psad 3.0

psad is an intrusion detection system built around iptables log messages to detect, alert, and (optionally) block port scans and other suspect traffic. For TCP scans psad analyzes TCP flags to determine the scan type (syn, fin, xmas, etc.) and corresponding command line options that could be supplied to nmap to generate such a scan. In addition, psad makes use of many TCP, UDP, and ICMP signatures contained within the Snort intrusion detection system to detect suspicious network traffic such as probes for common backdoors, DDoS tools, OS fingerprinting attempts, and more.

Tags security intrusion-detection iptables firewalls linux port-scan nmap
License GNU GPL
State initial

Recent Releases

3.0 29 Oct 2018 03:15 major bugfix: Switch to use the 'pkill' command by default instead of the 'killall' command to stop processes. - Switch to use the 'ss' command by default instead of 'netstat' to detect local servers. - Switch to use the 'ip' command by default instead of 'ifconfig' to get local IP/network information. This is configurable via the 'IFCFGTYPE' variable in psad.conf. - Remove syslog testing code from - Update the whois client to whois-5.3.2.
2.4.6 25 Jul 2018 03:15 minor feature: Add EMAIL_APPEND_HEADER to allow psad alerts to have custom email headers appended to outbound emails. This uses the '-a' command line argument offered by the 'mail' command. An example usage would be to set the 'From' email header.
2.4.5 11 Mar 2017 03:15 minor bugfix: Bug fix to include top signature matches in 'psad --Status' output. This was reported by @joshlinx on github as.
2.4.2 11 Sep 2015 15:45 minor bugfix: Bug fix to apply the EMAIL_ALERT_DANGER_LEVEL threshold to auto-blocking emails. Updated IPTables::ChainMgr and IPTables::Parse to 1.4 and 1.5, respectively.
2.4.1 13 May 2015 19:45 minor feature: Bug fix to honor the IGNORE_PROTOCOLS configuration variable for non-tcp/udp/icmp protocols. This bug was reported by Paul Versloot. - Added two configuration variables ENABLE_WHOIS_LOOKUPS and ENABLE_DNS_LOOKUPS (set to 'Y' by default) to allow whois and reverse DNS lookups to be controlled from the command line. - Bug fix for an uninitialized variable in 'psad -L' mode when auto blocking is enabled. This bug was reported via github by github user 'itoffshore'.
2.4.0 19 Mar 2015 17:21 major feature: Added support for reading syslog messages from journalctl on systems where syslog data is tied into systemd. Added support for the firewalld firewall that is built into systems like Fedora 21. Added support for handling arbitrary time stamp formats that are supported by some syslog daemons.