Release Notes: Integration with fwsnort was improved, so psad signature match syslog messages and email alerts now include the fwsnort rule number (for fwsnort version 0.9.0 and greater) and chain information. The Snort bleeding-all.rules signature file from the Bleeding Snort project was added. uname, ifconfig, and syslog process information were added to --Dump-conf output. The psad.SlackBuild script was added for building psad on Slackware systems. It uses the Cipherdyne cd_rpmbuilder script to first build an RPM, and then uses it to build a Slackware package.
Release Notes: All configuration variables were consolidated into the /etc/psad/psad.conf file. The kmsgsd.conf, psadwatchd.conf, alert.conf, and fw_search.conf files were all removed since the daemons now just reference psad.conf. A safe_malloc() function was added for kmsgsd.c and psadwatchd.c to ensure that a single API is used to perform a NULL check on heap-allocated memory. A bugfix was made to ensure that the psad_ip_len signature matching keyword is checked within match_snort_ip_keywords() so that it applies to packets of every protocol.
Release Notes: Snort rule matches were added to syslog alerts. Multiple matches can be controlled with new configuration variables in psad.conf: ENABLE_SIG_MSG_SYSLOG, SIG_MSG_SYSLOG_THRESHOLD, and SIG_SID_SYSLOG_THRESHOLD. A bugfix was made to include scanned UDP port ranges in syslog alerts. A bugfix was made to parse SEQ and ACK iptables log message fields. This allows the ipEye signature to work. --debug-sid was added to allow a specific Snort rule to be debugged while psad runs it through its detection engine. A bugfix was made to allow logging prefixes to omit trailing spaces.
Release Notes: This release removes the Psad.pm Perl module and the kmsgsd.pl and psadwatchd.pl scripts. In the previous scheme, psad imported its config with a function within Psad.pm, and this required that psad import the Psad Perl module before reading its config. A consequence was that the PSAD_LIBS_DIR var could not be specified usefully within the config file. The ability to recursively resolve embedded variables from *.conf files (with a limit of 20 resolution attempts) has been added. IGNORE_KERNEL_TIMESTAMP has been added so that the timestamp that some Linux distributions (Ubuntu, for example) prepend to all kernel messages can be ignored.
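The recursive variable resolution described above is easy to get wrong (a circular definition loops forever unless the attempt count is bounded). The following is an added example in Python, not psad's own Perl code: it parses a psad.conf-style fragment ("NAME value;" lines, "#" comments, "$NAME" references) and expands embedded variables pass by pass with the same 20-attempt limit. The sample config is constructed; PSAD_ERR_DIR is an invented variable name, the others merely follow psad's naming style.

```python
import re

# The release notes give a limit of 20 resolution attempts; the same limit is used here.
MAX_RESOLVE_ATTEMPTS = 20

# Constructed psad.conf-style fragment (example data, not a shipped config file).
# IPT_ERROR_FILE references PSAD_ERR_DIR before it is defined, and PSAD_ERR_DIR
# itself embeds another variable, so that value needs two resolution passes.
SAMPLE_CONF = """\
### psad directories (constructed example; PSAD_ERR_DIR is invented)
PSAD_DIR            /var/log/psad;
PSAD_RUN_DIR        /var/run/psad;
PSAD_LIBS_DIR       /usr/lib/psad;
IPT_ERROR_FILE      $PSAD_ERR_DIR/fwdata.err;
PSAD_ERR_DIR        $PSAD_DIR/errs;
IPT_OUTPUT_FILE     $PSAD_DIR/fwdata;
PSAD_FIFO_FILE      $PSAD_RUN_DIR/psadfifo;
"""

CONF_LINE_RE = re.compile(r'^([A-Z0-9_]+)\s+(.+?)\s*;$')
EMBEDDED_VAR_RE = re.compile(r'\$([A-Z0-9_]+)')


def parse_conf(text):
    """Parse 'NAME  value;' lines into a dict; '#' starts a comment."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = CONF_LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed config line {raw!r}")
        conf[m.group(1)] = m.group(2)
    return conf


def resolve_vars(conf, max_attempts=MAX_RESOLVE_ATTEMPTS):
    """Expand $NAME references in every value, re-scanning until none remain.

    One pass substitutes each $NAME with the current value of NAME, which may
    itself still contain references; each pass is one resolution attempt.  A
    circular definition never converges, so the attempt limit turns it into an
    error instead of an infinite loop.
    """
    resolved = dict(conf)

    def lookup(name, referrer):
        if name not in resolved:
            raise KeyError(f"{referrer} references undefined variable ${name}")
        return resolved[name]

    for key in list(resolved):
        value = resolved[key]
        attempts = 0
        while EMBEDDED_VAR_RE.search(value):
            attempts += 1
            if attempts > max_attempts:
                raise ValueError(f"{key}: embedded variables still unresolved after "
                                 f"{max_attempts} attempts (circular definition?): {value!r}")
            value = EMBEDDED_VAR_RE.sub(lambda m: lookup(m.group(1), key), value)
        resolved[key] = value
    return resolved


def resolution_error(conf):
    """Return the error message for a config that cannot be resolved, or None."""
    try:
        resolve_vars(conf)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    for name, value in resolve_vars(parse_conf(SAMPLE_CONF)).items():
        print(f"{name:<18} {value}")
    # A two-variable cycle hits the attempt limit instead of spinning forever.
    print(resolution_error({'A': '$B', 'B': '$A'}))
```

Because every value is re-scanned after each substitution, definition order in the file does not matter, and PSAD_LIBS_DIR can be set from the config itself, which is the point the notes make about dropping Psad.pm.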
Release Notes: The ability to download the latest signatures from cipherdyne.org in install.pl was added. The cd_rpmbuilder script was added to make it easy to build RPMs out of CipherDyne projects by automatically downloading the project .tar.gz and .spec files from http://www.cipherdyne.org/. MIN_DANGER_LEVEL was added to allow all alerts and /var/log/psad/IP tracking to be disabled unless an attacker reaches at least this danger level. A bug in which elements of the connected_subnets_cidr array were not properly included was fixed. A bug was fixed so that no more than TOP_IP_LOG_THRESHOLD IP addresses are printed in the top attackers section.
Release Notes: The Nachi worm reconnaissance ICMP signature was added. The psad_ip_len signature keyword was added to allow the length field in the IP header to be explicitly tested. Inappropriate removal of some directories in @INC when splicing in psad Perl module paths was fixed. The nf2csv installation path in install.pl was switched to /usr/bin/.
Release Notes: This release adds support for the Snort keywords ttl, id, seq, ack, window, icmp_id, icmp_seq, itype, icode, ipopts, and sameip. It adds support for automatically downloading signature updates from the cipherdyne.org website. It has better --Analyze output that includes the top attackers, scanned ports, and signature matches. CSV output has been added so that Netfilter logs can be visualized with the AfterGlow project. There is an auto-response bugfix so that the response config is re-initialized after receiving a HUP signal.
Release Notes: This release adds the ability to get the auto-blocking status for a specific IP address in --status-ip mode. There is a bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration variables. There is a bugfix to restore "start" functionality in the Gentoo init script. The ability to selectively disable psad auto-blocking email messages has been added. A more rigorous IP matching regex has been added.
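Several of the notes above concern how psad turns an iptables LOG line into fields that Snort-style keywords can test: the ttl/id/seq/ack/window/itype/icode/sameip keywords, the SEQ and ACK fields needed by the ipEye signature, the psad_ip_len keyword for the IP length field, IGNORE_KERNEL_TIMESTAMP, and a stricter IP address regex. The block below is an added example in Python (psad itself is Perl, and this is not its code) that parses constructed iptables LOG lines and runs a small constructed rule set against them. The log lines are made up; the rules are written as Python dicts rather than Snort syntax, and the ipEye rule's seq value is quoted from memory of the Snort "SCAN ipEye SYN scan" signature and should be checked against the shipped signature file.

```python
import re

# Constructed iptables LOG lines (not captured from a real host). The second one
# carries the "[ seconds.micros]" prefix Ubuntu adds to kernel messages and was
# logged without --log-tcp-sequence, so it has no SEQ/ACK fields. The third is an
# ICMP echo request: ID= and SEQ= appear twice, first for the IP header and then
# for the ICMP header.
SAMPLE_LOGS = [
    "Jul 15 12:00:01 gw kernel: DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 "
    "SRC=192.168.1.50 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP "
    "SPT=10101 DPT=22 SEQ=1958810375 ACK=0 WINDOW=512 RES=0x00 SYN URGP=0",
    "Jul 15 12:00:02 gw kernel: [ 4711.123456] DROP IN=eth0 OUT= "
    "SRC=192.168.1.50 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=256 PROTO=TCP "
    "SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jul 15 12:00:03 gw kernel: DROP IN=eth0 OUT= "
    "SRC=10.9.8.7 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=12345 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=512 SEQ=1",
]

KERNEL_TS_RE = re.compile(r'^\[\s*\d+\.\d+\]\s*')
# Strict dotted quad: every octet 0-255, no leading zeros, nothing trailing.
IPV4_RE = re.compile(r'^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}'
                     r'(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$')
TCP_FLAGS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG', 'CWR', 'ECE'}


def is_valid_ipv4(addr):
    return IPV4_RE.match(addr) is not None


def parse_iptables_log(line, ignore_kernel_timestamp=True):
    """Split a syslog'd Netfilter LOG message into a dict of header fields."""
    msg = line.split('kernel: ', 1)[1]
    if ignore_kernel_timestamp:
        msg = KERNEL_TS_RE.sub('', msg)   # drop "[ 4711.123456] " if present
    tokens = msg.split()
    # The logging prefix is everything before the first IN= token.
    in_idx = next((i for i, t in enumerate(tokens) if t.startswith('IN=')), None)
    if in_idx is None:
        raise ValueError(f"not an iptables LOG message: {line!r}")
    pkt = {'prefix': ' '.join(tokens[:in_idx]), 'flags': set()}
    in_ip_header = True
    for tok in tokens[in_idx:]:
        if tok.startswith('PROTO='):
            in_ip_header = False          # fields after PROTO= belong to TCP/UDP/ICMP
        if '=' not in tok:
            pkt['flags'].add(tok)         # SYN, ACK, DF, ... are bare tokens
            continue
        key, val = tok.split('=', 1)
        if not in_ip_header and pkt.get('PROTO') == 'ICMP' and key in ('ID', 'SEQ'):
            key = 'ICMP_' + key           # keep icmp_id/icmp_seq apart from id/seq
        pkt[key] = val
    for fld in ('SRC', 'DST'):
        if not is_valid_ipv4(pkt.get(fld, '')):
            raise ValueError(f"bad {fld} address in {line!r}")
    return pkt


# Snort keyword -> iptables log field (after the ICMP renaming above).
KEYWORD_FIELD = {
    'ttl': 'TTL', 'id': 'ID', 'seq': 'SEQ', 'ack': 'ACK', 'window': 'WINDOW',
    'itype': 'TYPE', 'icode': 'CODE', 'icmp_id': 'ICMP_ID', 'icmp_seq': 'ICMP_SEQ',
    'psad_ip_len': 'LEN',
}

# Constructed rule set. The ipEye entry is modelled on the Snort "SCAN ipEye SYN
# scan" rule; its seq value is from memory and is an assumption to verify.
RULES = [
    {'msg': 'SCAN ipEye SYN scan', 'proto': 'TCP', 'flags': {'SYN'}, 'seq': 1958810375},
    {'msg': 'BAD-TRAFFIC same SRC/DST', 'sameip': True},
    {'msg': 'ICMP echo request, 92-byte IP length', 'proto': 'ICMP',
     'itype': 8, 'icode': 0, 'psad_ip_len': 92},
]


def rule_matches(rule, pkt):
    if 'proto' in rule and pkt.get('PROTO') != rule['proto']:
        return False
    # flags: the TCP flags present in the packet must be exactly the rule's set.
    if 'flags' in rule and (pkt['flags'] & TCP_FLAGS) != rule['flags']:
        return False
    if rule.get('sameip') and pkt['SRC'] != pkt['DST']:
        return False
    for kw, field in KEYWORD_FIELD.items():
        # A keyword testing a field the kernel did not log (SEQ/ACK without
        # --log-tcp-sequence) cannot match, so the rule fails closed.
        if kw in rule and (field not in pkt or int(pkt[field]) != rule[kw]):
            return False
    return True


def match_rules(pkt, rules=RULES):
    return [r['msg'] for r in rules if rule_matches(r, pkt)]


if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        pkt = parse_iptables_log(line)
        print(pkt['prefix'], pkt['SRC'], '->', pkt['DST'], match_rules(pkt))
```

Two details carry the security-relevant lessons from the notes: without stripping the kernel timestamp the logging prefix is read as "[ 4711.123456] DROP", so prefix-based filters such as AUTO_BLOCK_REGEX would silently stop matching; and the ipEye rule only fires when the kernel was told to log TCP sequence numbers, which is why the SEQ/ACK parsing fix mattered.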
Release Notes: IPTables::ChainMgr has been completely reworked to support the return of iptables error messages that are collected via stderr. The ability has been added to specify the position for both the jump rule into the psad chains as well as the position for new rules within the psad chains via the -I argument to iptables. The _debug option in the IPTables::ChainMgr module has been populated, and a _verbose option has been added so that the specific iptables commands can actually be seen as IPTables::ChainMgr functions are called. There is a bugfix for an incorrect config variable name that gated Netfilter prerequisite checks.
Release Notes: ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX were added to allow filtering on logging prefixes. The classification.config file from Snort-2.3.3 was added so that psad can assign danger levels based upon Snort rule class type. snort_rule_dl was added to allow psad to assign specific danger level values to particular signatures. Running fwsnort is also necessary to take advantage of this feature. reference.config was added so that psad can include reference information in email alerts that are derived from attacks detected by fwsnort. The signatures were updated to those from Snort 2.3.3. whois was updated to 4.7.13.