changes since psad-2.2
author Michael Rash <mbr@cipherdyne.org>
Thu, 3 Jan 2013 04:16:50 +0000 (23:16 -0500)
committer Michael Rash <mbr@cipherdyne.org>
Thu, 3 Jan 2013 04:16:50 +0000 (23:16 -0500)
ChangeLog.git [new file with mode: 0644]

diff --git a/ChangeLog.git b/ChangeLog.git
new file mode 100644 (file)
index 0000000..0dcc914
--- /dev/null
@@ -0,0 +1,368 @@
+commit 98debf7924cfaae1541e7684f7ec3ac30e3eaaf7 (HEAD, refs/heads/master)
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Wed Jan 2 23:12:43 2013 -0500
+
+    minor date update for psad-2.2.1 release
+
+ ChangeLog |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit da758cc9fffdc49bbf4ccf2236761e0f85da1f25
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Tue Jan 1 22:23:18 2013 -0500
+
+    bumped version to 2.2.1
+
+ VERSION                               |    2 +-
+ nf2csv                                |    2 +-
+ packaging/psad-nodeps.spec            |    5 ++++-
+ packaging/psad-require-makemaker.spec |    5 ++++-
+ packaging/psad.spec                   |    5 ++++-
+ psad                                  |    4 ++--
+ 6 files changed, 16 insertions(+), 7 deletions(-)
+
+commit 996ef41711b48643029c31c7d5c7e7cd9a9d035b
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Tue Jan 1 22:20:00 2013 -0500
+
+    Added EMAIL_THROTTLE for email throttling
+    
+    Added the ability to throttle emails generated by psad via a new
+    EMAIL_THROTTLE variable which is implemented as a per-IP threshold.  That
+    is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
+    many emails for each scanning IP as it would have normally.  This feature
+    was suggested by Naji Mouawad.
+
+ CREDITS                                          |    4 ++++
+ ChangeLog                                        |   10 +++++++++-
+ psad                                             |   10 +++++++++-
+ psad.conf                                        |    8 ++++++++
+ test/conf/auto_blocking.conf                     |    8 ++++++++
+ test/conf/default_psad.conf                      |    8 ++++++++
+ test/conf/disable_ipv6_detection.conf            |    8 ++++++++
+ test/conf/enable_ack_detection.conf              |    8 ++++++++
+ test/conf/ignore_tcp.conf                        |    8 ++++++++
+ test/conf/ignore_udp.conf                        |    8 ++++++++
+ test/conf/require_DROP_syslog_prefix_str.conf    |    8 ++++++++
+ test/conf/require_missing_syslog_prefix_str.conf |    8 ++++++++
+ 12 files changed, 94 insertions(+), 2 deletions(-)
+
+commit b39dc01133d7b0e981c58622b5f0a9c48c979b81
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Tue Jan 1 20:56:00 2013 -0500
+
+    Configurable auto-blocking timeout values.
+    
+    Oscar Marley suggested configurable auto-blocking timeout values depending on
+    the danger level that a scan or attack achieves.  This resulted in the
+    implementation of the AUTO_BLOCK_DL*_TIMEOUT variables.
+
+ CREDITS                                          |    5 ++
+ psad                                             |   73 +++++++++++++++-------
+ psad.conf                                        |    9 +++
+ test/conf/auto_blocking.conf                     |   11 +++-
+ test/conf/default_psad.conf                      |    9 +++
+ test/conf/disable_ipv6_detection.conf            |    9 +++
+ test/conf/enable_ack_detection.conf              |    9 +++
+ test/conf/ignore_tcp.conf                        |    9 +++
+ test/conf/ignore_udp.conf                        |    9 +++
+ test/conf/require_DROP_syslog_prefix_str.conf    |    9 +++
+ test/conf/require_missing_syslog_prefix_str.conf |    9 +++
+ test/test-psad.pl                                |   26 +++++++-
+ 12 files changed, 162 insertions(+), 25 deletions(-)
+
+commit d78f288f0577e59e1b36447604ea040dc302caea
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Dec 22 22:19:19 2012 -0500
+
+    added --analysis-auto-block mode to allow auto-responses to be testing in -A mode
+
+ psad   |   36 +++++++++++++++++++++++-------------
+ psad.8 |    8 +++++++-
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+commit 1d2602e6ba83f27042c6e59fa39d2320e0477ef3
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Dec 22 22:15:14 2012 -0500
+
+    Added --enable-auto-block-tests for testing the auto-blocking functionality in psad
+
+ test/conf/auto_blocking.conf |  579 ++++++++++++++++++++++++++++++++++++++++++
+ test/test-psad.pl            |   72 ++++--
+ 2 files changed, 633 insertions(+), 18 deletions(-)
+
+commit 574d31aff2702412d78016d509beedf8e866b7db (refs/remotes/web/master, refs/remotes/origin/master)
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Thu Dec 20 21:06:46 2012 -0500
+
+    Detect Topera IPv6 scans when IP options are logged
+    
+    Added detection for Topera IPv6 scans when --log-ip-options is used in
+    the ip6tables logging rule.  When this option is not used, the previous                                                                                                                        psad-2.2 release detected Topera scans.  An example TCP SYN packet
+    generated by Topera when --log-ip-options is used looks like this (note                                                                                                                        the series of empty IP options strings "OPT ( )":
+    
+        Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT=                                                                                                                                 MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd
+        SRC=2012:1234:1234:0000:0000:0000:0000:0001                                                                                                                                                    DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64
+        FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( )                                                                                                                              OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN
+        URGP=0
+
+ ChangeLog                                          |   14 +
+ psad                                               |   62 +-
+ .../scans/iptables/topera_ipv6_syn_scan_no_ip_opts | 1058 ++++++++++++++++++++
+ .../iptables/topera_ipv6_syn_scan_with_ip_opts     | 1046 +++++++++++++++++++
+ test/test-psad.pl                                  |   36 +
+ 5 files changed, 2200 insertions(+), 16 deletions(-)
+
+commit bd89cfbad0cdc4540f1b983811e40803b8fa29b9
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Mon Dec 17 23:05:56 2012 -0500
+
+    Parse fwsnort rules for 'msg' fields
+    
+    Added the ability to acquire Snort rule 'msg' fields from fwsnort if
+    it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
+    to look for the fwsnort rule set.  This fixes a problem reported by Pui
+    Edylie to the psad mailing list where fwsnort logged an attack that psad
+    could not map back to a descriptive 'msg' field.
+
+ CREDITS                                          |    6 ++
+ ChangeLog                                        |    6 ++
+ psad                                             |  106 ++++++++++++----------
+ psad.conf                                        |    1 +
+ test/conf/default_psad.conf                      |    1 +
+ test/conf/disable_ipv6_detection.conf            |    1 +
+ test/conf/enable_ack_detection.conf              |    1 +
+ test/conf/ignore_tcp.conf                        |    1 +
+ test/conf/ignore_udp.conf                        |    1 +
+ test/conf/require_DROP_syslog_prefix_str.conf    |    1 +
+ test/conf/require_missing_syslog_prefix_str.conf |    1 +
+ 11 files changed, 77 insertions(+), 49 deletions(-)
+
+commit 361281e7d38c68b8e8c201ca31ea9be0bc7ec858
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Dec 15 22:12:22 2012 -0500
+
+    added nmap scan style details to syslog output
+
+ psad |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+commit 9659621061cd1a8032e736294cedcb3d79b7ae72
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Dec 15 22:06:31 2012 -0500
+
+    completed IP protocol scan detection task
+
+ todo.org |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+commit 19bee218741a725a8085a937046164fea47ec310
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Dec 15 22:03:26 2012 -0500
+
+    added IP protocol scan output to psad emails
+
+ psad |   69 +++++++++++++++++++++++++++++++++---------------------------------
+ 1 file changed, 35 insertions(+), 34 deletions(-)
+
+commit 6383941e87c5cadbc6f34eed99adcf26e2264818
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Dec 15 22:02:42 2012 -0500
+
+    additional regex's to look for perl warnings
+
+ test/test-psad.pl |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+commit 8018338cd7668da7447fc5e106f4ae2285a972bf
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Dec 14 21:04:31 2012 -0500
+
+    [test suite] added --analysis-write-data to psad test command line
+
+ test/test-psad.pl |   34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+commit 668453375e2256c6a7e182b211ac2acce0cb4764
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Dec 9 21:31:22 2012 -0500
+
+    added 'Other' protocols to per-IP 'Global stats' output for protocol scans
+
+ psad |   35 +++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+commit 1e9afc6f82328f16ca415524484b0fc3b354fe9e
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Dec 9 21:22:50 2012 -0500
+
+    remove 'multiproto' hash key in favor of new 'tot_protocols' hash key (used in -sO protocol scan detection)
+
+ psad |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+commit 760e02b3c2c796e4856ec1338684c84679a15580
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sun Dec 9 21:14:46 2012 -0500
+
+    minor bug fix for uninitialized variable usage in ICMP6 invalid type/code detection
+
+ psad |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+commit 4e059858de6bf4d553591c83fe022c17b3904732
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Dec 7 22:34:08 2012 -0500
+
+    added IP protocol scan test
+
+ test/test-psad.pl |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+commit 9fd7ce6cdb2303b1d698decb9708980e4e1997ee
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Dec 7 22:32:46 2012 -0500
+
+    removed ununsed is_digit() function
+
+ psad |    6 ------
+ 1 file changed, 6 deletions(-)
+
+commit 91dfe52f4a340ba52d70e03b40fb43b71774b0d5
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Dec 7 21:23:22 2012 -0500
+
+    first cut at IP protocol scan detection (nmap -sO)
+
+ ChangeLog                                        |   11 +-
+ VERSION                                          |    2 +-
+ nf2csv                                           |    2 +-
+ psad                                             |  213 +++++++--
+ psad.conf                                        |    6 +
+ test/conf/default_psad.conf                      |    6 +
+ test/conf/disable_ipv6_detection.conf            |    6 +
+ test/conf/enable_ack_detection.conf              |    6 +
+ test/conf/ignore_tcp.conf                        |    6 +
+ test/conf/ignore_udp.conf                        |    6 +
+ test/conf/require_DROP_syslog_prefix_str.conf    |    6 +
+ test/conf/require_missing_syslog_prefix_str.conf |    6 +
+ test/scans/iptables/proto_scan                   |  510 ++++++++++++++++++++++
+ 13 files changed, 745 insertions(+), 41 deletions(-)
+
+commit 518880f270688cd903112395db97db85a89212ed
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Fri Dec 7 21:18:58 2012 -0500
+
+    added 'protocols' file in support of IP protocol scan detection (nmap -sO)
+
+ install.pl |    6 +++---
+ protocols  |   64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 67 insertions(+), 3 deletions(-)
+
+commit f20a57a6a37963ea1b27931d297f0791fbca544f
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat Dec 1 14:36:08 2012 -0500
+
+    replaced TODO with todo.org org mode file
+
+ TODO     |   91 --------------------------------------------------------------
+ todo.org |   85 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 85 insertions(+), 91 deletions(-)
+
+commit eab733f4f51270116daba9eae8d221e236af9c26
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Thu Nov 22 22:17:00 2012 -0500
+
+    another hyphen fix
+
+ psad.8 |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit f2c44bbd02f8db51758a3160c527245ba8879599
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Thu Nov 22 22:16:00 2012 -0500
+
+    applied hyphen fix from Franck Joncourt
+
+ psad.8 |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit a3d8daabbc60da23116141fd5d899573c3bda199
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Tue Nov 20 21:00:00 2012 -0500
+
+    added Gregorio Narvaez
+
+ CREDITS |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+commit ff46fe12b238b7f7b63b2f31345bb6a8f99f7efe
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Tue Nov 20 20:58:00 2012 -0500
+
+    Bug fix for NetAddr::IP usage in --analysis-fields IP search mode
+    
+    Bug fix in --Analyze mode when IP fields are to be searched with the
+    --analysis-fields argument (such as --analysis-fields "SRC:1.2.3.4").
+    The bug was reported by Gregorio Narvaez, and looked like this:
+    
+      Use of uninitialized value $_[0] in length at
+      ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
+      ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
+      Use of uninitialized value $_[0] in length at
+      ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
+      ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
+      Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
+      128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
+      ../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.
+    
+    Added --stdin argument to allow psad to collect iptables log data from
+    STDIN in --Analyze mode.
+
+ ChangeLog            |   18 +++++
+ psad                 |   59 +++++++++++----
+ psad.8               |    6 ++
+ test/install.answers |   24 ++++++
+ test/test-psad.pl    |  197 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 5 files changed, 289 insertions(+), 15 deletions(-)
+
+commit 30120fbc5d44519aa378333c494e456e6aded331 (tag: refs/tags/psad-2.3-pre1)
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Mon Jun 11 20:58:36 2012 -0400
+
+    bumped version to psad-2.3-pre1
+
+ VERSION |    2 +-
+ nf2csv  |    2 +-
+ psad    |    4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 99ac4ab1eed310adbe4d24bdee9b67ee6dfb7905
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Mon Jun 11 20:56:19 2012 -0400
+
+    minor comment wording update w.r.t. SYSLOG_DAEMON usage
+
+ psad.conf |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+commit e5ada77ddf8dbec564fee5e50734460e28b5a185
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Mon Jun 11 20:55:50 2012 -0400
+
+    INSTALL_ROOT resolution bug fix (found by Kat)
+
+ CREDITS  |    4 ++++
+ kmsgsd.c |   20 ++++++++++++++++++++
+ 2 files changed, 24 insertions(+)
+
+commit 8dedbcad794e3b539f2df202feb8a15b50e6e75a
+Author: Michael Rash <mbr@cipherdyne.org>
+Date:   Sat May 26 21:30:50 2012 -0400
+
+    removed legacy psadwatchd.conf file references
+
+ packaging/psad-nodeps.spec            |    4 +---
+ packaging/psad-require-makemaker.spec |    4 +---
+ packaging/psad.spec                   |    4 +---
+ 3 files changed, 3 insertions(+), 9 deletions(-)
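Review bot: The file being added is `git log --stat` output committed as source, and it carries ref decorations that are only true at the moment it was generated: `(HEAD, refs/heads/master)` on 98debf79, `(refs/remotes/web/master, refs/remotes/origin/master)` on 574d31af and `(tag: refs/tags/psad-2.3-pre1)` on 30120fbc. Those go stale on the next commit, and the remote names are specific to the clone that produced the file, so the content will drift from what a user checking out the tag actually sees. Suggest generating ChangeLog.git at release-packaging time (alongside the spec files already touched in da758cc9) instead of committing it, or at least dropping the decorations so the committed text depends only on history. Two smaller points on the same hunk: the commit bodies are recorded verbatim, so typos already in history ("ununsed is_digit()" in 9fd7ce6c, "to be testing in -A mode" in d78f288f) now ship in the file as well, and the Topera commit body (574d31af) renders with long runs of whitespace between its wrapped lines and example log fields, which is worth checking in the committed file. If this is intended as user-facing release notes, the hand-maintained ChangeLog that these commits already update is the better home.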