psad-2.1.7 has been released:

Here is the ChangeLog (the most interesting feature is the better targeting
of whois lookups):

    - (Dan A. Dickey) Added the ability to use the "ip" command from the
      iproute2 tools to acquire IP addresses from local interfaces.  Dan's
      description is as follows: "...A main reason for doing this is in the
      case of multi-homed hosts. ifconfig sets these up on an interface using
      aliases, iproute2 does not.  So, for a multi-homed interface (eth0 with
      multiple addresses), ifconfig -a only shows the first one configured and
      not the rest.  ip addr shows all of the configured addresses...".
    - Added ENABLE_WHOIS_FORCE_ASCII to replace any non-ascii characters in
      whois data (which is common with whois lookups against Chinese IP
      addresses for example) with the string "NA".  This option is disabled by
      default, but can be useful if errors like the following are seen upon
      receiving an email alert from psad:

        <<< 554 5.6.1 Eight bit data not allowed
        554 5.0.0 Service unavailable

    - Updated psad to issue whois lookups against IP addresses that are not
      directly connected to the local system.  This is useful for example when
      an internal system is scanning an external destination system, and the
      scan is logged in the FORWARD chain.  Issuing whois lookups on the
      internal system (frequently on RFC 1918 address space) is not usually
      very useful, but issuing the whois lookup against the destination system
      gives much more interesting data.  This feature can be disabled with the
      new ENABLE_WHOIS_FORCE_SRC_IP variable.

Michael Rash | Founder
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271
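
The whois targeting and ASCII forcing described in the ChangeLog above, sketched in Python as an added example; it is not psad's own code. The function names, the sample `ip addr` output, the fallback to the source address when both ends are local, and the replacement of each run of non-ASCII characters (rather than each character) with "NA" are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip addr` output: eth0 carries two addresses without
# aliases, the multi-homed case the ChangeLog describes.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.10.1/24 brd 192.168.10.255 scope global eth0
    inet 192.168.20.1/24 brd 192.168.20.255 scope global secondary eth0
"""


def local_networks(ip_addr_output):
    """Return every IPv4 network configured on a local interface."""
    pattern = r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+)"
    return [ipaddress.ip_interface(m.group(1)).network
            for m in re.finditer(pattern, ip_addr_output, re.M)]


def whois_target(src, dst, nets, force_src=False):
    """Pick the address worth a whois lookup for one logged scan.

    force_src models ENABLE_WHOIS_FORCE_SRC_IP: always look up the source.
    Otherwise a directly connected source (e.g. an internal scanner seen in
    the FORWARD chain) is skipped in favour of the external destination.
    """
    def connected(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    if force_src or not connected(src):
        return src
    # Assumption: if both ends are local, fall back to the source.
    return dst if not connected(dst) else src


def force_ascii(whois_text):
    """Model ENABLE_WHOIS_FORCE_ASCII: keep the alert body 7-bit clean."""
    return re.sub(r"[^\x00-\x7f]+", "NA", whois_text)


if __name__ == "__main__":
    nets = local_networks(SAMPLE_IP_ADDR)
    print(whois_target("192.168.20.55", "203.0.113.9", nets))
    print(force_ascii("descr: \u4e2d\u56fd\u7535\u4fe1 Beijing"))
```

Dropping the secondary eth0 network from the list makes 192.168.20.55 look external, so the lookup goes to the internal scanner instead of the destination.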
