce6d\uc740 \ub2e4\ub978 \uac83\ubcf4\ub2e4 \ub354 \uc548 \uc88b\uc744 \uc218 \uc788\ub2e4. \uc608\ub97c \ub4e4\uc5b4 psad\uac00 \uc2a4\ub178\ud2b8 \uaddc\uce59 ID 1812(EXPLOIT gobbles SSH exploit attempt)\uc640 \ub9e4\uce6d\ub418\ub294 \ud2b8\ub798\ud53d\uc744 \ud0d0\uc9c0 \ud588\ub2e4\uba74 \uc774\ub294 \uc7a0\uc7ac\uc801\uc73c\ub85c \uc2a4\ub178\ud2b8 \uaddc\uce59 ID 469(ICMP PING MAP)\uc5d0 \ub300\ud55c \ub9e4\uce6d\ubcf4\ub2e4 \ud6e8\uc52c \ub354 \uc704\ud5d8\ud558\ub2e4. \ubb3c\ub860 \uace0\ube14\uc2a4(Gobbles) SSH \uacf5\uaca9\uc758 \ud6a8\uacfc\ub97c \uc81c\ud55c\ud558\ub294 \uac00\uc7a5 \uc88b\uc740 \uc804\ub7b5\uc740 \uc560\ucd08\uc5d0 \ucde8\uc57d\ud55c SSH \ub370\ubaac\uc744 \uc2e4\ud589\ud558\uc9c0 \uc54a\ub294 \uac83\uc774\uc9c0\ub9cc \uc774 \uacf5\uaca9\uc744 \ud0d0\uc9c0\ud558\ub294 \uac83\uc740 \uc5ec\uc804\ud788 \uc911\uc694\ud558\ub2e4. \ub2e4\uc74c\uacfc \uac19\uc774 \uc2a4\ub178\ud2b8 \uaddc\uce59 2284\uc640 \ub9e4\uce6d\ub418\ub294 IP \uc8fc\uc18c\uc758 \uc704\ud5d8 \uc218\uc900\uc744 5\ub85c \uc124\uc815\ud560 \uc218 \uc788\ub2e4.<\/p>\n

### The following example illustrates the syntax for Snort SID 2284
2284   5;<\/p><\/blockquote>\n

 – \/etc\/psad\/ip_options
 IP \ud5e4\ub354\uc758 \uc635\uc158 \ubd80\ubd84\uc774 IP \ud1b5\uc2e0\uc5d0\uc11c \uc790\uc8fc \uc0ac\uc6a9\ub418\uc9c0\ub294 \uc54a\uc9c0\ub9cc iptables\ub294 –log-ip-options \uba85\ub839 \ud589 \uc778\uc790\ub97c \uc774\uc6a9\ud574\uc11c IP \uc635\uc158\uc744 \uae30\ub85d\ud560 \uc218 \uc788\ub2e4. iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uac00 IP \uc635\uc158\uc744 \ud3ec\ud568\ud558\ub294 \uacbd\uc6b0 psad\ub294 \uc18c\uc2a4 \ub77c\uc6b0\ud305(source routing) \uc2dc\ub3c4\uc640 \uac19\uc740 \uc218\uc0c1\ud55c \ud65c\ub3d9\uc5d0 \ub300\ud574 \uc774 \uc635\uc158\uc744 \uad6c\ubb38 \ubd84\uc11d\ud55c\ub2e4. \uc77c\ubd80 \uc2a4\ub178\ud2b8 \uaddc\uce59\uc740 IP \uc635\uc158\uc758 \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \uc0ac\uc6a9\uc744 \uc815\uc758\ud558\uba70, psad\ub294 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc758 IP \uc635\uc158\uc744 \ud574\uc11d\ud558\uae30 \uc704\ud574 \/etc\/psad\/ip_options \ud30c\uc77c\uc744 \ucc38\uc870\ud55c\ub2e4. \uc774 \ud30c\uc77c\uc740 \ub2e4\uc74c \uad6c\ubb38\uc5d0 \ub530\ub77c \uc77c\ubc18\uc801\uc73c\ub85c \uc0ac\uc6a9\ub418\ub294 IP \uc635\uc158\uacfc \uc774\uc5d0 \ub300\uc751\ub418\ub294 \uc2dd\ubcc4 \ubc88\ud638\ub97c \uc815\uc758\ud55c\ub2e4.<\/p>\n

#  <option value> <length (-1 for variable)> <ipopts argument> <description><\/p><\/blockquote>\n

 \uc544\ub798\ub294 \uc774\ub97c \ud65c\uc6a9\ud55c \uc608\ubb38\uc774\ub2e4.<\/p>\n

#  <option value> <length (-1 for variable)> <ipopts argument> <description>
0    1   eol         End of options list
1    1   nop         NOP
130  11  sec         Security
131  -1  lsrr        Loose Source Route
### (lsrre is included in Snort but not documented anywhere else)
132  -1  lsrre       Loose Source Route
68   -1  ts          Timestamp<\/p><\/blockquote>\n

 – \/etc\/psad\/pf.os
 psad\ub294 \uc6d0\uaca9 \uc6b4\uc601\uccb4\uc81c\ub97c \uc218\ub3d9\uc801\uc73c\ub85c \ud551\uac70 \ud504\ub9b0\ud305\ud558\uae30 \uc704\ud574 p0f \ud504\ub85c\uc81d\ud2b8\uc758 OS \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc0ac\uc6a9\ud55c\ub2e4. \uc774 \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub294 psad\uac00 \/etc\/psad\/pf.os \ud30c\uc77c\uc5d0 \uc124\uce58\ud558\uba70, psad\ub294 \ucc98\uc74c \uc2dc\uc791\ud560 \ub54c(\ub610\ub294 Psad\uac00 kill \uba85\ub839\uc5b4\ub098 psad -H\ub97c \ud1b5\ud574 \uc911\ub2e8(hangup)\uc774\ub098 HUP \uc2e0\ud638\ub97c \ubc1b\uc558\uc744 \ub54c) \uc774\ub97c \ubd88\ub7ec\uc628\ub2e4.<\/p>\n

 \ub2e4\uc74c\uc740 \ub9ac\ub205\uc2a4\uc5d0 \ub300\ud55c p0f \ud551\uac70\ud504\ub9b0\ud2b8\uc758 \uc608\ub2e4.<\/p>\n

# S1:64:0:44:M*:A:              Linux:1.2::Linux 1.2.x (XXX quirks support)
512:64:0:44:M*:                 Linux:2.0:3x:Linux 2.0.3x
16384:64:0:44:M*:               Linux:2.0:3x:Linux 2.0.3x<\/p><\/blockquote>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

 * \uc5ed\uc0ac  psad \uc18c\ud504\ud2b8\uc6e8\uc5b4 \ud504\ub85c\uc81d\ud2b8\ub294 1999\ub144 \uac00\uc744, \ubc14\uc2a4\ud2f0\uc720 \uac1c\ubc1c\ud300\uc774 \ubc14\uc2a4\ud2f0\uc720\uac00 \uacbd\ub7c9\uc758 \ub124\ud2b8\uc6cc\ud06c \uce68\uc785 \ud0d0\uc9c0 \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc81c\uacf5\ud574\uc57c \ud55c\ub2e4\uace0 \uacb0\uc815\ud588\uc744 \ub54c Bastille \ub9ac\ub205\uc2a4\uc758 \uc77c\ubd80\ub85c \uc2dc\uc791\ud588\ub2e4. \ub2f9\uc2dc \ud53c\ud130 \uc653\ud0a8\uc2a4\ub294 \uc9c0\uae08\uae4c\uc9c0\ub3c4 Bastille \uc640 \ud568\uaed8 \uc81c\uacf5\ub418\ub294 \ub9e4\uc6b0 \ub6f0\uc5b4\ub09c \ubc29\ud654\ubcbd \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uac1c\ubc1c \uc911\uc774\uc5c8\uc73c\ubbc0\ub85c \ubc29\ud654\ubcbd \ub85c\uadf8\uac00 \uc81c\uacf5\ud558\ub294 … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[52],"tags":[311,531],"_links":{"self":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/posts\/765"}],"collection":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=765"}],"version-history":[{"count":0,"href":"http:\/\/pchero21.com\/index.php?rest_route=\/wp\/v2\/posts\/765\/revisions"}],"wp:attachment":[{"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=765"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=765"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/pchero21.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=765"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}