Michael Rash, Security Researcher

Software Release - psad-2.1

psad-2.1 released The 2.1 release of psad is ready for download. This release completes the 2.0.x development series with a few minor bugfixes and the addition of a patch against iptables to enforce trailing spaces in log prefixes. Here is the ChangeLog:
  • Changed EMAIL_LIMIT model to apply to scanning source addresses only instead of also factoring in the destination address. The original src/dst email limit behavior can be restored by setting a new variable "ENABLE_EMAIL_LIMIT_PER_DST" to "Y".
  • Added the patches/iptables-1.3.8_LOG_prefix_space.patch file which can be applied to the iptables-1.3.8 code to enforce a trailing space character before any log prefix when a LOG rule is added. This ensures that the user cannot break the iptables syslog format just by forgetting to include a space at the end of a logging prefix.
  • Bugfix to ensure that parsing TCP options does not descend into an infinite loop in some some circumstances with obscure or maliciously constructed options. Also added syslog reporting for broken options lengths of zero or one byte (the minimum option length is two bytes to accomodate the TLV encoding).
  • Bugfix to enforce the usage of --CSV-fields in --gnuplot mode.
  • Implemented --get-next-rule-id so that it is easy to assign a new rule ID to a new signature in the /etc/psad/signatures file.
  • Updated to just call die() if GetOpt fails; this allows erroneous usage of the command line to display informative error messages more clearly.