3 years ago  bumped version to 3.0-pre1 psad-3.0-pre1
Michael Rash [Wed, 14 Dec 2011 02:51:22 +0000]
bumped version to 3.0-pre1

3 years ago  bug fix to parse iptables syslog date into a proper numeric time
Michael Rash [Wed, 14 Dec 2011 02:49:50 +0000]
bug fix to parse iptables syslog date into a proper numeric time

3 years ago  minor bug fix to call older passive OS fingerprinting routine for non-IPv6 packets
Michael Rash [Wed, 14 Dec 2011 01:28:46 +0000]
minor bug fix to call older passive OS fingerprinting routine for non-IPv6 packets

3 years ago  interim commit to maintain better separation between IPv4 and IPv6 passive OS fingerp...
Michael Rash [Tue, 13 Dec 2011 02:00:39 +0000]
interim commit to maintain better separation between IPv4 and IPv6 passive OS fingerprinting code

3 years ago  Added MAX_SCAN_IP_PAIRS
Michael Rash [Sat, 10 Dec 2011 19:49:21 +0000]

This commit allows psad memory usage to be constrained by restricting the
number of unique IP pairs that psad tracks via a new config variable
MAX_SCAN_IP_PAIRS.  This is useful for when psad is deployed on systems with
little memory, and is best utilized in conjunction with disabling
ENABLE_PERSISTENCE so that old scans will also be deleted (and thereby making
room for tracking new scans under the MAX_SCAN_IP_PAIRS threshold).
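To make the interaction described in this commit concrete, here is an added illustration that is not psad's code (and is written in Python rather than psad's Perl): a hypothetical model of a scan table bounded the way MAX_SCAN_IP_PAIRS bounds it. The cap, the persistence switch and the idle-cycle counter used to expire quiet scans are assumptions chosen to show the behaviour the commit describes, not psad's actual data structures; the addresses are constructed documentation-range values.

```python
from typing import Dict, List, Tuple


class ScanTracker:
    """Hypothetical model of a bounded scan table (illustration, not psad's code).

    Every tracked (source, destination) pair costs memory, so at most
    max_scan_ip_pairs of them are kept. With persistence enabled a pair is
    never expired; with it disabled a pair that has seen no packets for
    idle_cycles_threshold update cycles is deleted, which frees a slot for a
    new pair under the cap (the idle counter is an assumption of this model).
    """

    def __init__(self, max_scan_ip_pairs: int, enable_persistence: bool,
                 idle_cycles_threshold: int = 2) -> None:
        self.max_scan_ip_pairs = max_scan_ip_pairs
        self.enable_persistence = enable_persistence
        self.idle_cycles_threshold = idle_cycles_threshold
        # (src, dst) -> {"pkts": packets seen, "idle": cycles since last packet}
        self.pairs: Dict[Tuple[str, str], Dict[str, int]] = {}
        self.untracked = 0  # packets for new pairs refused because the cap was hit

    def observe(self, src: str, dst: str) -> bool:
        """Record one logged packet; return False if the pair could not be tracked."""
        key = (src, dst)
        if key in self.pairs:
            self.pairs[key]["pkts"] += 1
            self.pairs[key]["idle"] = 0
            return True
        if len(self.pairs) >= self.max_scan_ip_pairs:
            self.untracked += 1
            return False
        self.pairs[key] = {"pkts": 1, "idle": 0}
        return True

    def end_cycle(self) -> int:
        """Age every pair by one cycle; without persistence, delete the quiet ones.
        Returns the number of pairs deleted."""
        for state in self.pairs.values():
            state["idle"] += 1
        if self.enable_persistence:
            return 0
        quiet = [k for k, s in self.pairs.items()
                 if s["idle"] >= self.idle_cycles_threshold]
        for k in quiet:
            del self.pairs[k]
        return len(quiet)


def simulate(enable_persistence: bool) -> Tuple[List[str], int]:
    """Three constructed scanners hit one host under a cap of two pairs.
    Returns the sources still tracked at the end and how many packets were refused."""
    t = ScanTracker(max_scan_ip_pairs=2, enable_persistence=enable_persistence)
    t.observe("192.0.2.10", "198.51.100.1")
    t.observe("192.0.2.11", "198.51.100.1")
    t.observe("192.0.2.12", "198.51.100.1")   # refused: the table is full
    t.end_cycle()
    t.observe("192.0.2.10", "198.51.100.1")   # .10 keeps scanning, .11 goes quiet
    t.end_cycle()                             # .11 expires only if persistence is off
    t.observe("192.0.2.12", "198.51.100.1")   # fits only if a slot was freed
    return sorted(src for src, _ in t.pairs), t.untracked


if __name__ == "__main__":
    print("persistence off:", simulate(False))
    print("persistence on: ", simulate(True))
```

With persistence disabled the quiet scanner is evicted and the third source is tracked; with it enabled the table stays full and every packet from the third source is refused, which is why the commit recommends pairing MAX_SCAN_IP_PAIRS with ENABLE_PERSISTENCE turned off on small systems.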

3 years ago  reworked how old scans are deleted, and added a new PERSISTENCE_CTR_THRESHOLD variabl...
Michael Rash [Sat, 10 Dec 2011 17:53:23 +0000]
reworked how old scans are deleted, and added a new PERSISTENCE_CTR_THRESHOLD variable to control this

3 years ago  update to not collect err packets in --no-ipt-errors mode
Michael Rash [Sat, 10 Dec 2011 15:37:25 +0000]
update to not collect err packets in --no-ipt-errors mode

3 years ago  Completed conversion to NetAddr::IP module
Michael Rash [Fri, 9 Dec 2011 20:40:26 +0000]
Completed conversion to NetAddr::IP module

This commit completes the conversion to the NetAddr::IP module for all IP
address comparisons.  Also re-worked Snort keyword matching to maximize

3 years ago  added the deps/NetAddr-IP directory
Michael Rash [Tue, 6 Dec 2011 01:52:15 +0000]
added the deps/NetAddr-IP directory

3 years ago  made --packets apply to --Analyze mode, man page doc fixes relative to the old psadfi...
Michael Rash [Tue, 6 Dec 2011 01:46:33 +0000]
made --packets apply to --Analyze mode, man page doc fixes relative to the old psadfifo file

3 years ago  Removed Net::IPv4Addr module for NetAddr:IP replacement
Michael Rash [Mon, 1 Aug 2011 01:23:28 +0000]
Removed Net::IPv4Addr module for NetAddr:IP replacement

The Net::IPv4Addr module does not handle IPv6 addresses, and so it will be
replaced with the NetAddr:IP module.

3 years ago  Added code to separate ipv4 vs. ipv6 p0f attempts
Michael Rash [Sat, 30 Jul 2011 02:15:12 +0000]
Added code to separate ipv4 vs. ipv6 p0f attempts

There are not yet any IPv6 fingerprints for p0f, so psad needs to ensure that
its p0f implementation over iptables log messages is restricted to IPv4
packets.  This change will make it easier to integrate an IPv6 implementation
of p0f as well.

3 years ago  Renamed ChangeLog -> ChangeLog.old
Michael Rash [Wed, 27 Jul 2011 02:42:33 +0000]
Renamed ChangeLog -> ChangeLog.old

Renamed the original ChangeLog -> ChangeLog.old and replaced it with output from
'git log'.

3 years ago  Updated to the latest p0f signatures from OpenBSD
Michael Rash [Wed, 27 Jul 2011 00:54:24 +0000]
Updated to the latest p0f signatures from OpenBSD

Updated to the latest p0f signatures in the pf.os file from the OpenBSD

3 years ago  Bug fix for scan sources reported as destinations
Michael Rash [Wed, 27 Jul 2011 00:41:35 +0000]
Bug fix for scan sources reported as destinations

In the /var/log/psad/<ip>/ directories, whois information is stored in the
<IP>_whois files, and the IP in the filename was included as a destination IP
under the psad -S output.  This commit fixes this bug.  Here is an example of
the invalid output:

[+] IP Status Detail:

SRC:, DL: 2, Dsts: 2, Pkts: 1, Unique sigs: 1, Email alerts: 1

    DST:, Local IP
        Scanned ports: TCP 1433, Pkts: 1, Chain: INPUT, Intf: eth0
        Signature match: "MISC Microsoft SQL Server communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 1433, SYN, Sid: 100205

3 years ago  Added 'udplite' as a supported protocol
Michael Rash [Wed, 27 Jul 2011 00:38:52 +0000]
Added 'udplite' as a supported protocol

iptables can produce log messages for the udplite protocol (IP protocol 136),
and this commit starts to work in udplite support after such messages have
been parsed.

3 years ago  Added the ENABLE_IPV6_DETECTION variable
Michael Rash [Tue, 26 Jul 2011 02:13:09 +0000]
Added the ENABLE_IPV6_DETECTION variable

The ENABLE_IPV6_DETECTION variable controls whether psad will parse or ignore
IPv6 iptables log messages.  This is enabled by default.

3 years ago  Make ENABLE_* vars accept case-insensitive values
Michael Rash [Tue, 26 Jul 2011 02:09:11 +0000]
Make ENABLE_* vars accept case-insensitive values

Allow ENABLE_* psad.conf variables to have values like 'y', 'n', 'Yes', 'No',

3 years ago  Bug fix for ICMP time exceeded packets for TCP
Michael Rash [Tue, 26 Jul 2011 01:42:57 +0000]
Bug fix for ICMP time exceeded packets for TCP

TCP connections can be met with ICMP time exceeded messages, and this fix
ensures that they are recognized.  Here is an example of such a message:

Jan 24 23:21:46 minastirith kernel: [711473.921049] DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:24:ea:81:08:00 SRC= DST= LEN=355 TOS=0x00
Jan 25 11:31:32 minastirith kernel: [755260.336492] DROP INVALID IN=eth0 OUT= MAC=00:13:46:3a:41:36:00:01:5c:24:ea:81:08:00 SRC= DST= LEN=56 TOS=0x00 PREC=0x20 TTL=240 ID=11594 PROTO=ICMP TYPE=11 CODE=0 [SRC= DST= LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=18273 MF PROTO=TCP INCOMPLETE [8 bytes] ]

3 years ago  Added call to get_connected_subnets() in -A mode.
Michael Rash [Tue, 26 Jul 2011 01:17:24 +0000]
Added call to get_connected_subnets() in -A mode.

Make sure to get local networks in --Analyze mode for is_local() checks.

3 years ago  Bugfix introduced by edc028d46d83cd3f6952e0dde99ebd731366a2f6
Michael Rash [Tue, 26 Jul 2011 01:07:20 +0000]
Bugfix introduced by edc028d46d83cd3f6952e0dde99ebd731366a2f6

Bugfix to make sure that protocol counters are written to the counters file
via the proper filehandle.

3 years ago  Minor wording update for syslog messages parsing
Michael Rash [Tue, 26 Jul 2011 01:00:29 +0000]
Minor wording update for syslog messages parsing

Minor documentation update to better describe the default parsing behavior of
psad (non-usage of the psadfifo and kmsgsd by default).

3 years ago  Minor update Netfilter -> iptables wording
Michael Rash [Tue, 26 Jul 2011 00:27:55 +0000]
Minor update Netfilter -> iptables wording

It is more proper to refer to iptables in the context of psad operations, so
changed all "Netfilter" references to "iptables".

3 years ago  Minor change to rework global protocol counters
Michael Rash [Mon, 25 Jul 2011 02:06:54 +0000]
Minor change to rework global protocol counters

Minor restructuring to be able to more easily support protocols that are
logged via iptables via a 'defined' check on a global protocol tracking

3 years ago  Minor filehandle warning bug fix.
Michael Rash [Sun, 24 Jul 2011 19:54:28 +0000]
Minor filehandle warning bug fix.

perl likes to generate warnings like the one seen below if the STDOUT or STDERR
filehandles are closed when going into daemon mode and other filehandles are
used.  This change removes closing these filehandles when psad is run as a

Sun Jul 24 14:27:44 2011 psad v2.1.8-pre2 pid: 11675 Filehandle STDOUT reopened as F only for input at /usr/sbin/psad line 9924.

3 years ago  Minor update in filehandle usage for mail messages
Michael Rash [Sat, 23 Jul 2011 14:39:17 +0000]
Minor update in filehandle usage for mail messages

Minor change to try and avoid the following warning messages logged to

Sun Nov 28 12:09:44 2010 psad v2.1.8-pre1 (file rev: 2309) pid: 1600 Filehandle STDERR reopened as F only for input at /usr/sbin/psad line 9756.

It is likely that other changes will be necessary in order to completely stop
these messages.

3 years ago  Implemented parsing support for IPv6 via ip6tables
Michael Rash [Sat, 23 Jul 2011 14:18:56 +0000]
Implemented parsing support for IPv6 via ip6tables

This is the first major commit for IPv6 support, and starts with the ability to
parse IPv6 log messages for the following protocols: TCP, UDP, UDPLITE, and
ICMP6.  Scans and signature matches are not yet detected, but that is coming
soon.  Here are a few example ip6tables logging messages that psad now

Jul 21 19:07:39 minastirith kernel: [1912155.755862] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=59 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=35186 DPT=12345 LEN=19
Jul 21 19:07:39 minastirith kernel: [1912155.755921] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=107 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 [SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=59 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=35186 DPT=12345 LEN=19 ]
Jul 21 19:07:40 minastirith kernel: [1912156.845421] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=21264 SEQ=1
Jul 21 19:07:40 minastirith kernel: [1912156.845478] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=21264 SEQ=1
Jul 21 19:08:15 minastirith kernel: [1912191.806437] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=32752 RES=0x00 SYN URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.806509] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=55551 WINDOW=32728 RES=0x00 ACK SYN URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.806570] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.835221] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=111 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=55551 WINDOW=256 RES=0x00 ACK PSH URGP=0
Jul 21 19:08:15 minastirith kernel: [1912191.835292] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK URGP=0
Jul 21 19:08:17 minastirith kernel: [1912194.391506] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK FIN URGP=0
Jul 21 19:08:17 minastirith kernel: [1912194.392596] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=55551 WINDOW=256 RES=0x00 ACK FIN URGP=0
Jul 21 19:08:17 minastirith kernel: [1912194.392678] IPv6 Packet IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0001 DST=0000:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=256 RES=0x00 ACK URGP=0

3 years ago  Moved running as root check into is_root()
Michael Rash [Wed, 13 Jul 2011 02:07:29 +0000]
Moved running as root check into is_root()

Minor update to put the running as root check into a new is_root() function.

3 years ago  Minor copyright update
Michael Rash [Wed, 13 Jul 2011 02:05:12 +0000]
Minor copyright update

Updated the copyright date to 2011.

3 years ago  Minor variable initialization update
Michael Rash [Wed, 13 Jul 2011 02:02:30 +0000]
Minor variable initialization update

Minor change to make sure to initialize a few global variables.

3 years ago  Removed "$Id$" tags (meaningless for git)
Michael Rash [Fri, 17 Jun 2011 11:59:29 +0000]
Removed "$Id$" tags (meaningless for git)

All "$Id$" expansion tags were removed since they were a hold-over from the
svn days.  This also meant that the "file revision: <N>" output for "psad -V"
was removed too.

4 years ago  minor comment bug fix
Michael Rash [Wed, 29 Dec 2010 01:28:27 +0000]
minor comment bug fix

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2315 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  bumped version to 2.1.8-pre2
Michael Rash [Thu, 25 Nov 2010 18:01:57 +0000]
bumped version to 2.1.8-pre2

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2313 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  - Altered the 'ET MALWARE Bundleware Spyware CHM Download' Snort rule in
Michael Rash [Thu, 25 Nov 2010 18:01:43 +0000]
- Altered the 'ET MALWARE Bundleware Spyware CHM Download' Snort rule in
the bundled Emerging Threats rule set to make sure that ClamAV does not
flag on the pattern "mhtml\:file\://" which is associated with the
following ClamAV signature:

$ grep Exploit.HTML.MHTRedir-8 main.ndb

An analysis of this issue was posted here:

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2312 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  - Bug fix for ICMP packet handling where psad would incorrectly interpret
Michael Rash [Thu, 25 Nov 2010 16:02:29 +0000]
- Bug fix for ICMP packet handling where psad would incorrectly interpret
  ICMP port unreachable messages as UDP packets because the UDP specifics
  are included in the iptables log message.  This bug was first reported by
  Lukas Baxa to the Debian maintainers and was followed up by Franck

  An example ICMP log message that exposed the bug is included below:

  Sep  8 18:04:26 baxic kernel: [28241.572876] IN_DROP IN=wlan0
  OUT= MAC=00:1a:9f:91:df:ae:00:21:27:e8:0a:a0:08:00
  SRC= DST= LEN=96 TOS=0x00 PREC=0xC0 TTL=254
  [SRC= DST= LEN=68 TOS=0x00 PREC=0x00 TTL=0
  ID=22458 PROTO=UDP SPT=35080 DPT=33434 LEN=48 ]

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2311 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
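The three log shapes that the commits above deal with (an ICMP time exceeded message quoting a TCP header, ip6tables messages for TCP and ICMPv6, and an ICMP port unreachable quoting the UDP probe that triggered it) can be handled by one parsing routine. The following is an added example, not psad's own code, written in Python rather than psad's Perl; the sample lines are constructed with documentation addresses and follow the iptables LOG field layout as quoted in these commits. The point it makes is the one this bug fix makes: the bracketed inner header belongs to the packet the ICMP error quotes, so its PROTO=UDP must not turn the message itself into a UDP packet.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample lines in the iptables/ip6tables LOG target format. The
# addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 2001:db8::/32); the shapes mirror the messages quoted in the commits.
SAMPLES = [
    # IPv4 ICMP port unreachable (type 3, code 3) answering a UDP probe; the
    # bracketed tail is the header of the UDP datagram being answered.
    "Sep  8 18:04:26 baxic kernel: [28241.572876] IN_DROP IN=wlan0 OUT= "
    "MAC=00:1a:9f:91:df:ae:00:21:27:e8:0a:a0:08:00 SRC=192.0.2.1 DST=192.0.2.2 "
    "LEN=96 TOS=0x00 PREC=0xC0 TTL=254 ID=0 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.0.2.2 DST=192.0.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=0 ID=22458 "
    "PROTO=UDP SPT=35080 DPT=33434 LEN=48 ]",
    # IPv4 ICMP time exceeded (type 11) answering a TCP segment whose quoted
    # header was truncated, so iptables prints INCOMPLETE instead of ports.
    "Jan 25 11:31:32 minastirith kernel: [755260.336492] DROP INVALID IN=eth0 OUT= "
    "MAC=00:13:46:3a:41:36:00:01:5c:24:ea:81:08:00 SRC=192.0.2.3 DST=192.0.2.2 "
    "LEN=56 TOS=0x00 PREC=0x20 TTL=240 ID=11594 PROTO=ICMP TYPE=11 CODE=0 "
    "[SRC=192.0.2.2 DST=198.51.100.7 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=18273 "
    "MF PROTO=TCP INCOMPLETE [8 bytes] ]",
    # ip6tables ICMPv6 destination unreachable (type 1, code 4 = port
    # unreachable) quoting a UDP header.
    "Jul 21 19:07:39 minastirith kernel: [1912155.755921] IPv6 Packet IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=2001:db8::1 DST=2001:db8::1 "
    "LEN=107 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=1 CODE=4 "
    "[SRC=2001:db8::1 DST=2001:db8::1 LEN=59 TC=0 HOPLIMIT=64 FLOWLBL=0 "
    "PROTO=UDP SPT=35186 DPT=12345 LEN=19 ]",
    # ip6tables TCP SYN to port 22, no embedded header.
    "Jul 21 19:08:15 minastirith kernel: [1912191.806437] IPv6 Packet IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=2001:db8::1 DST=2001:db8::1 "
    "LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=55551 DPT=22 WINDOW=32752 "
    "RES=0x00 SYN URGP=0",
]

# Syslog prefix for kernel messages, with the optional "[secs.usecs]" printk stamp.
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<msg>.*)$"
)
FLAG_TOKENS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "CWR", "ECE", "DF", "MF", "CE"}


def parse_fields(text: str) -> Dict[str, str]:
    """Turn 'K=V K=V FLAG ...' into a dict; bare flag tokens are stored as '1'.
    A repeated key (the UDP/TCP LEN printed after the IP LEN) is kept as KEY_L4."""
    # A truncated inner header is printed as 'INCOMPLETE [N bytes]'.
    text = re.sub(r"INCOMPLETE \[(\d+) bytes\]", r"INCOMPLETE=\1", text)
    fields: Dict[str, str] = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key + "_L4" if key in fields else key] = val
        elif tok in FLAG_TOKENS:
            fields[tok] = "1"
    return fields


def parse_iptables_log(line: str) -> Optional[dict]:
    """Parse one syslog line; None for anything that is not an iptables LOG message.
    The header quoted inside an ICMP/ICMPv6 error always starts with '[SRC=' and
    ends with ']'; it is returned separately as 'inner' so it cannot be confused
    with the outer packet."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    start = msg.find("IN=")
    if start < 0:
        return None
    body, inner = msg[start:], None
    emb = body.find(" [SRC=")
    if emb >= 0:
        inner_text = body[emb + 2:].rstrip()
        inner = parse_fields(inner_text[:-1] if inner_text.endswith("]") else inner_text)
        body = body[:emb]
    outer = parse_fields(body)
    return {
        "host": m.group("host"),
        "prefix": msg[:start].strip(),   # the --log-prefix text, e.g. "DROP INVALID"
        "ip_version": 6 if ":" in outer.get("SRC", "") else 4,
        "outer": outer,
        "inner": inner,
    }


def classify(line: str) -> Optional[Tuple[int, str, Optional[str], Optional[int]]]:
    """(ip_version, protocol, quoted_protocol, destination port) as a scan tracker
    should see the packet: an ICMP error counts as ICMP, never as the UDP/TCP
    probe it quotes, although the quoted destination port is still recorded."""
    rec = parse_iptables_log(line)
    if rec is None:
        return None
    proto = rec["outer"].get("PROTO", "UNKNOWN")
    quoted_hdr = rec["inner"] if proto in ("ICMP", "ICMPv6") else None
    port_src = quoted_hdr if quoted_hdr is not None else rec["outer"]
    quoted = quoted_hdr.get("PROTO") if quoted_hdr is not None else None
    dpt = int(port_src["DPT"]) if "DPT" in port_src else None
    return rec["ip_version"], proto, quoted, dpt


def counts_by_protocol(lines) -> Dict[str, int]:
    """Packets per outer protocol: the tally the port-unreachable fix restores."""
    counts: Dict[str, int] = {}
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result[1]] = counts.get(result[1], 0) + 1
    return counts
```

Running `counts_by_protocol(SAMPLES)` tallies two ICMP, one ICMPv6 and one TCP packet; a parser that simply took the last PROTO= it saw would have reported two UDP packets instead, which is exactly the misattribution this commit fixes.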

4 years ago  bumped version to 2.1.8-pre1
Michael Rash [Sat, 7 Aug 2010 12:50:18 +0000]
bumped version to 2.1.8-pre1

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2309 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  minor date update
Michael Rash [Sat, 7 Aug 2010 12:49:55 +0000]
minor date update

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2308 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  changed all instances of 'href' to 'hr'
Michael Rash [Sat, 7 Aug 2010 12:49:18 +0000]
changed all instances of 'href' to 'hr'

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2307 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  updated to whois-5.0.6
Michael Rash [Wed, 28 Jul 2010 02:45:39 +0000]
updated to whois-5.0.6

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2306 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  updated to whois-5.0.6
Michael Rash [Wed, 28 Jul 2010 02:44:29 +0000]
updated to whois-5.0.6

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2305 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  Changed all '_aref' instances to '_ar'
Michael Rash [Thu, 15 Jul 2010 03:42:11 +0000]
Changed all '_aref' instances to '_ar'

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2304 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  minor typo fix
Michael Rash [Wed, 14 Jul 2010 23:06:00 +0000]
minor typo fix

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2303 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  minor whois comment update
Michael Rash [Wed, 14 Jul 2010 22:45:45 +0000]
minor whois comment update

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2302 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  psad-2.1.7 release
Michael Rash [Wed, 14 Jul 2010 21:52:07 +0000]
psad-2.1.7 release

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2298 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  - Updated psad to issue whois lookups against IP addresses that are not
Michael Rash [Wed, 14 Jul 2010 21:02:07 +0000]
- Updated psad to issue whois lookups against IP addresses that are not
directly connected to the local system.  This is useful for example when
an internal system is scanning an external destination system, and the
scan is logged in the FORWARD chain.  Issuing whois lookups on the
internal system (frequently on RFC 1918 address space) is not usually
very useful, but issuing the whois lookup against the destination system
gives much more interesting data.  This feature can be disabled with the

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2297 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  - Added ENABLE_WHOIS_FORCE_ASCII to replace any non-ascii characters in
Michael Rash [Wed, 14 Jul 2010 15:00:07 +0000]
- Added ENABLE_WHOIS_FORCE_ASCII to replace any non-ascii characters in
whois data (which is common with whois lookups against Chinese IP
addresses for example) with the string "NA".  This option is disabled by
default, but can be useful if errors like the following are seen upon

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2296 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  bumped version to 2.1.7-pre1
Michael Rash [Mon, 12 Jul 2010 01:06:13 +0000]
bumped version to 2.1.7-pre1

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2294 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  (Dan A. Dickey) Added the ability to use the "ip" command from the
Michael Rash [Mon, 12 Jul 2010 01:05:46 +0000]
(Dan A. Dickey) Added the ability to use the "ip" command from the
iproute2 tools to acquire IP addresses from local interfaces.  Dan's
description is as follows: "...A main reason for doing this is in the
case of multi-homed hosts. ifconfig sets these up on an interface using
aliases, iproute2 does not.  So, for a multi-homed interface (eth0 with
multiple addresses), ifconfig -a only shows the first one configured and
not the rest.  ip addr shows all of the configured addresses...".

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2293 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  updated RPM spec files for the 2.1.6 release
Michael Rash [Fri, 9 Jul 2010 19:27:52 +0000]
updated RPM spec files for the 2.1.6 release

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2289 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  psad-2.1.6 release date
Michael Rash [Fri, 9 Jul 2010 19:23:46 +0000]
psad-2.1.6 release date

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2288 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  added ChangeLog detail to the Decode_Month() bug (specifically the error message...
Michael Rash [Fri, 9 Jul 2010 11:49:29 +0000]
added ChangeLog detail to the Decode_Month() bug (specifically the error message itself)

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2287 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  minor bug fix in legacy code to reference the selected syslog.conf for existence...
Michael Rash [Thu, 8 Jul 2010 11:47:19 +0000]
minor bug fix in legacy code to reference the selected syslog.conf for existence problems

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2286 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  bumped version to 2.1.6
Michael Rash [Thu, 8 Jul 2010 00:18:16 +0000]
bumped version to 2.1.6

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2285 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  minor ChangeLog update
Michael Rash [Thu, 8 Jul 2010 00:16:29 +0000]
minor ChangeLog update

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2284 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  tagged psad-2.1.6-pre4
Michael Rash [Fri, 2 Jul 2010 01:02:53 +0000]
tagged psad-2.1.6-pre4

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2282 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

4 years ago  - Bug fix for Decode_Month() call in DShield processing code to ensure
Michael Rash [Fri, 2 Jul 2010 01:02:04 +0000]
- Bug fix for Decode_Month() call in DShield processing code to ensure
proper month handling for iptables log message time stamps.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2281 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  applied man page spelling fix from Franck
Michael Rash [Tue, 2 Feb 2010 03:42:59 +0000]
applied man page spelling fix from Franck

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2280 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  minor spaces fix
Michael Rash [Tue, 2 Feb 2010 03:39:06 +0000]
minor spaces fix

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2279 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  minor copyright update
Michael Rash [Wed, 23 Dec 2009 02:13:47 +0000]
minor copyright update

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2278 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  minor formatting fix
Michael Rash [Wed, 2 Dec 2009 01:47:57 +0000]
minor formatting fix

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2277 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  minor wording fix
Michael Rash [Sat, 14 Nov 2009 03:17:33 +0000]
minor wording fix

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2276 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  minor wording fix (found by Simon)
Michael Rash [Sat, 14 Nov 2009 03:16:28 +0000]
minor wording fix (found by Simon)

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2275 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  minor usage() dashes fix
Michael Rash [Sat, 5 Sep 2009 18:56:06 +0000]
minor usage() dashes fix

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2274 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  For all RPM's built on the local system (Ubuntu for now), updated to reference the
Michael Rash [Sat, 5 Sep 2009 18:55:49 +0000]
For all RPM's built on the local system (Ubuntu for now), updated to reference the
"-nobuildreqs.spec" file so that the "BuildRequires: perl-ExtUtils-MakeMaker" directive
is not used.  Using this results in the following error on an Ubuntu system where no
software is installed/upgraded with RPM:

rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
error: cannot open Packages index using db3 - No such file or directory (2)
error: cannot open Packages database in /var/lib/rpm

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2273 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  For all RPM's built on the local system (Ubuntu for now), updated to reference the
Michael Rash [Sat, 5 Sep 2009 18:55:39 +0000]
For all RPM's built on the local system (Ubuntu for now), updated to reference the
"-nobuildreqs.spec" file so that the "BuildRequires: perl-ExtUtils-MakeMaker" directive
is not used.  Using this results in the following error on an Ubuntu system where no
software is installed/upgraded with RPM:

rpm: To install rpm packages on Debian systems, use alien. See README.Debian.
error: cannot open Packages index using db3 - No such file or directory (2)
error: cannot open Packages database in /var/lib/rpm

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2272 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  applied update patch to the psad.SlackBuild file from pyllyukko
Michael Rash [Thu, 3 Sep 2009 02:18:57 +0000]
applied update patch to the psad.SlackBuild file from pyllyukko

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2271 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  updated to include Sourcefire trademark mention
Michael Rash [Thu, 30 Jul 2009 06:11:13 +0000]
updated to include Sourcefire trademark mention

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2270 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

5 years ago  (Franck Joncourt) Found psad man page section errors with manpage-alert.
Michael Rash [Thu, 30 Jul 2009 06:10:52 +0000]
(Franck Joncourt) Found psad man page section errors with manpage-alert.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2269 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  bumped version to 2.1.6-pre3
Michael Rash [Wed, 1 Apr 2009 03:49:02 +0000]
bumped version to 2.1.6-pre3

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2267 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  (Franck Joncourt) finished off the --Override-config code for kmsgsd and HUP signal...
Michael Rash [Wed, 1 Apr 2009 03:48:41 +0000]
(Franck Joncourt) finished off the --Override-config code for kmsgsd and HUP signal handling, and added man page updates as well

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2266 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  bumped version to 2.1.6-pre2
Michael Rash [Sat, 28 Mar 2009 14:09:49 +0000]
bumped version to 2.1.6-pre2

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2264 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  - (Franck Joncourt) Added --Override-config feature so that alternate
Michael Rash [Sat, 28 Mar 2009 14:09:34 +0000]
- (Franck Joncourt) Added --Override-config feature so that alternate
configuration files can be specified on the command line to override
configuration variables in the standard /etc/psad/psad.conf file.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2263 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  bumped version to 2.1.6-pre1
Michael Rash [Tue, 24 Mar 2009 03:10:34 +0000]
bumped version to 2.1.6-pre1

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2261 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  - (Franck Joncourt) Submitted patches to fix stderr redirection for the
Michael Rash [Tue, 24 Mar 2009 03:09:35 +0000]
- (Franck Joncourt) Submitted patches to fix stderr redirection for the
usage of the mail binary, and to close stdout, stdin, and stderr when
running psad as a daemon.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2260 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  minor quoting update for mail command execution
Michael Rash [Sun, 22 Mar 2009 12:33:59 +0000]
minor quoting update for mail command execution

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2259 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  added Miroslav Grepl
Michael Rash [Sat, 21 Feb 2009 04:47:04 +0000]
added Miroslav Grepl

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2258 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  psad-2.1.5 release
Michael Rash [Sat, 21 Feb 2009 04:29:50 +0000]
psad-2.1.5 release

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2253 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  - Updated IPTables::Parse to 0.7.
Michael Rash [Sat, 21 Feb 2009 04:25:42 +0000]
- Updated IPTables::Parse to 0.7.
- Updated IPTables::ChainMgr to 0.9.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2252 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  - Bug fix when ENABLE_SYSLOG_FILE is enabled to run a preliminary regex
Michael Rash [Sat, 21 Feb 2009 04:22:05 +0000]
- Bug fix when ENABLE_SYSLOG_FILE is enabled to run a preliminary regex
match on each syslog message because kmsgsd is not running and therefore
has not gone through the kmsgsd tests for a properly structured iptables

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2251 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  minor wording update for SELinux policy path
Michael Rash [Sat, 21 Feb 2009 02:44:49 +0000]
minor wording update for SELinux policy path

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2250 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  (Miroslav Grepl) Contributed policy file to make psad compatible with SELinux.
Michael Rash [Sat, 24 Jan 2009 21:42:40 +0000]
(Miroslav Grepl) Contributed policy file to make psad compatible with SELinux.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2249 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  updated man page to remove confusing tab chars in syslog.conf psadfifo line
Michael Rash [Sat, 24 Jan 2009 21:38:35 +0000]
updated man page to remove confusing tab chars in syslog.conf psadfifo line

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2248 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  minor comment update to psad.conf
Michael Rash [Sun, 26 Oct 2008 22:58:35 +0000]
minor comment update to psad.conf

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2247 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  version 2.1.5-pre3
Michael Rash [Tue, 14 Oct 2008 11:43:06 +0000]
version 2.1.5-pre3

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2245 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  - Bug fix for local server ports not reported correctly under netstat
Michael Rash [Tue, 14 Oct 2008 11:42:43 +0000]
- Bug fix for local server ports not reported correctly under netstat
parsing (Franck Joncourt).

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2244 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  added check for the 'auto' directory in order to import all appropriate perl module...
Michael Rash [Sun, 31 Aug 2008 13:46:47 +0000]
added check for the 'auto' directory in order to import all appropriate perl module directories

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2243 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  Applied patch from Franck Joncourt to fix missing check for the 'mail' command
Michael Rash [Sun, 31 Aug 2008 13:45:23 +0000]
Applied patch from Franck Joncourt to fix missing check for the 'mail' command

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2242 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  bumped version to 2.1.5-pre2
Michael Rash [Fri, 29 Aug 2008 04:13:04 +0000]
bumped version to 2.1.5-pre2

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2240 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  dash fixes from Franck
Michael Rash [Fri, 29 Aug 2008 04:11:50 +0000]
dash fixes from Franck

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2239 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  dash fixes from Franck
Michael Rash [Fri, 29 Aug 2008 04:09:32 +0000]
dash fixes from Franck

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2238 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  added fwcheck_psad.8 file
Michael Rash [Fri, 29 Aug 2008 04:06:20 +0000]
added fwcheck_psad.8 file

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2237 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  bumped version to 2.1.5-pre1
Michael Rash [Wed, 27 Aug 2008 00:08:56 +0000]
bumped version to 2.1.5-pre1

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2235 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  - (Steve B) Submitted patch to fix a bug in the start() function in the
Michael Rash [Wed, 27 Aug 2008 00:08:36 +0000]
- (Steve B) Submitted patch to fix a bug in the start() function in the
Gentoo init script which caused psad to not be started and the error
"* ERROR: psad failed to start" to be generated.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2234 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  applied 'auto' heuristic from the fwknop project for finding perl module import subdi...
Michael Rash [Wed, 27 Aug 2008 00:08:17 +0000]
applied 'auto' heuristic from the fwknop project for finding perl module import subdirectories

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2233 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  added deps/ blurb for Franck
Michael Rash [Fri, 22 Aug 2008 03:48:43 +0000]
added deps/ blurb for Franck

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2232 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  updated 2.1.4 release date
Michael Rash [Fri, 22 Aug 2008 03:31:23 +0000]
updated 2.1.4 release date

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2226 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  version 2.1.4
Michael Rash [Fri, 22 Aug 2008 03:30:59 +0000]
version 2.1.4

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2225 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  updated RPM release date
Michael Rash [Fri, 22 Aug 2008 03:29:55 +0000]
updated RPM release date

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2224 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  added --no-deps support
Michael Rash [Fri, 22 Aug 2008 03:29:05 +0000]
added --no-deps support

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2223 91a0a83b-1414-0410-bf9a-c3dbc33e90b6

6 years ago  added blurb to ChangeLog about switching to the emerging-all.rules file
Michael Rash [Sat, 16 Aug 2008 14:05:18 +0000]
added blurb to ChangeLog about switching to the emerging-all.rules file

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2222 91a0a83b-1414-0410-bf9a-c3dbc33e90b6