Release Notes: This release restructures Perl module paths to make it easy to introduce a "nodeps" distribution of psad that does not contain any Perl modules. This allows better integration with systems that already have all necessary modules installed (including the IPTables::ChainMgr and IPTables::Parse modules). The main driver for this work is to make all cipherdyne.org projects easily integrated with distributions based on Debian. A bugfix has been made to honor the IPT_SYSLOG_FILE variable in --Analyze-msgs mode. A switch has been made from the deprecated bleeding-all.rules file to the new emerging-all.rules available from Emerging Threats.
Release Notes: This release enables IPT_SYSLOG_FILE by default. This is a relatively important change, since it changes the default method of acquiring iptables log data from reading it from a named pipe from syslog to just parsing the /var/log/messages file. The whois client has been updated to version 4.7.26, Bit::Vector to 6.4, and Date::Calc to 5.4.
Release Notes: A new feature whereby iptables log data can be acquired just by parsing an existing file (/var/log/messages by default) that is written to by syslog was added. Better installation support was provided for various Linux distributions, including Fedora 8 and Ubuntu. Situations where either the /var/log/psad/fwdata file or the /var/log/messages file (whichever syslog is writing iptables log messages to) gets rotated are now handled automatically.
Release Notes: Integration with fwsnort was improved, so psad signature match syslog messages and email alerts now include the fwsnort rule number (for fwsnort version 0.9.0 and greater) and chain information. The Snort bleeding-all.rules signature file from the Bleeding Snort project was added. uname, ifconfig, and syslog process information were added to --Dump-conf output. The psad.SlackBuild script was added for building psad on Slackware systems. It uses the Cipherdyne cd_rpmbuilder script to first build an RPM, and then uses it to build a Slackware package.
Release Notes: Snort rule matches were added to syslog alerts. Multiple matches can be controlled with new configuration variables in psad.conf: ENABLE_SIG_MSG_SYSLOG, SIG_MSG_SYSLOG_THRESHOLD, and SIG_SID_SYSLOG_THRESHOLD. A bugfix was made to include scanned UDP port ranges in syslog alerts. A bugfix was made to parse SEQ and ACK iptables log message fields. This allows the ipEye signature to work. --debug-sid was added to allow a specific Snort rule to be debugged while psad runs it through its detection engine. A bugfix was made to allow logging prefixes to omit trailing spaces.
Release Notes: The ability to download the latest signatures from cipherdyne.org in install.pl was added. The cd_rpmbuilder script was added to make it easy to build RPMs out of CipherDyne projects by automatically downloading the project .tar.gz and .spec files from http://www.cipherdyne.org/. MIN_DANGER_LEVEL was added to allow all alerts and /var/log/psad/IP tracking to be disabled unless an attacker reaches at least this danger level. A bug in which elements of the connected_subnets_cidr array were not properly included was fixed. A bug was fixed so that more than TOP_IP_LOG_THRESHOLD IP addresses are not printed in the top attackers section.
Release Notes: The Nachi worm reconnaissance ICMP signature was added. The psad_ip_len signature keyword was added to allow the length field in the IP header to be explicitly tested. Inappropriate removal of some directories in @INC when splicing in psad Perl module paths was fixed. The nf2csv installation path in install.pl was switched to /usr/bin/.
Release Notes: This release adds the ability to get the auto-blocking status for a specific IP address in --status-ip mode. There is a bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration variables. There is a bugfix to restore "start" functionality in the Gentoo init script. The ability to selectively disable psad auto-blocking email messages has been added. A more rigorous IP matching regex has been added.
Release Notes: IPTables::ChainMgr has been completely reworked to support the return of iptables error messages that are collected via stderr. The ability has been added to specify the position for both the jump rule into the psad chains as well as the position for new rules within the psad chains via the -I argument to iptables. The _debug option in the IPTables::ChainMgr module has been populated, and a _verbose option has been added so that the specific iptables commands can actually be seen as IPTables::ChainMgr functions are called. There is a bugfix for an incorrect config variable name that gated Netfilter prerequisite checks.
Release Notes: Bugfix for various IGNORE_* keywords not being honored. Updated to version 0.2 of the IPTables::ChainMgr module. Updated to not truncate the fwdata file upon psad startup. --fw-dump, which produces a sanitized (i.e. no IP addresses) version of the local Netfilter policy, has been added. ulogd data collection mode has been added. There is a bugfix for FW_MSG_SEARCH default (at least "DROP" is included now, even if FW_SEARCH_ALL is set to "N"). Email alert prefixes (such as "[psad-alert]") are customizable via psad.conf.