Many people have old syslog files that contain iptables log data lying around on their systems. By using psad in forensics mode, these old logfiles can be used to inform you of suspicious traffic that took place in the past against your system. This information can become particularly helpful if you are trying to track down a real intrusion and want to see what IP addresses may have been scanning your system around the time of a compromise. To run psad in forensics mode, use the
-A command-line switch as shown in bold in Listing 7-2 (some output has been abbreviated):
psad -A[+] Entering analysis mode. Parsing /var/log/messages [+] Found 8804 iptables log messages out of 10000 total lines. [+] Processed 1600 packets... ...