Your message dated Mon, 22 Feb 2010 22:07:15 +0000
with message-id <[email protected]>
and subject line Bug#567897: fixed in psad 2.1.5-3
has caused the Debian Bug report #567897,
regarding psad: cobwebby package description
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
567897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567897
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: psad
Version: 2.1.5
Severity: wishlist
Tags: patch
PSAD's package description could do with some attention.
First, it thinks the latest version of Linux is 2.4.x, and claims to
support 2.2.x - in fact 2.4 is officially unsupported on oldstable.
Second, it has a rather hard to follow list of (lists of) features.
I've tried to tidy it into a clear bulleted list; if I've chopped it
up wrongly, my apologies, but that's more evidence it needs fixing.
And third, it claims to incorporate Snort signatures. The NEWS file
says those were thrown out a while ago.
Here's a more nitpicky package description review - don't bother
reading it if I've already convinced you to accept the patch!
> HomePage: http://www.cipherdyne.org/psad/
(That camelcase is unconventional, but should be harmless. So I
don't know why psad's PTS page doesn't show a link...)
> Package: psad
> Architecture: any
(Does the dependency on iptables save it from needing to specify
"except the kfreebsd-* release arches"?)
>[...]
> Description: The Port Scan Attack Detector
This is close to the style recommended by the Developers Reference,
but it would be closer without the capitalised definite article.
> PSAD is a collection of four lightweight system daemons written in
> Perl and in C that is designed to work with Linux firewalling code
> (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels)
So just say "with iptables", and drop all the references to 2.2/2.4
and ipchains/iptables throughout.
> to detect port scans. It features a set of highly configurable danger
(1)
> thresholds (with sensible defaults provided), verbose alert messages
(2)
> that include the source, destination, scanned port range, begin and
(2a) (2b) (2c) (2d)
> end times, tcp flags and corresponding nmap options (Linux 2.4.x
(2d') (2e) (2e'? No, 2f?)
> kernels only), reverse DNS info, email alerting, and automatic
(2g? No, 3!) (4) (5)
> blocking of offending ip addresses via dynamic configuration of
> ipchains/iptables firewall rulesets.
Plus some miscellaneous tweaks, such as using the shift key more for
Nmap, TCP, and IP (but fwsnort seems to be canonically lowercase).
> .
> In addition, for the 2.4.x kernels psad incorporates many
> of the tcp signatures included in Snort to detect highly suspect scans
> for:
> [...]
Discard all this; instead I've taken some text from the upstream
website. My patch has this instead:
Description: Port Scan Attack Detector
PSAD is a collection of four lightweight system daemons (in Perl and
C) designed to work with iptables to detect port scans. It features:
* a set of highly configurable danger thresholds (with sensible
defaults provided);
* verbose alert messages that include the source, destination,
scanned port range, beginning and end times, TCP flags, and
corresponding Nmap options;
* reverse DNS information;
* alerts via email;
* automatic blocking of offending IP addresses via dynamic firewall
configuration.
.
When combined with fwsnort and the Netfilter string match extension,
PSAD is capable of detecting many attacks described in the Snort rule
set that involve application layer data.
--
JBR
Ankh kak! (Ancient Egyptian blessing)
diff -ru psad-2.1.5.pristine/debian/control psad-2.1.5/debian/control
--- psad-2.1.5.pristine/debian/control 2010-01-31 23:33:53.000000000 +0000
+++ psad-2.1.5/debian/control 2010-02-01 00:40:00.000000000 +0000
@@ -6,7 +6,7 @@
Build-Depends: debhelper (>= 7), quilt
Standards-Version: 3.8.3
-HomePage: http://www.cipherdyne.org/psad/
+Homepage: http://www.cipherdyne.org/psad/
Package: psad
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}, ${perl:Depends},
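Review bot: on the `Homepage:` line, say in the changelog that this is a style-only change: control-file field names are not case-sensitive, so the old `HomePage:` spelling was already valid and the rename alone does not explain the missing PTS link raised in the report. The unchanged context still shows `quilt` in `Build-Depends` and `Standards-Version: 3.8.3`, so the hunk needs refreshing if either of those lines is edited in the same upload.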
@@ -17,23 +17,19 @@
Recommends: bastille
Suggests: fwsnort
Conflicts: bastille (<< 1:1.3.0-4)
-Description: The Port Scan Attack Detector
- PSAD is a collection of four lightweight system daemons written in
- Perl and in C that is designed to work with Linux firewalling code
- (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels)
- to detect port scans. It features a set of highly configurable danger
- thresholds (with sensible defaults provided), verbose alert messages
- that include the source, destination, scanned port range, begin and
- end times, tcp flags and corresponding nmap options (Linux 2.4.x
- kernels only), reverse DNS info, email alerting, and automatic
- blocking of offending ip addresses via dynamic configuration of
- ipchains/iptables firewall rulesets.
+Description: Port Scan Attack Detector
+ PSAD is a collection of four lightweight system daemons (in Perl and
+ C) designed to work with iptables to detect port scans. It features:
+ * a set of highly configurable danger thresholds (with sensible
+ defaults provided);
+ * verbose alert messages that include the source, destination,
+ scanned port range, beginning and end times, TCP flags, and
+ corresponding Nmap options;
+ * reverse DNS information;
+ * alerts via email;
+ * automatic blocking of offending IP addresses via dynamic firewall
+ configuration.
.
- In addition, for the 2.4.x kernels psad incorporates many
- of the tcp signatures included in Snort to detect highly suspect scans
- for:
- .
- * various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven)
- * DDoS tools (mstream, shaft)
- * advanced port scans (syn, fin, xmas) such as those made with nmap
- .
+ When combined with fwsnort and the Netfilter string match extension,
+ PSAD is capable of detecting many attacks described in the Snort rule
+ set that involve application layer data.
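Review bot: the first added paragraph carries over "four lightweight system daemons" unchanged from the removed text, while the other dated details (2.2.x/2.4.x kernels, ipchains, the bundled Snort signatures) were rechecked and dropped; please confirm the daemon count against 2.1.5 as well. The closing paragraph relies on fwsnort, which the context lines list only under `Suggests:`, so the conditional wording "When combined with fwsnort" should stay as it is. Also check that the continuation lines under each `*` bullet are indented so the list renders as intended in the long description.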
--- End Message ---
--- Begin Message ---
Source: psad
Source-Version: 2.1.5-3
We believe that the bug you reported is fixed in the latest version of
psad, which is due to be installed in the Debian FTP archive:
psad_2.1.5-3.debian.tar.gz
to main/p/psad/psad_2.1.5-3.debian.tar.gz
psad_2.1.5-3.dsc
to main/p/psad/psad_2.1.5-3.dsc
psad_2.1.5-3_amd64.deb
to main/p/psad/psad_2.1.5-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Franck Joncourt <[email protected]> (supplier of updated psad package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 13 Feb 2010 20:10:12 +0100
Source: psad
Binary: psad
Architecture: source amd64
Version: 2.1.5-3
Distribution: unstable
Urgency: low
Maintainer: Franck Joncourt <[email protected]>
Changed-By: Franck Joncourt <[email protected]>
Description:
psad - Port Scan Attack Detector
Closes: 567897
Changes:
psad (2.1.5-3) unstable; urgency=low
.
* Set /me as main maintainer.
* Switch to dpkg-source 3.0 (quilt) format:
+ Removed useless README.source which only documented quilt usage.
+ Removed BD on quilt.
+ Removed quilt framework from d.rules.
* Bumped up Standards-Version to 3.8.4 (no changes).
* Added Vcs fields in d.control.
* Refreshed long description with patch from Justin B Rye. (Closes: #567897)
* Added patch fixes_spelling.diff to fix spelling errors in the manpages.
* Added dependency against lsb-base (>= 3.0-6) to ensure the
/lib/lsb/init-functions can be sourced through the initscript.
* Refreshed d.watch so that we do not use uupdate anymore, since it is
useless with my workflow.
* Refreshed d.copyright following DEP5 guideline.
* Refreshed d.psad.docs:
+ Removed README.SYSLOG from the docs since psad does not use the fwdata
file anymore.
+ Removed duplicate entry for FW_HELP.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkuC9vMACgkQxJBTTnXAif7hVACfZmXCqffdR0YeTEpKba7Y/Pfn
9hkAnjVYIU2dv6WB7CluFFdWlUoFmmh1
=IP+w
-----END PGP SIGNATURE-----
--- End Message ---