Release Notes: SELinux policy files were added to make psad compatible with SELinux. The files are located in a new "selinux" directory in the sources. A bug was fixed in which local server ports were not reported correctly under netstat parsing. A bug was fixed in the start() function in the Gentoo init script which prevented psad from starting and generated the error "* ERROR: psad failed to start". A bug that occurred when ENABLE_SYSLOG_FILE was enabled was fixed.
Release Notes: A --gnuplot mode was added so that psad can output data that is suitable for plotting with gnuplot. The ability to negate match conditions on fields specified with the --CSV-fields argument was added. The Storable-2.16 module was added along with the --use-store-file argument so that in --gnuplot mode the Gnuplot data can be stored on disk and retrieved quickly. --analysis-fields was added so that the iptables log messages parsed in -A mode can be restricted to those that meet certain criteria.
Release Notes: This release adds support for the Snort keywords ttl, id, seq, ack, window, icmp_id, icmp_seq, itype, icode, ipopts, and sameip. It adds support for automatically downloading signature updates from the cipherdyne.org website. It has better --Analyze output that includes the top attackers, scanned ports, and signature matches. CSV output has been added so that Netfilter logs can be visualized with the AfterGlow project. There is an auto-response bugfix so that the response config is re-initialized after receiving a HUP signal.
Release Notes: ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX were added to allow filtering on logging prefixes. The classification.config file from Snort-2.3.3 was added so that psad can assign danger levels based upon Snort rule class type. snort_rule_dl was added to allow psad to assign specific danger level values to particular signatures. Running fwsnort is also necessary to take advantage of this feature. reference.config was added so that psad can include reference information in email alerts that are derived from attacks detected by fwsnort. The signatures were updated to those from Snort 2.3.3. whois was updated to 4.7.13.
Release Notes: This release adds MAC address reporting in psad email alerts. It adds a --fw-rm-block-ip option to allow IP addresses to be removed from the auto-blocking chains from the command line. It updates command line firewall arguments to write commands to the AUTO_IPT_SOCK domain socket. It adds the ability to specify ports and port ranges in the auto_dl file. There is a bugfix in the installer to seek() to the end of the fwdata file instead of reading the entire thing into memory. There is a bugfix for psad repeatedly trying to remove the same IP address(es) from the auto-blocking chains.
Release Notes: Updated to Snort-2.3 rules. An IPTables::ChainMgr module has been added to manage Netfilter auto-blocking rules within custom chains created by psad. An IPT_AUTO_CHAIN keyword has been added to configure the set of chains used by psad. There is a bugfix for distinguishing the OPT field associated with --log-tcp-options from the one associated with --log-ip-options. The ability to import an IP into the Netfilter auto-blocking chains from the command line with --fw-block-ip has been added (this allows a running psad process to manage blocking rule timeouts). The dependency on the sendmail command has been removed unless DShield alerting is enabled.
Release Notes: p0f-style passive OS fingerprinting has been added through the use of the OPT field in iptables log messages (which is only logged through the use of the --log-tcp-options command line arg to iptables). There is a bugfix for iptables log messages that include TCP sequence numbers (see the iptables --log-tcp-sequence command line argument). There is a bugfix for the O_RDONLY open flag when kmsgsd receives a HUP signal.
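As an added example (not psad's own code), here is a small Python parser for the iptables LOG format these two entries describe: it keeps SEQ=/ACK= from --log-tcp-sequence as fields rather than mistaking ACK=0 for the ACK flag, decides whether an OPT group holds IP options or TCP options by whether it appears before or after PROTO=, and decodes the TCP options into the WINDOW/TTL/DF/MSS/window-scale tuple that p0f-style passive fingerprinting compares. The two log lines are constructed samples; the field names are the ones iptables emits.

```python
import re
# Constructed sample iptables LOG lines (not from the page): the first was logged
# with --log-tcp-options and --log-tcp-sequence, the second with --log-ip-options.
TCP_OPTS_LINE = (
    "Jan  1 00:00:01 host kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:"
    "88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 SEQ=123456789 ACK=0 WINDOW=5840 "
    "RES=0x00 SYN URGP=0 OPT (020405B40402080A000000000000000001030307)")
IP_OPTS_LINE = (
    "Jan  1 00:00:02 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 "
    "LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=1 OPT (83030400) PROTO=TCP SPT=40001 "
    "DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0")
KV_RE = re.compile(r"(\w+)=(\S*)")        # SRC=..., SEQ=..., ACK=0 (the field, not the flag)
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def decode_tcp_options(hexstr):
    """Walk the TCP option bytes; keep MSS and window scale, skip the rest safely."""
    raw, opts, i = bytes.fromhex(hexstr), {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                         # end-of-option-list
            break
        # NOP (kind 1) has no length byte; every other option carries one
        length = 1 if kind == 1 else (raw[i + 1] if i + 1 < len(raw) else 0)
        if kind != 1 and (length < 2 or i + length > len(raw)):
            break                             # truncated or malformed: stop, do not overrun
        if kind == 2 and length == 4:
            opts["mss"] = int.from_bytes(raw[i + 2:i + 4], "big")
        elif kind == 3 and length == 3:
            opts["wscale"] = raw[i + 2]
        i += length
    return opts

def parse_iptables_log(line):
    """KEY=VALUE fields, bare flag tokens, and OPT data keyed by position:
    an OPT group before PROTO= holds IP options, one after it holds TCP options."""
    fields = dict(KV_RE.findall(line))
    fields["flags"] = sorted(t for t in line.split() if t in FLAG_TOKENS)
    proto_at = line.find(" PROTO=")
    proto_at = len(line) if proto_at < 0 else proto_at    # no PROTO=: OPT is IP-level
    for m in OPT_RE.finditer(line):
        fields["ip_opt" if m.start() < proto_at else "tcp_opt"] = m.group(1)
    if "tcp_opt" in fields:
        fields["tcp_opts"] = decode_tcp_options(fields["tcp_opt"])
    o = fields.get("tcp_opts", {})            # WINDOW:TTL:DF:MSS:WSCALE tuple p0f-style matching compares
    fields["p0f_sig"] = "%s:%s:%d:%s:%s" % (fields.get("WINDOW"), fields.get("TTL"),
        "DF" in fields["flags"], o.get("mss", "*"), o.get("wscale", "*"))
    return fields
```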
Release Notes: Bidirectional iptables auto-blocking support was added for all chains except for the INPUT and OUTPUT chains. Syslog message support was improved when run in auto-blocking mode. An iptables auto-block rules section was added to --Status output. An init script for Fedora systems was added. The default_log() function was added to IPTables::Parse. This function parses user-defined chains in an effort to find default logging rules. A bugfix was made for the init script directory on Slackware systems. The --whois-analysis argument was added, since whois lookups are now disabled by default when running in analysis (-A) mode.
Release Notes: This release removes FW_MSG_SEARCH from psad.conf, creates a new configuration file "fw_search.conf" that both psad and kmsgsd use to get the FW_MSG_SEARCH definition(s), adds a default mode of parsing all iptables messages instead of just those that contain specific search strings, adds the configuration variable "FW_SEARCH_ALL" to fw_search.conf that controls this mode, updates psad and kmsgsd so that multiple firewall search strings can be specified through multiple FW_MSG_SEARCH variables in fw_search.conf, and adds iptables chain and logging-prefix tracking for the current scan interval to email alerts.
Release Notes: Nearly 100 signatures from the Snort IDS have been added. Source and destination network processing has been added to the signature matching code. Chain tracking has been added for all signatures. Firewall policy parsing routines have been re-worked. Chains that have a default policy of DROP are handled properly now. There is a buffer overflow bugfix in kmsgsd.c for the size of the buf[MAX_LINE_BUF] buffer in the read() call. Support for the iptables OUTPUT chain and support for metalog have been added.