IDS mailing list archives

psad-1.2 release


From: Michael Rash <mbr () cipherdyne com>
Date: Thu, 19 Jun 2003 11:04:00 -0400

What is psad?

    The Port Scan Attack Detector (psad) is a collection of four lightweight
    system daemons written in Perl and C that are designed to work with Linux
    firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x
    kernels) to detect port scans. It features a set of highly configurable danger
    thresholds (with sensible defaults provided), verbose alert messages that
    include the source, destination, scanned port range, begin and end times, tcp
    flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting,
    and automatic blocking of offending ip addresses via dynamic configuration
    of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels
    psad incorporates many of the tcp signatures included in Snort to
    detect highly suspect scans for various backdoor programs (e.g. EvilFTP,
    GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port
    scans (syn, fin, Xmas) which are easily leveraged against a machine via
    nmap.  Psad also implements passive operating system fingerprinting
    through the use of packet length, ttl, tos, ip id, and tcp window sizes.

Can I see some sample alerts?

    http://www.cipherdyne.com/psad/sample_alerts/

What has changed since psad-1.1.1?

    -Added passive OS fingerprinting based on packet ttl, length,
     tos, and id fields.
    -Added dshield.org alerting capability.
    -Added exec_external_script() for external script execution.
    -Added auto blocked timeouts.
    -Implemented config re-imports via HUP signals in a manner
     similar to various other system daemons (syslog, apache
     etc.)
    -Better --Status output that shows packet counts per protocol
     for each ip.
    -Added --ip-status for more verbose status output for a
     particular ip address.
    -Added config preservation code to install.pl.
    -Added Psad::psyslog().
    -Split psad.conf into a separate config file for each of the
     four psad daemons.
    -Completely re-worked the auto blocking code (made dedicated
     files for iptables and ipchains block methods).
    -Added danger level hash.
    -Minor code cleanups (shorter hash keys, etc.).

Where can I download it?

    psad is free and released under the GPL:

    http://www.cipherdyne.com/psad/download/psad-1.2.tar.gz

Is there a CVS repository?

    http://www.cipherdyne.com/cgi/viewcvs.cgi/psad/


--Mike

Michael Rash
http://www.cipherdyne.com
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
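The detection pipeline the announcement describes (parse iptables LOG lines, count distinct ports per source, map the count to a danger level, derive the corresponding nmap option from the TCP flags, and take a passive OS guess from ttl and window size) as an added Python example. This is not psad's own code (psad itself is written in Perl and C); the log lines, the danger thresholds and the fingerprint table are constructed for illustration, and the source addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample iptables LOG lines in the 2.4.x kernel format (not a real
# capture).  One source probes five TCP ports with SYN, another sends an Xmas
# probe (FIN PSH URG) and a UDP packet.
SAMPLE_LOG = """\
Jun 19 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:01:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=TCP SPT=1234 DPT=139 WINDOW=64240 RES=0x00 FIN PSH URG URGP=0
Jun 19 10:01:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=8 PROTO=UDP SPT=1234 DPT=53 LEN=8
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# iptables prints TCP flags and the IP DF bit as bare tokens, not key=value.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}

# Illustrative thresholds (distinct ports probed by one source -> danger level);
# psad's real defaults are set in its config and are not reproduced here.
DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}

# Constructed illustrative fingerprint table keyed on (initial TTL, TCP window);
# this is not psad's signature set.
OS_TABLE = {(64, 5840): "Linux 2.4", (128, 64240): "Windows 2000/XP"}


def parse_log_line(line):
    """Return the key=value fields of one LOG line plus a FLAGS set, or None."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = frozenset(t for t in line.split() if t in FLAG_TOKENS)
    return fields


def nmap_option(flags):
    """Map a TCP flag combination to the nmap scan type that produces it."""
    tcp = set(flags) - {"DF"}
    if tcp == {"SYN"}:
        return "-sS"
    if tcp == {"FIN"}:
        return "-sF"
    if tcp == {"FIN", "PSH", "URG"}:
        return "-sX"
    if not tcp:
        return "-sN"
    return None


def danger_level(port_count):
    """Highest level whose threshold the port count reaches (0 = none)."""
    level = 0
    for lvl, threshold in sorted(DANGER_LEVELS.items()):
        if port_count >= threshold:
            level = lvl
    return level


def initial_ttl(observed):
    """Round an observed TTL up to the likely initial value (hops decrement it)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def guess_os(fields):
    key = (initial_ttl(int(fields["TTL"])), int(fields.get("WINDOW", 0)))
    return OS_TABLE.get(key, "unknown")


def analyze(log_text):
    """Aggregate per-source evidence the way a detector would before alerting."""
    per_src = defaultdict(lambda: {"ports": set(), "proto": defaultdict(int),
                                   "nmap": set(), "os": set()})
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        rec = per_src[f["SRC"]]
        rec["ports"].add((f["PROTO"], int(f["DPT"])))
        rec["proto"][f["PROTO"]] += 1
        if f["PROTO"] == "TCP":
            opt = nmap_option(f["FLAGS"])
            if opt:
                rec["nmap"].add(opt)
            rec["os"].add(guess_os(f))
    return {src: {"ports": len(r["ports"]),
                  "danger": danger_level(len(r["ports"])),
                  "proto": dict(r["proto"]),
                  "nmap": sorted(r["nmap"]),
                  "os": sorted(r["os"])}
            for src, r in per_src.items()}


if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_LOG).items():
        print(src, summary)
```

The per-source record is what an alert or an auto-block decision would be built from: the danger level decides whether to notify, and the nmap option and OS guess give the analyst the context the announcement's alert messages carry. Because the TTL is rounded up to an initial value, a host several hops away still matches its table entry.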
