psad.git
21 months ago: changes since psad-2.2 (tag: psad-2.2.1)
Michael Rash [Thu, 3 Jan 2013 04:24:15 +0000]
changes since psad-2.2

21 months ago: added auto_min_dl5_blocking.conf file
Michael Rash [Thu, 3 Jan 2013 04:23:17 +0000]
added auto_min_dl5_blocking.conf file

21 months ago: changes since psad-2.2
Michael Rash [Thu, 3 Jan 2013 04:16:50 +0000]
changes since psad-2.2

21 months ago: minor date update for psad-2.2.1 release
Michael Rash [Thu, 3 Jan 2013 04:12:43 +0000]
minor date update for psad-2.2.1 release

21 months ago: bumped version to 2.2.1
Michael Rash [Wed, 2 Jan 2013 03:23:18 +0000]
bumped version to 2.2.1

21 months ago: Added EMAIL_THROTTLE for email throttling
Michael Rash [Wed, 2 Jan 2013 03:20:00 +0000]
Added EMAIL_THROTTLE for email throttling

Added the ability to throttle emails generated by psad via a new
EMAIL_THROTTLE variable which is implemented as a per-IP threshold.  That
is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
many emails for each scanning IP as it would have normally.  This feature
was suggested by Naji Mouawad.
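As an added example (Python, not psad's own Perl implementation) of what a per-IP EMAIL_THROTTLE threshold does: the commit message does not say whether the first email for a new scanner is sent immediately, so treating the first alert as always sent is this example's assumption; the IP addresses fed in are constructed.

```python
from collections import defaultdict


class PerIpEmailThrottle:
    """Send only 1 of every `threshold` alert emails for each scanning IP.

    Assumption (not stated in the commit message): the first alert for a
    new source IP is sent at once, then one of every `threshold` after
    that, so a defender still hears about a new scanner without delay.
    A threshold of 0 or 1 means no throttling at all.
    """

    def __init__(self, threshold):
        if threshold < 0:
            raise ValueError("EMAIL_THROTTLE must be >= 0")
        self.threshold = threshold
        self.counts = defaultdict(int)   # per-IP count of alerts generated

    def should_send(self, src_ip):
        """Record one generated alert for src_ip; return True if it should go out."""
        self.counts[src_ip] += 1
        if self.threshold <= 1:
            return True
        # Counts 1, 1+N, 1+2N, ... pass: exactly 1/N of alerts in the long run.
        return (self.counts[src_ip] - 1) % self.threshold == 0


def simulate(threshold, events):
    """Replay scanning IPs in arrival order; return {ip: (alerts_seen, emails_sent)}."""
    throttle = PerIpEmailThrottle(threshold)
    seen = defaultdict(int)
    sent = defaultdict(int)
    for ip in events:
        seen[ip] += 1
        if throttle.should_send(ip):
            sent[ip] += 1
    return {ip: (seen[ip], sent[ip]) for ip in seen}


if __name__ == "__main__":
    # Constructed traffic: one noisy scanner and one that probes a few times.
    events = ["10.0.0.1"] * 30 + ["10.0.0.2"] * 5
    for ip, (n_seen, n_sent) in simulate(10, events).items():
        print(f"{ip}: {n_seen} alerts, {n_sent} emails sent")
```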

21 months ago: Configurable auto-blocking timeout values.
Michael Rash [Wed, 2 Jan 2013 01:56:00 +0000]
Configurable auto-blocking timeout values.

Oscar Marley suggested configurable auto-blocking timeout values depending on
the danger level that a scan or attack achieves.  This resulted in the
implementation of the AUTO_BLOCK_DL*_TIMEOUT variables.

21 months ago: added --analysis-auto-block mode to allow auto-responses to be tested in -A mode
Michael Rash [Sun, 23 Dec 2012 03:19:19 +0000]
added --analysis-auto-block mode to allow auto-responses to be tested in -A mode

21 months ago: Added --enable-auto-block-tests for testing the auto-blocking functionality in psad
Michael Rash [Sun, 23 Dec 2012 03:15:14 +0000]
Added --enable-auto-block-tests for testing the auto-blocking functionality in psad

22 months ago: Detect Topera IPv6 scans when IP options are logged
Michael Rash [Fri, 21 Dec 2012 02:06:46 +0000]
Detect Topera IPv6 scans when IP options are logged

Added detection for Topera IPv6 scans when --log-ip-options is used in
the ip6tables logging rule.  When this option is not used, the previous
psad-2.2 release detected Topera scans.  An example TCP SYN packet
generated by Topera when --log-ip-options is used looks like this (note
the series of empty IP options strings "OPT ( )"):

    Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT= MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd
    SRC=2012:1234:1234:0000:0000:0000:0000:0001 DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64
    FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN
    URGP=0
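As an added example (Python, not psad's own Perl detection code), here is a small parser that splits an ip6tables log line into its fields and flags a pure SYN carrying a run of empty IP options, the shape Topera produces when --log-ip-options is on; the two log lines inside it are constructed to mirror the one above, and the empty-option threshold is this example's assumption.

```python
import re
from collections import Counter

# Constructed ip6tables log lines (not captured from a real host). The first
# mirrors the Topera SYN probe quoted above (nine empty "OPT ( )" strings);
# the second is an ordinary SYN logged without --log-ip-options.
SAMPLE_LOGS = [
    "Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT= "
    "MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd "
    "SRC=2012:1234:1234:0000:0000:0000:0000:0001 "
    "DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) "
    "OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Dec 20 20:11:02 rohan kernel: [  510.110233] DROP IN=eth0 OUT= "
    "MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd "
    "SRC=2012:1234:1234:0000:0000:0000:0000:0003 "
    "DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0",
]

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value fields; value may be empty (OUT=)
EMPTY_OPT_RE = re.compile(r"OPT \( \)")    # an IP options block logged with no content
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Assumed threshold: two or more empty option blocks on a single SYN is not
# something ordinary IPv6 hosts emit; baseline it on your own logs first.
MIN_EMPTY_OPTS = 2


def parse_ip6tables_line(line):
    """Split an ip6tables log line into its KEY=value fields.

    Also adds 'flags' (bare TCP flag tokens such as SYN) and 'empty_opts'
    (how many empty "OPT ( )" strings --log-ip-options produced).
    """
    fields = dict(KV_RE.findall(line))
    tokens = set(line.split())
    fields["flags"] = sorted(TCP_FLAGS & tokens)
    fields["empty_opts"] = len(EMPTY_OPT_RE.findall(line))
    return fields


def is_topera_style(fields, min_empty_opts=MIN_EMPTY_OPTS):
    """True for a pure TCP SYN whose IP options were logged as empty blocks.

    Without --log-ip-options the OPT strings never appear, so this check
    stays silent on such lines (psad covers that case by another path).
    """
    return (fields.get("PROTO") == "TCP"
            and fields["flags"] == ["SYN"]
            and fields["empty_opts"] >= min_empty_opts)


def scan_log(lines):
    """Count Topera-style probes per source address over a batch of log lines."""
    hits = Counter()
    for line in lines:
        fields = parse_ip6tables_line(line)
        if is_topera_style(fields) and "SRC" in fields:
            hits[fields["SRC"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in scan_log(SAMPLE_LOGS).items():
        print(f"{src}: {n} SYN probe(s) with a run of empty IP options")
```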

22 months ago: Parse fwsnort rules for 'msg' fields
Michael Rash [Tue, 18 Dec 2012 04:05:56 +0000]
Parse fwsnort rules for 'msg' fields

Added the ability to acquire Snort rule 'msg' fields from fwsnort if
it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
to look for the fwsnort rule set.  This fixes a problem reported by Pui
Edylie to the psad mailing list where fwsnort logged an attack that psad
could not map back to a descriptive 'msg' field.

22 months ago: added nmap scan style details to syslog output
Michael Rash [Sun, 16 Dec 2012 03:12:22 +0000]
added nmap scan style details to syslog output

22 months ago: completed IP protocol scan detection task
Michael Rash [Sun, 16 Dec 2012 03:06:31 +0000]
completed IP protocol scan detection task

22 months ago: added IP protocol scan output to psad emails
Michael Rash [Sun, 16 Dec 2012 03:03:26 +0000]
added IP protocol scan output to psad emails

22 months ago: additional regexes to look for perl warnings
Michael Rash [Sun, 16 Dec 2012 03:02:42 +0000]
additional regexes to look for perl warnings

22 months ago: [test suite] added --analysis-write-data to psad test command line
Michael Rash [Sat, 15 Dec 2012 02:04:31 +0000]
[test suite] added --analysis-write-data to psad test command line

22 months ago: added 'Other' protocols to per-IP 'Global stats' output for protocol scans
Michael Rash [Mon, 10 Dec 2012 02:31:22 +0000]
added 'Other' protocols to per-IP 'Global stats' output for protocol scans

22 months ago: remove 'multiproto' hash key in favor of new 'tot_protocols' hash key (used in -sO...
Michael Rash [Mon, 10 Dec 2012 02:22:50 +0000]
remove 'multiproto' hash key in favor of new 'tot_protocols' hash key (used in -sO protocol scan detection)

22 months ago: minor bug fix for uninitialized variable usage in ICMP6 invalid type/code detection
Michael Rash [Mon, 10 Dec 2012 02:14:46 +0000]
minor bug fix for uninitialized variable usage in ICMP6 invalid type/code detection

22 months ago: added IP protocol scan test
Michael Rash [Sat, 8 Dec 2012 03:34:08 +0000]
added IP protocol scan test

22 months ago: removed unused is_digit() function
Michael Rash [Sat, 8 Dec 2012 03:32:46 +0000]
removed unused is_digit() function

22 months ago: first cut at IP protocol scan detection (nmap -sO)
Michael Rash [Sat, 8 Dec 2012 02:23:22 +0000]
first cut at IP protocol scan detection (nmap -sO)

22 months ago: added 'protocols' file in support of IP protocol scan detection (nmap -sO)
Michael Rash [Sat, 8 Dec 2012 02:18:58 +0000]
added 'protocols' file in support of IP protocol scan detection (nmap -sO)

22 months ago: replaced TODO with todo.org org mode file
Michael Rash [Sat, 1 Dec 2012 19:36:08 +0000]
replaced TODO with todo.org org mode file

22 months ago: another hyphen fix
Michael Rash [Fri, 23 Nov 2012 03:17:00 +0000]
another hyphen fix

22 months ago: applied hyphen fix from Franck Joncourt
Michael Rash [Fri, 23 Nov 2012 03:16:00 +0000]
applied hyphen fix from Franck Joncourt

22 months ago: added Gregorio Narvaez
Michael Rash [Wed, 21 Nov 2012 02:00:00 +0000]
added Gregorio Narvaez

22 months ago: Bug fix for NetAddr::IP usage in --analysis-fields IP search mode
Michael Rash [Wed, 21 Nov 2012 01:58:00 +0000]
Bug fix for NetAddr::IP usage in --analysis-fields IP search mode

Bug fix in --Analyze mode when IP fields are to be searched with the
--analysis-fields argument (such as --analysis-fields "SRC:1.2.3.4").
The bug was reported by Gregorio Narvaez, and looked like this:

  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
  Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
  128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.

Added --stdin argument to allow psad to collect iptables log data from
STDIN in --Analyze mode.

2 years ago: bumped version to psad-2.3-pre1 (tag: psad-2.3-pre1)
Michael Rash [Tue, 12 Jun 2012 00:58:36 +0000]
bumped version to psad-2.3-pre1

2 years ago: minor comment wording update w.r.t. SYSLOG_DAEMON usage
Michael Rash [Tue, 12 Jun 2012 00:56:19 +0000]
minor comment wording update w.r.t. SYSLOG_DAEMON usage

2 years ago: INSTALL_ROOT resolution bug fix (found by Kat)
Michael Rash [Tue, 12 Jun 2012 00:55:50 +0000]
INSTALL_ROOT resolution bug fix (found by Kat)

2 years ago: removed legacy psadwatchd.conf file references
Michael Rash [Sun, 27 May 2012 01:30:50 +0000]
removed legacy psadwatchd.conf file references

2 years ago: bumped version to 2.2
Michael Rash [Sat, 21 Apr 2012 02:18:58 +0000]
bumped version to 2.2

2 years ago: Added install.answers.example file to illustrate install.pl answers to be consumed...
Michael Rash [Sat, 21 Apr 2012 02:17:03 +0000]
Added install.answers.example file to illustrate install.pl answers to be consumed by --Use-answers

2 years ago: changelog and credits update
Michael Rash [Sat, 21 Apr 2012 02:06:29 +0000]
changelog and credits update

2 years ago: Added the ability to automatically get query answers from --answers-file
Michael Rash [Sat, 21 Apr 2012 01:58:38 +0000]
Added the ability to automatically get query answers from --answers-file

By default the install.pl script records user answers to installation queries
so they can be used to install psad in an automated fashion later.  A new
option --Use-answers makes this possible.  This feature was requested by
@pyllyukko.

2 years ago: bumped version to psad-2.2-pre2 (tag: psad-2.2-pre2)
Michael Rash [Fri, 20 Apr 2012 01:59:43 +0000]
bumped version to psad-2.2-pre2

2 years ago: removed psad-nobuildreqs.spec
Michael Rash [Fri, 20 Apr 2012 01:25:52 +0000]
removed psad-nobuildreqs.spec

2 years ago: moved ChangeLog.old -> ChangeLog (the old style is much more readable)
Michael Rash [Fri, 20 Apr 2012 01:25:07 +0000]
moved ChangeLog.old -> ChangeLog (the old style is much more readable)

2 years ago: matched all chdir() calls with getcwd() for easier test suite support
Michael Rash [Fri, 20 Apr 2012 01:21:52 +0000]
matched all chdir() calls with getcwd() for easier test suite support

2 years ago: added the psad-require-makemaker.spec file
Michael Rash [Fri, 20 Apr 2012 01:20:52 +0000]
added the psad-require-makemaker.spec file

2 years ago: Removed the ExtUtils::MakeMaker build requirement
Michael Rash [Fri, 20 Apr 2012 01:13:58 +0000]
Removed the ExtUtils::MakeMaker build requirement

Although building the psad RPM builds a set of perl modules which themselves
have the 'use ExtUtils::MakeMaker' requirement in their respective Makefile.PL
scripts, some Linux distributions don't seem to make it easy to install
ExtUtils::MakeMaker in a manner in which the local RPM install can see it.
And, at the same time, it usually is there since installing perl modules is
such a common operation.  The compromise is this solution, which will allow the
psad RPM to be built even if RPM doesn't or can't see that ExtUtils::MakeMaker
is installed - most likely it will build anyway.  If it doesn't, there are
bigger problems since psad is written in perl.  If you want to build the psad
RPM with a .spec file that requires ExtUtils::MakeMaker, then use the
"psad-require-makemaker.spec" file that is bundled in the psad sources.

2 years ago: update to install the init script in the test dir in --install-test-dir mode
Michael Rash [Fri, 20 Apr 2012 01:13:15 +0000]
update to install the init script in the test dir in --install-test-dir mode

2 years ago: added guard variable around syslog() calls
Michael Rash [Thu, 19 Apr 2012 03:19:17 +0000]
added guard variable around syslog() calls

2 years ago: bug fix to expand INSTALL_ROOT variable from psad.conf
Michael Rash [Thu, 19 Apr 2012 03:18:56 +0000]
bug fix to expand INSTALL_ROOT variable from psad.conf

2 years ago: bug fix to ensure that a pristine psad.conf file is preserved across --install-test... (tag: psad-2.2-pre1)
Michael Rash [Wed, 18 Apr 2012 02:57:07 +0000]
bug fix to ensure that a pristine psad.conf file is preserved across --install-test-dir mode

2 years ago: Bug fix for undefined syslog routine
Michael Rash [Wed, 18 Apr 2012 02:23:31 +0000]
Bug fix for undefined syslog routine

Fixed a bug that caused psad to emit the following:

Undefined subroutine &main::LOG_DAEMON called at ./psad line 10071.

This problem was noticed by Robert and reported on the psad mailing list.

2 years ago: RPM spec files switched to NetAddr::IP installation
Michael Rash [Wed, 18 Apr 2012 00:44:16 +0000]
RPM spec files switched to NetAddr::IP installation

2 years ago: --test-system-install to allow current system installation of psad to be tested throu...
Michael Rash [Wed, 18 Apr 2012 00:42:42 +0000]
--test-system-install to allow current system installation of psad to be tested through the test suite

2 years ago: override -O option for fwcheck_psad.pl
Michael Rash [Wed, 18 Apr 2012 00:40:52 +0000]
override -O option for fwcheck_psad.pl

2 years ago: update psad RPM spec files for the 2.2 release - more updates coming to properly...
Michael Rash [Tue, 17 Apr 2012 01:34:04 +0000]
update psad RPM spec files for the 2.2 release - more updates coming to properly handle the NetAddr::IP modules

2 years ago: version 2.2 nearly ready - bumped version numbers
Michael Rash [Tue, 17 Apr 2012 01:27:08 +0000]
version 2.2 nearly ready - bumped version numbers

2 years ago: added signatures file that excludes the MS SQL connect signature
Michael Rash [Tue, 17 Apr 2012 01:17:50 +0000]
added signatures file that excludes the MS SQL connect signature

2 years ago: updated test config files to not require the 'mail' binary
Michael Rash [Tue, 10 Apr 2012 12:40:41 +0000]
updated test config files to not require the 'mail' binary

2 years ago: Minor compiler warning bug fix for OpenBSD systems.
Michael Rash [Sun, 25 Mar 2012 00:34:56 +0000]
Minor compiler warning bug fix for OpenBSD systems.

Compiling psad *.c files on OpenBSD issued the following warning before this fix:

/usr/bin/gcc -Wall -O psadwatchd.c psad_funcs.c strlcpy.c strlcat.c -o psadwatchd
psad_funcs.c: In function 'send_alert_email':
psad_funcs.c:325: warning: missing sentinel in function call

2 years ago: added IPv6 exclusion test for Snort MS SQL Server communication attempt signature
Michael Rash [Sat, 24 Mar 2012 14:08:48 +0000]
added IPv6 exclusion test for Snort MS SQL Server communication attempt signature

2 years ago: added Snort sig tests for MS SQL Server communication attempt
Michael Rash [Sat, 24 Mar 2012 13:25:00 +0000]
added Snort sig tests for MS SQL Server communication attempt

2 years ago: IPv4 allow valid echo request
Michael Rash [Sat, 24 Mar 2012 02:06:44 +0000]
IPv4 allow valid echo request

2 years ago: minor hostname update minastirith -> linux
Michael Rash [Sat, 24 Mar 2012 02:00:23 +0000]
minor hostname update minastirith -> linux

2 years ago: added IPv4 ICMP type/code validation test
Michael Rash [Sat, 24 Mar 2012 01:58:19 +0000]
added IPv4 ICMP type/code validation test

2 years ago: ICMP6 type/code validation test, perl warnings test
Michael Rash [Sat, 24 Mar 2012 01:09:38 +0000]
ICMP6 type/code validation test, perl warnings test

2 years ago: added ipv6_invalid_icmp6_type_code file for test suite support for ICMP6 type/code...
Michael Rash [Sat, 24 Mar 2012 01:08:59 +0000]
added ipv6_invalid_icmp6_type_code file for test suite support for ICMP6 type/code validation

2 years ago: bugfix for uninitialized variable in ICMP6 validation reporting
Michael Rash [Sat, 24 Mar 2012 01:07:41 +0000]
bugfix for uninitialized variable in ICMP6 validation reporting

2 years ago: validate ICMP6 type+code fields
Michael Rash [Fri, 23 Mar 2012 03:00:00 +0000]
validate ICMP6 type+code fields

2 years ago: copy original psad.conf before install and restore at conclusion
Michael Rash [Fri, 23 Mar 2012 00:41:08 +0000]
copy original psad.conf before install and restore at conclusion

2 years ago: move icmp validation code out of Snort rules comparison
Michael Rash [Fri, 23 Mar 2012 00:27:37 +0000]
move icmp validation code out of Snort rules comparison

For better performance and correctness, moved icmp type/code validation code out
of Snort rule comparison routine.  Added icmp validation output to --Analyze
mode output.  Disabled DNS lookups in -A mode by default, but added --dns-analysis
command line arg to provide an override.

2 years ago: added --install-root and --install-test-dir options to --help output
Michael Rash [Fri, 23 Mar 2012 00:26:53 +0000]
added --install-root and --install-test-dir options to --help output

2 years ago: added the ability to read iptables packet data from a file with -m in --Benchmark...
Michael Rash [Wed, 21 Mar 2012 01:15:38 +0000]
added the ability to read iptables packet data from a file with -m in --Benchmark mode

2 years ago: added IPv6 abbreviated format test
Michael Rash [Sun, 18 Mar 2012 17:43:48 +0000]
added IPv6 abbreviated format test

2 years ago: bugfix to honor auto_dl lines with IPv6 addresses
Michael Rash [Sun, 18 Mar 2012 17:32:13 +0000]
bugfix to honor auto_dl lines with IPv6 addresses

2 years ago: added --test-mode so that fw check emails are not sent, debug is enabled, and is_loca...
Michael Rash [Sun, 18 Mar 2012 02:00:09 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

2 years ago: added --test-mode so that fw check emails are not sent, debug is enabled, and is_loca...
Michael Rash [Sat, 17 Mar 2012 19:50:00 +0000]
added --test-mode so that fw check emails are not sent, debug is enabled, and is_local() always returns false

2 years ago: added enable_ack_detection.conf file
Michael Rash [Sat, 17 Mar 2012 19:48:55 +0000]
added enable_ack_detection.conf file

2 years ago: added IPv6 TCP connect() test
Michael Rash [Sat, 17 Mar 2012 18:11:30 +0000]
added IPv6 TCP connect() test

2 years ago: added TCP NULL scan test
Michael Rash [Sat, 17 Mar 2012 18:00:07 +0000]
added TCP NULL scan test

2 years ago: added NULL scan test
Michael Rash [Sat, 17 Mar 2012 01:31:01 +0000]
added NULL scan test

2 years ago: added FIN, XMAS, and ACK scan tests
Michael Rash [Sat, 17 Mar 2012 01:12:01 +0000]
added FIN, XMAS, and ACK scan tests

2 years ago: bugfix in psad to honor IGNORE_PROTOCOLS keyword (found by corresponding tests)
Michael Rash [Fri, 16 Mar 2012 00:44:20 +0000]
bugfix in psad to honor IGNORE_PROTOCOLS keyword (found by corresponding tests)

2 years ago: updated to remove kmsgsd discussion since kmsgsd is basically deprecated at this...
Michael Rash [Fri, 16 Mar 2012 00:41:40 +0000]
updated to remove kmsgsd discussion since kmsgsd is basically deprecated at this point

2 years ago: minor config file comment typo fixes
Michael Rash [Wed, 14 Mar 2012 01:43:37 +0000]
minor config file comment typo fixes

2 years ago: minor comment typo fixes
Michael Rash [Wed, 14 Mar 2012 01:23:44 +0000]
minor comment typo fixes

2 years ago: added auto_dl 5 tests
Michael Rash [Wed, 14 Mar 2012 01:17:02 +0000]
added auto_dl 5 tests

2 years ago: added SYN scan and UDP scan tests
Michael Rash [Wed, 14 Mar 2012 00:43:12 +0000]
added SYN scan and UDP scan tests

2 years ago: updated default INSTALL_ROOT path to the test/ directory install path test/psad-install
Michael Rash [Wed, 14 Mar 2012 00:38:41 +0000]
updated default INSTALL_ROOT path to the test/ directory install path test/psad-install

2 years ago: bugfix in variable expansion routine to ensure expansion of multiple sub-vars
Michael Rash [Wed, 14 Mar 2012 00:37:44 +0000]
bugfix in variable expansion routine to ensure expansion of multiple sub-vars

2 years ago: Added the ability to install at custom location
Michael Rash [Tue, 13 Mar 2012 01:34:03 +0000]
Added the ability to install at custom location

This commit adds the ability to install psad at a custom location via the
--install-root <root> command line argument to install.pl.  This feature
was suggested by @pyllyukko.  In addition, psad can be installed by a
normal user instead of requiring root.

2 years ago: additional basic operations tests, next up: scan tests
Michael Rash [Mon, 12 Mar 2012 02:41:17 +0000]
additional basic operations tests, next up: scan tests

2 years ago: added test suite scans/ directory
Michael Rash [Mon, 12 Mar 2012 02:38:55 +0000]
added test suite scans/ directory

2 years ago: added test suite via the test/ directory
Michael Rash [Sun, 11 Mar 2012 02:40:04 +0000]
added test suite via the test/ directory

2 years ago: bug fix to ensure the psadfifo file is not created unless is true
Michael Rash [Sun, 11 Mar 2012 01:44:46 +0000]
bug fix to ensure the psadfifo file is not created unless  is true

2 years ago: added PERL5LIB env variable so module installs can reference the current install...
Michael Rash [Sat, 10 Mar 2012 02:36:43 +0000]
added PERL5LIB env variable so module installs can reference the current install path, minor 'die' statement update to remove newlines

2 years ago: added support for ip6tables policy default log and drop rule detection
Michael Rash [Fri, 9 Mar 2012 02:44:12 +0000]
added support for ip6tables policy default log and drop rule detection

2 years ago: updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1
Michael Rash [Fri, 9 Mar 2012 02:40:43 +0000]
updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1

2 years ago: updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1
Michael Rash [Fri, 9 Mar 2012 02:39:09 +0000]
updated to IPTables::ChainMgr 1.2 and IPTables::Parse 1.1

2 years ago: fix 'qw(...) usage as parenthesis' warnings for perl > 5.14
Michael Rash [Tue, 21 Feb 2012 01:57:02 +0000]
fix 'qw(...) usage as parenthesis' warnings for perl > 5.14

2 years ago: minor comment updates (header material)
Michael Rash [Tue, 21 Feb 2012 01:54:23 +0000]
minor comment updates (header material)

2 years ago: updated Unix::Syslog to 1.1 from CPAN
Michael Rash [Fri, 10 Feb 2012 16:37:43 +0000]
updated Unix::Syslog to 1.1 from CPAN

2 years ago: fix 'qw(...) usage as parenthesis' warnings for perl > 5.14
Michael Rash [Sat, 14 Jan 2012 19:11:05 +0000]
fix 'qw(...) usage as parenthesis' warnings for perl > 5.14

2 years ago: added ip6tables policy dump to --fw-dump mode
Michael Rash [Fri, 23 Dec 2011 21:33:05 +0000]
added ip6tables policy dump to --fw-dump mode

2 years ago: bumped version to 3.0-pre1 (tag: psad-3.0-pre1)
Michael Rash [Wed, 14 Dec 2011 02:51:22 +0000]
bumped version to 3.0-pre1