psad is an intrusion detection system built around iptables log messages to detect, alert, and (optionally) block port scans and other suspect traffic. For TCP scans psad analyzes TCP flags to determine the scan type (syn, fin, xmas, etc.) and corresponding command line options that could be supplied to nmap to generate such a scan. In addition, psad makes use of many TCP, UDP, and ICMP signatures contained within the Snort intrusion detection system (see http://www.snort.org/) to detect suspicious network traffic such as probes for common backdoors, DDoS tools, OS fingerprinting attempts, and more.
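The detection logic described above, parsing iptables LOG lines from syslog, reading the bare TCP flag tokens, mapping the flag set to a scan type and the nmap option that produces it, and flagging a source once it has touched several distinct ports, can be sketched in a few dozen lines. The block below is an added illustration written for this page, not psad's own Perl code: the log lines are constructed samples in the format the iptables LOG target emits, the five-port threshold is an assumed value (psad's real threshold is configurable), and the flag-to-scan-type table covers only the textbook combinations.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from psad or any real host). The layout
# mirrors what the iptables LOG target writes via syslog: KEY=VALUE fields
# followed, for TCP, by bare flag tokens such as SYN or FIN PSH URG.
SAMPLE_LOG = """\
Oct 29 03:15:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 29 03:15:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 29 03:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 29 03:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 29 03:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 29 03:15:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Oct 29 03:15:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP SPT=5000 DPT=161 LEN=8
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

# Flag set -> (scan type psad would name, nmap option that generates it).
# Only the textbook combinations are listed; anything else is "unknown".
SCAN_TYPES = {
    frozenset({"SYN"}): ("syn", "-sS"),
    frozenset({"FIN"}): ("fin", "-sF"),
    frozenset({"FIN", "PSH", "URG"}): ("xmas", "-sX"),
    frozenset(): ("null", "-sN"),
    frozenset({"ACK"}): ("ack", "-sA"),
}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_iptables_log(line):
    """Return the KEY=VALUE fields of an iptables LOG line plus a FLAGS entry
    holding the bare TCP flag tokens; return None for any other syslog line."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    # Flag tokens carry no '=' and are matched by exact name, so URGP=0 or
    # the DF (don't fragment) token are never mistaken for flags.
    fields["FLAGS"] = frozenset(t for t in line.split() if t in TCP_FLAGS)
    return fields


def classify_tcp_flags(flags):
    """Map a TCP flag set to (scan_type, nmap_option)."""
    return SCAN_TYPES.get(frozenset(flags), ("unknown", None))


def detect_scans(log_text, port_threshold=5):
    """Aggregate TCP log lines per source address. A source that has probed at
    least port_threshold distinct destination ports is reported, together with
    the scan types seen. The threshold value is an assumption for this example."""
    ports = defaultdict(set)
    flag_sets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_iptables_log(line)
        if rec is None or rec["PROTO"] != "TCP":
            continue
        ports[rec["SRC"]].add(int(rec["DPT"]))
        flag_sets[rec["SRC"]].add(rec["FLAGS"])
    report = {}
    for src, dports in ports.items():
        if len(dports) >= port_threshold:
            kinds = {classify_tcp_flags(f) for f in flag_sets[src]}
            report[src] = {
                "ports": sorted(dports),
                "scan_types": sorted(name for name, _ in kinds),
            }
    return report


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {info['scan_types']} scan across ports {info['ports']}")
```

Run on the constructed sample, only 203.0.113.5 crosses the port threshold and is reported as a syn scan; the single xmas probe from 198.51.100.7 is classified correctly by `classify_tcp_flags` but stays below the threshold, which is the usual trade-off between catching slow scans and avoiding alerts on stray packets.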
3.0 29 Oct 2018 03:15
- Switch to use the 'pkill' command by default instead of the 'killall'
command to stop processes.
- Switch to use the 'ss' command by default instead of 'netstat' to detect
- Switch to use the 'ip' command by default instead of 'ifconfig' to get
local IP/network information. This is configurable via the 'IFCFGTYPE'
variable in psad.conf.
- Remove syslog testing code from install.pl.
- Update the whois client to whois-5.3.2.
2.4.6 25 Jul 2018 03:15
- Add EMAIL_APPEND_HEADER to allow psad alerts to have custom email headers
appended to outbound emails. This uses the '-a' command line argument
offered by the 'mail' command. An example usage would be to set the
'From' email header.
2.4.5 11 Mar 2017 03:15
to include top signature matches in 'psad --Status' output. This
was reported by @joshlinx on github as.
2.4.2 11 Sep 2015 15:45
to apply the EMAIL_ALERT_DANGER_LEVEL threshold to auto-blocking.
- Updated IPTables::ChainMgr and IPTables::Parse to 1.4 and 1.5.
2.4.1 13 May 2015 19:45
- Bug fix to honor the IGNORE_PROTOCOLS configuration variable for
non-tcp/udp/icmp protocols. This bug was reported by Paul Versloot.
- Added two configuration variables ENABLE_WHOIS_LOOKUPS and
ENABLE_DNS_LOOKUPS (set to 'Y' by default) to allow whois and reverse
DNS lookups to be controlled from the command line.
- Bug fix for an uninitialized variable in 'psad -L' mode when auto
blocking is enabled. This bug was reported via github by
github user 'itoffshore'.
2.4.0 19 Mar 2015 17:21
- Added support for reading syslog messages from journalctl on systems where
syslog data is tied into systemd.
- Added support for the firewalld firewall that is built into systems like
Fedora 21.
- Added support for handling arbitrary time stamp formats that are supported
by some syslog daemons.