Projects / Port Scan Attack Detector

Port Scan Attack Detector

The Port Scan Attack Detector (psad) is a collection of three system daemons that are designed to work with the Linux iptables firewalling code to detect port scans and other suspect traffic. It features a set of highly configurable danger thresholds (with sensible defaults), verbose alert messages, email alerting, DShield reporting, and automatic blocking of offending IP addresses. Psad incorporates many of the packet signatures included in Snort to detect various kinds of suspicious scans, and implements the same passive OS fingerprinting algorithm used by p0f.

Operating Systems

Recent releases

  •  03 Jan 2013 04:46

    Release Notes: This release added support for detection of Topera IPv6 scans, Nmap IP protocol scan detection (nmap -sO), a new test suite, email throttling, and per-danger level auto response timeouts.

    •  21 Apr 2012 17:34

      Release Notes: This release adds detection of IPv6 attacks and malicious traffic by parsing ip6tables logs, validation of ICMP6 type/code combinations, a new comprehensive test suite in the test/ directory, a 15% speedup over previous psad releases, a bugfix for the &LOG_DAEMON() error noticed by a few users, and a bugfix for the "qw() used as parentheses" warning for recent versions of Perl.

      •  21 Feb 2009 20:55

        Release Notes: SELinux policy files were added to make psad compatible with SELinux. The files are located in a new "selinux" directory in the sources. A bug was fixed in which local server ports were not reported correctly under netstat parsing. A bug was fixed in the start() function in the Gentoo init script which caused psad to not be started and the error "* ERROR: psad failed to start" to be generated. A bug that occurred when ENABLE_SYSLOG_FILE is enabled was fixed.

        •  22 Aug 2008 14:14

          Release Notes: This release restructures Perl module paths to make it easy to introduce a "nodeps" distribution of psad that does not contain any Perl modules. This allows better integration with systems that already have all necessary modules installed (including the IPTables::ChainMgr and IPTables::Parse modules). The main driver for this work is to make all projects easily integrated with distributions based on Debian. A bugfix has been made to honor the IPT_SYSLOG_FILE variable in --Analyze-msgs mode. A switch has been made from the deprecated bleeding-all.rules file to the new emerging-all.rules available from Emerging Threats.

          •  13 Jun 2008 14:01

            Release Notes: This release enables IPT_SYSLOG_FILE by default. This is a relatively important change, since it changes the default method of acquiring iptables log data from reading it from a named pipe from syslog to just parsing the /var/log/messages file. The whois client has been updated to version 4.7.26, Bit::Vector to 6.4, and Date::Calc to 5.4.


            Project Spotlight


            A Fluent OpenStack client API for Java.


            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.