cipherdyne.org

Michael Rash, Security Researcher



Software Release - psad-2.0.2

The 2.0.2 release of psad is ready for download. This release makes a few new features available such as the ability to download the latest psad signatures with the install.pl script, and the addition of the "CipherDyne RPM Builder" script cd_rpmbuilder to make it easy to automatically build RPM files on a local system. Also, a few bugs were fixed - particularly with the handling of the HOME_NET variable. Here is the ChangeLog:
  • Added print statements for @INC array in debug mode so that the user can see the additional /usr/lib/psad/* directories added by import_psad_perl_modules().
  • Changed Unix::Syslog import strategy from "use" to "require" since the path is not known until import_psad_perl_modules() gets a chance to run (psad ran fine without this, but it is more consistent this way).
  • Added the ability to download the latest signatures from cipherdyne.org in install.pl.
  • Added the cd_rpmbuilder script to make it easy to build RPMs out of CipherDyne projects by automatically downloading the project .tar.gz and .spec files from http://www.cipherdyne.org/.
  • Bugfix for not properly including elements of the @connected_subnets_cidr array.
  • IP subnet bugfix to make sure to get the entire subnet in the signature import routine if it is not in CIDR format.
  • Bugfix to not print IP addresses in the "top attackers" section that do not have at least one packet or signature match (for any reason).
  • Bugfix to not print more than TOP_IP_LOG_THRESHOLD IP addresses in the top attackers section.
  • Updated install.pl to reference configuration paths directly from psad.conf instead of defining them separately. This should fix Debian bug #403566.
  • Added -c argument to install.pl so that the path to a psad.conf file can be altered from the command line.
  • Bugfix to not import any IP from the top_attackers file from a previous psad run that does not have a /var/log/psad/<ip> directory.
  • Added MIN_DANGER_LEVEL to allow all alerts and /var/log/psad/<ip> tracking to be disabled unless an attacker reaches at least this danger level.
  • Added text in install.pl to mention ifconfig parsing for HOME_NET derivation.
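The subnet-normalization, HOME_NET derivation and "top attackers" filtering behaviours described in the ChangeLog entries above, written out as a small added example in Python. This is illustrative code written for this page, not psad's own Perl implementation; the variable names TOP_IP_LOG_THRESHOLD and MIN_DANGER_LEVEL are taken from the ChangeLog, but their values, the ifconfig line format, the per-IP counter layout and the sample data are all constructed assumptions.

```python
import re
import ipaddress

# Constructed defaults named after the psad.conf variables in the ChangeLog; the
# numeric values are assumptions, not psad's shipped defaults.
TOP_IP_LOG_THRESHOLD = 3
MIN_DANGER_LEVEL = 2

def normalize_subnet(spec):
    """Turn a subnet given as CIDR ("10.0.0.0/8") or as address/dotted-netmask
    ("10.0.0.0/255.0.0.0") into a network object covering the whole subnet.
    strict=False discards host bits, so "192.168.1.5/24" becomes 192.168.1.0/24."""
    return ipaddress.ip_network(spec, strict=False)

# Matches the legacy Linux ifconfig "inet addr: ... Mask:" line (assumed format).
IFCONFIG_RE = re.compile(r"inet addr:(\S+)\s+.*?Mask:(\S+)")

def subnets_from_ifconfig(text):
    """Derive the connected subnets (as CIDR strings) from ifconfig output."""
    return [str(normalize_subnet(f"{ip}/{mask}"))
            for ip, mask in IFCONFIG_RE.findall(text)]

def in_home_net(ip, subnets):
    """True if ip falls inside any listed subnet (CIDR or netmask form)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in normalize_subnet(s) for s in subnets)

def top_attackers(stats, threshold=TOP_IP_LOG_THRESHOLD, min_dl=MIN_DANGER_LEVEL):
    """Select IPs for the "top attackers" report from per-IP counters
    {ip: {"packets": n, "sigs": n, "danger_level": n}}: drop entries with no
    packets and no signature matches, drop those below min_dl, and return at
    most `threshold` IPs ordered by danger level, then packet count."""
    eligible = [(ip, s) for ip, s in stats.items()
                if (s["packets"] > 0 or s["sigs"] > 0) and s["danger_level"] >= min_dl]
    eligible.sort(key=lambda kv: (-kv[1]["danger_level"], -kv[1]["packets"], kv[0]))
    return [ip for ip, _ in eligible[:threshold]]

# Constructed sample input (documentation address ranges only).
SAMPLE_IFCONFIG = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
SAMPLE_STATS = {
    "203.0.113.7":    {"packets": 120, "sigs": 4, "danger_level": 4},
    "198.51.100.9":   {"packets": 30,  "sigs": 1, "danger_level": 3},
    "192.0.2.55":     {"packets": 0,   "sigs": 0, "danger_level": 2},  # stale: no hits at all
    "203.0.113.88":   {"packets": 15,  "sigs": 0, "danger_level": 2},
    "198.51.100.200": {"packets": 5,   "sigs": 0, "danger_level": 1},  # below MIN_DANGER_LEVEL
    "203.0.113.150":  {"packets": 8,   "sigs": 2, "danger_level": 2},
}
```

Running `top_attackers(SAMPLE_STATS)` on the sample drops the stale entry and the low-danger-level host and caps the result at three addresses; `subnets_from_ifconfig(SAMPLE_IFCONFIG)` yields the two connected subnets in CIDR form.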