Software Release - psad-2.2.1
02 January, 2013
The 2.2.1 release of psad is available for download. This release adds new support for detecting a type of scan that psad has been previously blind to - IP protocol scanning (nmap -sO). Also in this release is the ability to detect Topera IPv6 scans and differentiate them from Nmap IPv6 scans. Other important changes include a new test suite, email throttling, and auto blocking timeouts that can be set for each danger level. Here is the complete ChangeLog:- Added IP protocol scan detection (nmap -sO). A new psad.conf variable PROTOCOL_SCAN_THRESHOLD defines the minimum number of different IP protocols (default = 5) that must be scanned before an alert is triggered.
- Added detection for Topera IPv6 scans when --log-ip-options is used in
the ip6tables logging rule. When this option is not used, the previous
psad-2.2 release detected Topera scans. An example TCP SYN packet
generated by Topera when --log-ip-options is used looks like this (note
the series of empty IP options strings "OPT ( )":
Dec 20 20:10:40 rohan kernel: [ 488.495776] DROP IN=eth0 OUT= MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd SRC=2012:1234:1234:0000:0000:0000:0000:0001 DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64 FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN URGP=0
- Bug fix in --Analyze mode when IP fields are to be searched with the
--analysis-fields argument (such as --analysis-fields "SRC:1.2.3.4").
The bug was reported by Gregorio Narvaez, and looked like this:
Use of uninitialized value $_[0] in length at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126. Use of uninitialized value $_[0] in length at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126. Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be 128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into ../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.
- Added --stdin argument to allow psad to collect iptables log data from
STDIN in --Analyze mode. This makes it easier to run an iptables logs
through psad from arbitrary files like so:
# grep "IN=.*OUT=" /var/log/kern.log | psad -A --stdin
- Added the ability to acquire Snort rule 'msg' fields from fwsnort if it's also installed. A new variable FWSNORT_RULES_DIR tells psad where to look for the fwsnort rule set. This fixes a problem reported by Pui Edylie to the psad mailing list where fwsnort logged an attack that psad could not map back to a descriptive 'msg' field.
- Added the ability to set per-danger level timeouts when psad is configured to run in auto-blocking mode. These timeouts are implemented with new AUTO_BLOCK_DL*_TIMEOUT variables - one for each of the five possible danger levels that may be assigned to a scanning IP address.
- Added the ability to throttle emails generated by psad via a new EMAIL_THROTTLE variable which is implemented as a per-IP threshold. That is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as many emails for each scanning IP as it would have normally.