Hi all,

psad-2.2.1 has been released:

http://www.cipherdyne.org/psad/download/

Here is the ChangeLog:

- Added IP protocol scan detection (nmap -sO).  A new psad.conf variable
  PROTOCOL_SCAN_THRESHOLD defines the minimum number of different IP
  protocols (default = 5) that must be scanned before an alert is
  triggered.
- Added detection for Topera IPv6 scans when --log-ip-options is used in
  the ip6tables logging rule.  When this option is not used, the previous
  psad-2.2 release already detected Topera scans.  An example TCP SYN packet
  generated by Topera when --log-ip-options is used looks like this (note
  the series of empty IP options strings "OPT ( )"):

    Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT=
    MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd
    SRC=2012:1234:1234:0000:0000:0000:0000:0001
    DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64
    FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( )
    OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN
    URGP=0

- Bug fix in --Analyze mode when IP fields are to be searched with the
  --analysis-fields argument (such as --analysis-fields "SRC:1.2.3.4").
  The bug was reported by Gregorio Narvaez, and looked like this:

  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
  Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
  128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.

- Added --stdin argument to allow psad to collect iptables log data from
  STDIN in --Analyze mode.  This makes it easier to run iptables logs
  through psad from arbitrary files like so:

  # grep "IN=.*OUT=" /var/log/kern.log | psad -A --stdin

- Added the ability to acquire Snort rule 'msg' fields from fwsnort if
  it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
  to look for the fwsnort rule set.  This fixes a problem reported by Pui
  Edylie to the psad mailing list where fwsnort logged an attack that psad
  could not map back to a descriptive 'msg' field.
- Added the ability to set per-danger level timeouts when psad is
  configured to run in auto-blocking mode.  These timeouts are implemented
  with new AUTO_BLOCK_DL*_TIMEOUT variables - one for each of the five
  possible danger levels that may be assigned to a scanning IP address.
- Added the ability to throttle emails generated by psad via a new
  EMAIL_THROTTLE variable which is implemented as a per-IP threshold.  That
  is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
  many emails for each scanning IP as it would have normally.

Please let me know if there are any issues.

Thanks,

--Mike
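
Added example, not psad's own code: a small Python re-implementation of three of the checks described in the ChangeLog above (IP protocol scan detection against a PROTOCOL_SCAN_THRESHOLD-style threshold, spotting the repeated empty "OPT ( )" strings in a Topera ip6tables line, and a per-IP EMAIL_THROTTLE counter), run over constructed log lines. The parser, the function names, the Topera heuristic's minimum of five empty option strings, and the throttle arithmetic are all assumptions of this example; psad's actual Perl implementation may differ. The first sample line is the announcement's own Topera packet joined onto one line; the IPv4 lines are made up to resemble an nmap -sO probe and an ordinary two-protocol scan.

```python
import re
import sys
from collections import defaultdict

# Constructed sample log lines (no real traffic). Line 0 is the Topera
# example from the announcement; 192.0.2.10 probes six IP protocols,
# 198.51.100.7 only touches TCP and UDP.
SAMPLE_LOG = [
    "Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT= "
    "MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd "
    "SRC=2012:1234:1234:0000:0000:0000:0000:0001 "
    "DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) "
    "OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Dec 20 20:12:01 rohan kernel: [  590.000001] DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TTL=42 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 20 20:12:01 rohan kernel: [  590.000102] DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=28 TTL=42 ID=2 PROTO=UDP SPT=40000 DPT=53 LEN=8",
    "Dec 20 20:12:01 rohan kernel: [  590.000203] DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=28 TTL=42 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Dec 20 20:12:02 rohan kernel: [  590.000304] DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=20 TTL=42 ID=4 PROTO=47",
    "Dec 20 20:12:02 rohan kernel: [  590.000405] DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=20 TTL=42 ID=5 PROTO=50",
    "Dec 20 20:12:02 rohan kernel: [  590.000506] DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=20 TTL=42 ID=6 PROTO=51",
    "Dec 20 20:13:00 rohan kernel: [  648.000001] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=50 ID=7 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 20 20:13:00 rohan kernel: [  648.000102] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=28 TTL=50 ID=8 PROTO=UDP SPT=51000 DPT=123 LEN=8",
]

KV_RE = re.compile(r"(\w+)=(\S*)")       # KEY=VALUE tokens; OUT= yields ""
EMPTY_OPT_RE = re.compile(r"OPT \( \)")  # empty IP option as logged by ip6tables
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_iptables_line(line):
    """Turn one iptables/ip6tables log line into a dict of its fields.

    Tokens without '=' (timestamp, hostname, log prefix) are ignored; bare
    TCP flag tokens are collected under FLAGS and the number of empty
    'OPT ( )' strings under EMPTY_IP_OPTS. Duplicate keys keep the last value.
    """
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = sorted(t for t in line.split() if t in TCP_FLAGS)
    fields["EMPTY_IP_OPTS"] = len(EMPTY_OPT_RE.findall(line))
    return fields


def is_topera_like(fields, min_empty_opts=5):
    """Assumed heuristic (not psad's rule): an IPv6 SYN carrying a run of
    empty IP option strings, which the announcement shows Topera producing."""
    return (":" in fields.get("SRC", "")
            and "SYN" in fields["FLAGS"]
            and fields["EMPTY_IP_OPTS"] >= min_empty_opts)


def detect_protocol_scans(lines, threshold=5):
    """Return {SRC: sorted distinct PROTO values} for every source that hit
    at least `threshold` different IP protocols (PROTOCOL_SCAN_THRESHOLD
    defaults to 5 in psad.conf per the ChangeLog)."""
    protos_by_src = defaultdict(set)
    for line in lines:
        f = parse_iptables_line(line)
        if "SRC" in f and "PROTO" in f:
            protos_by_src[f["SRC"]].add(f["PROTO"])
    return {src: sorted(p) for src, p in protos_by_src.items()
            if len(p) >= threshold}


class EmailThrottle:
    """Per-IP throttle in the spirit of EMAIL_THROTTLE: with a value of N,
    only every Nth alert for a given source results in an email."""

    def __init__(self, throttle):
        self.throttle = int(throttle)
        self.counts = defaultdict(int)

    def should_send(self, src):
        self.counts[src] += 1
        n = self.counts[src]
        return self.throttle <= 1 or (n - 1) % self.throttle == 0


if __name__ == "__main__":
    # Mirrors the `grep "IN=.*OUT=" /var/log/kern.log | psad -A --stdin`
    # usage: read lines from STDIN when piped, else use the samples.
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    throttle = EmailThrottle(10)
    for src, protos in detect_protocol_scans(lines).items():
        if throttle.should_send(src):
            print("protocol scan from %s: %s" % (src, ", ".join(protos)))
    for line in lines:
        f = parse_iptables_line(line)
        if is_topera_like(f):
            print("Topera-like IPv6 SYN from %s (%d empty IP options)"
                  % (f["SRC"], f["EMPTY_IP_OPTS"]))
```

Run as-is it reports 192.0.2.10 for six protocols and flags the Topera line with nine empty option strings; piping real kern.log lines into it exercises the same parsing path the --stdin mode is meant for.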

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss