psad 1.4.6

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic.

psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap.

When combined with fwsnort, psad is capable of detecting approximately 50% of all Snort rules, including those that inspect the application portion of IP packets. In addition, psad makes use of various packet header fields associated with TCP SYN packets to passively fingerprint remote operating systems (in a manner similar to p0f) from which scans originate. For more information, see the complete list of features offered by psad.

psad is developed with three main principles in mind:

Good network security starts with a properly configured firewall.
A significant amount of intrusion detection data can be gleaned from firewall logs, especially if the logs provide information on nearly every field of the network and transport headers (and even application layer signature matches, as in Netfilter's case).
Suspicious traffic should not be detected at the expense of trying to also block such traffic.

What's New in This Release:

Added ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX to allow filtering on logging prefixes.
Added code to save DShield email to a file.
Added IPTABLES_PREREQ_CHECK to allow the administrator to control the frequency of Netfilter checks (for auto-block compatibility).
Added IGNORE_LOG_PREFIXES to allow certain log prefixes to be completely ignored by psad.
Added classification.config file from Snort-2.3.3 so that psad can assign danger levels based upon Snort rule class type. This is useful when also running fwsnort.
Added snort_rule_dl to allow psad to assign specific danger level values to particular signatures. This is useful if you want to define certain Snort rules as being particularly evil (or not). Running fwsnort is also necessary to take advantage of this feature.
Added reference.config so that psad can include reference information in email alerts that are derived from attacks detected by fwsnort.
Updated to Snort-2.3.3 signatures.
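To make concrete what "analyzing Netfilter log messages" for FIN/NULL/XMAS probes and "filtering on logging prefixes" involve, here is a small added Python illustration; it is not psad's own (Perl) code, and its ignore_prefixes/threshold handling is only a loose, assumed model of what IGNORE_LOG_PREFIXES and psad's scan thresholds do. The log lines are constructed samples in the format the iptables LOG target writes to syslog.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the iptables LOG target writes to
# syslog (not real traffic); "DROP" and "ACCEPT" stand in for --log-prefix values.
SAMPLE_LOGS = [
    "Jul 13 11:05:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 URGP=0",
    "Jul 13 11:05:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=80 FIN PSH URG URGP=0",
    "Jul 13 11:05:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=443 FIN URGP=0",
    "Jul 13 11:05:02 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0",
    "Jul 13 11:05:03 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25 URGP=0",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}  # printed as bare words
# Flag combinations of the NULL, FIN and XMAS probes mentioned above (no SYN, no ACK).
SCAN_TYPES = {frozenset(): "NULL", frozenset({"FIN"}): "FIN", frozenset({"FIN", "PSH", "URG"}): "XMAS"}

def parse_line(line):
    """Split one LOG line into (log prefix, KEY=VALUE fields, set of TCP flags); None if not a LOG line."""
    _, sep, rest = line.partition("kernel: ")
    idx = rest.find("IN=")
    if not sep or idx < 0:
        return None
    body = rest[idx:]
    fields = dict(FIELD_RE.findall(body))
    flags = {tok for tok in body.split() if tok in FLAG_TOKENS}
    return rest[:idx].strip(), fields, flags

def scan_type(flags):
    """Name the stealth-scan type a TCP flag set corresponds to, or None."""
    return SCAN_TYPES.get(frozenset(flags))

def analyze(lines, ignore_prefixes=(), threshold=3):
    """Per source IP, collect distinct destination ports hit by NULL/FIN/XMAS probes.
    Lines whose prefix starts with an ignore_prefixes entry are skipped (the idea behind
    IGNORE_LOG_PREFIXES); sources reaching `threshold` distinct ports are reported."""
    per_src = defaultdict(lambda: {"ports": set(), "types": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, fields, flags = parsed
        if any(prefix.startswith(p) for p in ignore_prefixes):
            continue
        kind = scan_type(flags) if fields.get("PROTO") == "TCP" else None
        if kind is None or "DPT" not in fields:
            continue
        per_src[fields["SRC"]]["ports"].add(int(fields["DPT"]))
        per_src[fields["SRC"]]["types"].add(kind)
    return {s: e for s, e in per_src.items() if len(e["ports"]) >= threshold}
```

Running analyze(SAMPLE_LOGS) reports 192.0.2.10 with four probed ports and all three probe types, while the lone SYN from 203.0.113.7 is ignored; passing ignore_prefixes=("DROP",) suppresses the report entirely, which is the effect a too-broad ignore list would have.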

last updated on: July 13th, 2006, 11:05 GMT
price: FREE!
developed by: Michael Rash
license type: GPL (GNU General Public License)
category: ROOT \ System \ Networking
