Michael Rash [Fri, 17 Jan 2014 03:12:46 +0000]
Added changelog data since psad-2.2.1  [2.2.2]

Michael Rash [Mon, 13 Jan 2014 23:38:31 +0000]
copyright date update

Michael Rash [Mon, 13 Jan 2014 23:37:24 +0000]
bumped version to 2.2.2

Michael Rash [Mon, 13 Jan 2014 23:27:53 +0000]
minor bug fix to auto-generate iptables logs in benchmark mode

Michael Rash [Mon, 13 Jan 2014 23:11:14 +0000]
[test suite] added EXPECT_TCP_OPTIONS to config files

Michael Rash [Mon, 13 Jan 2014 23:07:36 +0000]
[test suite] removed comments and blank lines for config files

Michael Rash [Mon, 30 Sep 2013 02:01:53 +0000]
Added detection for Errata Security's "Masscan" port scanner

Added detection for Errata Security's "Masscan" port scanner that was
used in an Internet-wide scan for port 22 on Sept. 12, 2013 (see:
The detection strategy used by psad relies on the fact that masscan does
not appear to set the options portion of the TCP header, and if the
iptables LOG rules that generate log data for psad are built with the
--log-tcp-options switch, then no options in a SYN scan can be seen.
This is not to say that other scanning software always sets TCP options -
Scapy seems to not set options by default when issuing a SYN scan like
this either:
There is a new psad.conf variable "EXPECT_TCP_OPTIONS" to assist with
Masscan detection as well.  When looking for Masscan SYN scans, psad
requires at least one TCP options field to be populated within a LOG
message (so that it knows --log-tcp-options has been set for at least
some logged traffic), and after seeing this then SYN packets with no
options are attributed to Masscan traffic.  All usual psad threshold
variables continue to apply however, so (by default) a single Masscan
SYN packet will not trigger a psad alert.  Masscan detection can be
disabled altogether by setting EXPECT_TCP_OPTIONS to "N", and this will
not affect any other psad detection techniques such as passive OS
fingerprinting, etc.

Michael Rash [Mon, 30 Sep 2013 00:54:32 +0000]
minor auto_dl spacing update

Michael Rash [Mon, 29 Jul 2013 03:52:41 +0000]
fix uninitialized scan danger level for IP block renewals when FLUSH_IPT_AT_INIT=N, closes #6

Michael Rash [Sat, 27 Jul 2013 19:41:17 +0000]
[test suite] added --test-limit command line arg

Michael Rash [Sat, 27 Jul 2013 01:25:52 +0000]
minor --stdin usage text addition

Michael Rash [Fri, 25 Jan 2013 02:13:55 +0000]
psad RPM bug fix to include the protocols file

Nicholas-Ritter reported a bug in psad-2.2.1 where the protocols file is not
bundled with the psad RPMs or included in the psad RPM .spec files.

Michael Rash [Thu, 3 Jan 2013 04:24:15 +0000]
changes since psad-2.2  [psad-2.2.1]

Michael Rash [Thu, 3 Jan 2013 04:23:17 +0000]
added auto_min_dl5_blocking.conf file

Michael Rash [Thu, 3 Jan 2013 04:16:50 +0000]
changes since psad-2.2

Michael Rash [Thu, 3 Jan 2013 04:12:43 +0000]
minor date update for psad-2.2.1 release

Michael Rash [Wed, 2 Jan 2013 03:23:18 +0000]
bumped version to 2.2.1

Michael Rash [Wed, 2 Jan 2013 03:20:00 +0000]
Added EMAIL_THROTTLE for email throttling

Added the ability to throttle emails generated by psad via a new
EMAIL_THROTTLE variable which is implemented as a per-IP threshold.  That
is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
many emails for each scanning IP as it would have normally.  This feature
was suggested by Naji Mouawad.

Michael Rash [Wed, 2 Jan 2013 01:56:00 +0000]
Configurable auto-blocking timeout values.

Michael Rash [Sun, 23 Dec 2012 03:19:19 +0000]
added --analysis-auto-block mode to allow auto-responses to be tested in -A mode

Michael Rash [Sun, 23 Dec 2012 03:15:14 +0000]
Added --enable-auto-block-tests for testing the auto-blocking functionality in psad

Michael Rash [Fri, 21 Dec 2012 02:06:46 +0000]
Detect Topera IPv6 scans when IP options are logged

Added detection for Topera IPv6 scans when --log-ip-options is used in
the ip6tables logging rule.  When this option is not used, the previous
psad-2.2 release detected Topera scans.  An example TCP SYN packet
generated by Topera when --log-ip-options is used looks like this (note
the series of empty IP options strings "OPT ( )"):

    Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT=
    MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd
    SRC=2012:1234:1234:0000:0000:0000:0000:0001
    DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64
    FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( )
    OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN
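The two option-based heuristics this log describes, the Masscan check (a SYN carrying no TCP options once --log-tcp-options output has been seen, gated by EXPECT_TCP_OPTIONS and a per-source threshold) and the Topera check above (a run of empty IPv6 "OPT ( )" strings), as an added Python example that is not psad's own code: it splits each LOG line at PROTO= so that IP-header options and TCP options are told apart. The class name, thresholds and IPv4 sample lines are constructed; the IPv6 sample is the Topera line quoted above.

```python
import re
from collections import defaultdict

# With --log-tcp-options the TCP options are logged as "OPT (<hex>)" after the
# flags; with --log-ip-options the IP options are logged as "OPT (<hex>)" before
# PROTO=.  Empty option strings appear as "OPT ( )".
SRC_RE = re.compile(r"\bSRC=(\S+)")
PROTO_RE = re.compile(r"\bPROTO=(\S+)")
OPT_RE = re.compile(r"\bOPT \(([0-9A-Fa-f ]*)\)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

MASSCAN_SYN_THRESHOLD = 3   # constructed; psad's real thresholds are configurable
TOPERA_MIN_EMPTY_OPTS = 2   # constructed minimum run of empty IPv6 option strings


class OptionScanDetector:
    # expect_tcp_options mirrors psad's EXPECT_TCP_OPTIONS ("N" disables the check)
    def __init__(self, expect_tcp_options=True):
        self.expect_tcp_options = expect_tcp_options
        self.saw_tcp_options = False        # evidence that --log-tcp-options is on
        self.no_opt_syn = defaultdict(int)  # per-source count of option-less SYNs

    def classify(self, line):
        """Return [(src, reason), ...] findings for one LOG line (usually empty)."""
        findings = []
        src_m, proto_m = SRC_RE.search(line), PROTO_RE.search(line)
        if not src_m or not proto_m:
            return findings                 # not an iptables/ip6tables LOG line
        src, proto = src_m.group(1), proto_m.group(1)
        ip_part, _, l4_part = line.partition("PROTO=")
        # Topera: IPv6 source plus a run of empty IP option strings in the IP header.
        empty_ip_opts = sum(1 for o in OPT_RE.findall(ip_part) if not o.strip())
        if ":" in src and empty_ip_opts >= TOPERA_MIN_EMPTY_OPTS:
            findings.append((src, "topera_empty_ipv6_options"))
        if proto == "TCP":
            tcp_opts = OPT_RE.findall(l4_part)
            if any(o.strip() for o in tcp_opts):
                self.saw_tcp_options = True  # options are definitely being logged
            # Bare SYN, no OPT field, options known to be logged: Masscan-style;
            # a per-source threshold still applies before anything is reported.
            if (self.expect_tcp_options and self.saw_tcp_options
                    and set(FLAG_RE.findall(l4_part)) == {"SYN"} and not tcp_opts):
                self.no_opt_syn[src] += 1
                if self.no_opt_syn[src] == MASSCAN_SYN_THRESHOLD:
                    findings.append((src, "masscan_syn_without_tcp_options"))
        return findings


def run_detector(lines, expect_tcp_options=True):
    det = OptionScanDetector(expect_tcp_options)
    return [f for line in lines for f in det.classify(line)]


def _v4(src, l4):  # constructed IPv4 LOG line with a fixed header
    return ("Jan 13 10:00:01 host kernel: [  100.100000] DROP IN=eth0 OUT= "
            "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=%s DST=192.0.2.10 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP %s" % (src, l4))


NOOPT_SYN = "SPT=61000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0"
OPT_SYN = "SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A00000000)"
SAMPLE_LOG = [  # constructed; the IPv6 line is the Topera example from the commit above
    _v4("203.0.113.9", NOOPT_SYN),   # before any options were seen: not attributed
    _v4("198.51.100.7", OPT_SYN),    # proves --log-tcp-options is active
    _v4("203.0.113.9", NOOPT_SYN),
    _v4("203.0.113.9", NOOPT_SYN),
    _v4("203.0.113.9", NOOPT_SYN),   # third option-less SYN: threshold reached
    "Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT= "
    "MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd "
    "SRC=2012:1234:1234:0000:0000:0000:0000:0001 "
    "DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) "
    "OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN",
]
```

Note that the first option-less SYN is deliberately not counted: until some logged packet has shown non-empty TCP options, the parser cannot tell whether the absence of an OPT field means "no options in the packet" or "options not being logged".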

Michael Rash [Tue, 18 Dec 2012 04:05:56 +0000]
Parse fwsnort rules for 'msg' fields

Added the ability to acquire Snort rule 'msg' fields from fwsnort if
it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
to look for the fwsnort rule set.  This fixes a problem reported by Pui
Edylie to the psad mailing list where fwsnort logged an attack that psad
could not map back to a descriptive 'msg' field.

Michael Rash [Sun, 16 Dec 2012 03:12:22 +0000]
added nmap scan style details to syslog output

Michael Rash [Sun, 16 Dec 2012 03:06:31 +0000]
completed IP protocol scan detection task

Michael Rash [Sun, 16 Dec 2012 03:03:26 +0000]
added IP protocol scan output to psad emails

Michael Rash [Sun, 16 Dec 2012 03:02:42 +0000]
additional regexes to look for perl warnings

Michael Rash [Sat, 15 Dec 2012 02:04:31 +0000]
[test suite] added --analysis-write-data to psad test command line

Michael Rash [Mon, 10 Dec 2012 02:31:22 +0000]
added 'Other' protocols to per-IP 'Global stats' output for protocol scans

Michael Rash [Mon, 10 Dec 2012 02:22:50 +0000]
remove 'multiproto' hash key in favor of new 'tot_protocols' hash key (used in -sO protocol scan detection)

Michael Rash [Mon, 10 Dec 2012 02:14:46 +0000]
minor bug fix for uninitialized variable usage in ICMP6 invalid type/code detection

Michael Rash [Sat, 8 Dec 2012 03:34:08 +0000]
added IP protocol scan test

Michael Rash [Sat, 8 Dec 2012 03:32:46 +0000]
removed unused is_digit() function

Michael Rash [Sat, 8 Dec 2012 02:23:22 +0000]
first cut at IP protocol scan detection (nmap -sO)

Michael Rash [Sat, 8 Dec 2012 02:18:58 +0000]
added 'protocols' file in support of IP protocol scan detection (nmap -sO)

Michael Rash [Sat, 1 Dec 2012 19:36:08 +0000]
replaced TODO with org mode file

Michael Rash [Fri, 23 Nov 2012 03:17:00 +0000]
another hyphen fix

Michael Rash [Fri, 23 Nov 2012 03:16:00 +0000]
applied hyphen fix from Franck Joncourt

Michael Rash [Wed, 21 Nov 2012 02:00:00 +0000]
added Gregorio Narvaez

Michael Rash [Wed, 21 Nov 2012 01:58:00 +0000]
Bug fix for NetAddr::IP usage in --analysis-fields IP search mode

Bug fix in --Analyze mode when IP fields are to be searched with the
--analysis-fields argument (such as --analysis-fields "SRC:").
The bug was reported by Gregorio Narvaez, and looked like this:

  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/ (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/ line 126.
  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/ (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/ line 126.
  Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
  128 at ../../blib/lib/NetAddr/IP/ (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/ line 122.

Added --stdin argument to allow psad to collect iptables log data from
STDIN in --Analyze mode.

Michael Rash [Tue, 12 Jun 2012 00:58:36 +0000]
bumped version to psad-2.3-pre1  [psad-2.3-pre1]

Michael Rash [Tue, 12 Jun 2012 00:56:19 +0000]
minor comment wording update w.r.t. SYSLOG_DAEMON usage

Michael Rash [Tue, 12 Jun 2012 00:55:50 +0000]
INSTALL_ROOT resolution bug fix (found by Kat)

Michael Rash [Sun, 27 May 2012 01:30:50 +0000]
removed legacy psadwatchd.conf file references

Michael Rash [Sat, 21 Apr 2012 02:18:58 +0000]
bumped version to 2.2

Michael Rash [Sat, 21 Apr 2012 02:17:03 +0000]
Added install.answers.example file to illustrate answers to be consumed by --Use-answers

Michael Rash [Sat, 21 Apr 2012 02:06:29 +0000]
changelog and credits update

Michael Rash [Sat, 21 Apr 2012 01:58:38 +0000]
Added the ability to automatically get query answers from --answers-file

By default the script records user answers to installation queries
so they can be used to install psad in an automated fashion later.  A new
option --Use-answers makes this possible.  This feature was requested by

Michael Rash [Fri, 20 Apr 2012 01:59:43 +0000]
bumped version to psad-2.2-pre2  [psad-2.2-pre2]

Michael Rash [Fri, 20 Apr 2012 01:25:52 +0000]
removed psad-nobuildreqs.spec

Michael Rash [Fri, 20 Apr 2012 01:25:07 +0000]
moved ChangeLog.old -> ChangeLog (the old style is much more readable)

Michael Rash [Fri, 20 Apr 2012 01:21:52 +0000]
matched all chdir() calls with getcwd() for easier test suite support

Michael Rash [Fri, 20 Apr 2012 01:20:52 +0000]
added the psad-require-makemaker.spec file

Michael Rash [Fri, 20 Apr 2012 01:13:58 +0000]
Removed the ExtUtils::MakeMaker build requirement

Although building the psad RPM builds a set of perl modules which themselves
have the 'use ExtUtils::MakeMaker' requirement in their respective Makefile.PL
scripts, some Linux distributions don't seem to make it easy to install
ExtUtils::MakeMaker in a manner in which the local RPM install can see it.
And, at the same time, it usually is there since installing perl modules is
such a common operation.  The compromise is this solution, which will allow the
psad RPM to be built even if RPM doesn't or can't see that ExtUtils::MakeMaker
is installed - most likely it will build anyway.  If it doesn't, there are
bigger problems since psad is written in perl.  If you want to build the psad
RPM with a .spec file that requires ExtUtils::MakeMaker, then use the
"psad-require-makemaker.spec" file that is bundled in the psad sources.

Michael Rash [Fri, 20 Apr 2012 01:13:15 +0000]
update to install the init script in the test dir in --install-test-dir mode

Michael Rash [Thu, 19 Apr 2012 03:19:17 +0000]
added guard variable around syslog() calls

Michael Rash [Thu, 19 Apr 2012 03:18:56 +0000]
bug fix to expand INSTALL_ROOT variable from psad.conf

Michael Rash [Wed, 18 Apr 2012 02:57:07 +0000]
bug fix to ensure that a pristine psad.conf file is preserved across --install-test-dir mode  [psad-2.2-pre1]

Michael Rash [Wed, 18 Apr 2012 02:23:31 +0000]
Bug fix for undefined syslog routine

Fixed a bug that caused psad to emit the following:

Undefined subroutine &main::LOG_DAEMON called at ./psad line 10071.

This problem was noticed by Robert and reported on the psad mailing list.

Michael Rash [Wed, 18 Apr 2012 00:44:16 +0000]
RPM spec files switched to NetAddr::IP installation

Michael Rash [Wed, 18 Apr 2012 00:42:42 +0000]
--test-system-install to allow current system installation of psad to be tested through the test suite

Michael Rash [Wed, 18 Apr 2012 00:40:52 +0000]
override -O option for

Michael Rash [Tue, 17 Apr 2012 01:34:04 +0000]
update psad RPM spec files for the 2.2 release - more updates coming to properly handle the NetAddr::IP modules

Michael Rash [Tue, 17 Apr 2012 01:27:08 +0000]
version 2.2 nearly ready - bumped version numbers

Michael Rash [Tue, 17 Apr 2012 01:17:50 +0000]
added signatures file that excludes the MS SQL connect signature

Michael Rash [Tue, 10 Apr 2012 12:40:41 +0000]
updated test config files to not require the 'mail' binary

Michael Rash [Sun, 25 Mar 2012 00:34:56 +0000]
Minor compiler warning bug fix for OpenBSD systems.

Compiling psad *.c files on OpenBSD issued the following warning before this fix:

/usr/bin/gcc -Wall -O psadwatchd.c psad_funcs.c strlcpy.c strlcat.c -o psadwatchd
psad_funcs.c: In function 'send_alert_email':
psad_funcs.c:325: warning: missing sentinel in function call

Michael Rash [Sat, 24 Mar 2012 14:08:48 +0000]
added IPv6 exclusion test for Snort MS SQL Server communication attempt signature

Michael Rash [Sat, 24 Mar 2012 13:25:00 +0000]
added Snort sig tests for MS SQL Server communication attempt

Michael Rash [Sat, 24 Mar 2012 02:06:44 +0000]
IPv4 allow valid echo request

Michael Rash [Sat, 24 Mar 2012 02:00:23 +0000]
minor hostname update minastirith -> linux

Michael Rash [Sat, 24 Mar 2012 01:58:19 +0000]
added IPv4 ICMP type/code validation test

Michael Rash [Sat, 24 Mar 2012 01:09:38 +0000]
ICMP6 type/code validation test, perl warnings test

Michael Rash [Sat, 24 Mar 2012 01:08:59 +0000]
added ipv6_invalid_icmp6_type_code file for test suite support for ICMP6 type/code validation

Michael Rash [Sat, 24 Mar 2012 01:07:41 +0000]
bugfix for uninitialized variable in ICMP6 validation reporting

Michael Rash [Fri, 23 Mar 2012 03:00:00 +0000]
validate ICMP6 type+code fields

Michael Rash [Fri, 23 Mar 2012 00:41:08 +0000]
copy original psad.conf before install and restore at conclusion

Michael Rash [Fri, 23 Mar 2012 00:27:37 +0000]
move icmp validation code out of Snort rules comparison

For better performance and correctness, moved icmp type/code validation code out
of Snort rule comparison routine.  Added icmp validation output to --Analyze
mode output.  Disabled DNS lookups in -A mode by default, but added --dns-analysis
command line arg to provide an override.

Michael Rash [Fri, 23 Mar 2012 00:26:53 +0000]
added --install-root and --install-test-dir options to --help output

Michael Rash [Wed, 21 Mar 2012 01:15:38 +0000]
added the ability to read iptables packet data from a file with -m in --Benchmark mode

Michael Rash [Sun, 18 Mar 2012 17:43:48 +0000]
added IPv6 abbreviated format test

Michael Rash [Sun, 18 Mar 2012 17:32:13 +0000]
bugfix to honor auto_dl lines with IPv6 addresses

Michael Rash [Sun, 18 Mar 2012 02:00:09 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

Michael Rash [Sat, 17 Mar 2012 19:50:00 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

Michael Rash [Sat, 17 Mar 2012 19:48:55 +0000]
added enable_ack_detection.conf file

Michael Rash [Sat, 17 Mar 2012 18:11:30 +0000]
added IPv6 TCP connect() test

Michael Rash [Sat, 17 Mar 2012 18:00:07 +0000]
added TCP NULL scan test

Michael Rash [Sat, 17 Mar 2012 01:31:01 +0000]
added NULL scan test

Michael Rash [Sat, 17 Mar 2012 01:12:01 +0000]
added FIN, XMAS, and ACK scan tests

Michael Rash [Fri, 16 Mar 2012 00:44:20 +0000]
bugfix in psad to honor IGNORE_PROTOCOLS keyword (found by corresponding tests)

Michael Rash [Fri, 16 Mar 2012 00:41:40 +0000]
updated to remove kmsgsd discussion since kmsgsd is basically deprecated at this point

Michael Rash [Wed, 14 Mar 2012 01:43:37 +0000]
minor config file comment typo fixes

Michael Rash [Wed, 14 Mar 2012 01:23:44 +0000]
minor comment typo fixes

Michael Rash [Wed, 14 Mar 2012 01:17:02 +0000]
added auto_dl 5 tests

Michael Rash [Wed, 14 Mar 2012 00:43:12 +0000]
added SYN scan and UDP scan tests

Michael Rash [Wed, 14 Mar 2012 00:38:41 +0000]
updated default INSTALL_ROOT path to the test/ directory install path test/psad-install

Michael Rash [Wed, 14 Mar 2012 00:37:44 +0000]
bugfix in variable expansion routine to ensure expansion of multiple sub-vars

Michael Rash [Tue, 13 Mar 2012 01:34:03 +0000]
Added the ability to install at custom location

This commit adds the ability to install psad at a custom location via the
--install-root <root> command line argument to  This feature
was suggested by @pyllyukko.  In addition, psad can be installed by a
normal user instead of requiring root.

Michael Rash [Mon, 12 Mar 2012 02:41:17 +0000]
additional basic operations tests, next up: scan tests

Michael Rash [Mon, 12 Mar 2012 02:38:55 +0000]
added test suite scans/ directory