psad: Intrusion Detection and Log Analysis with iptables
deps updated to IPTables::Parse 1.4
init-scripts moved psad upstart config to psad.conf (meant to be copied to /etc/in…
packaging bumped version to 2.4.1
patches updated iptables trailing space link
selinux (Miroslav Grepl) Contributed policy file to make psad compatible with…
test added config vars to enable/disable whois and reverse DNS lookups
BENCHMARK finished removing ipchains stuff
CREDITS Bug fix to apply EMAIL_ALERT_DANGER_LEVEL threshold to auto-blocking …
ChangeLog Fixed typo
ChangeLog.git changes since 2.4.0
FW_EXAMPLE_RULES documentation updates
FW_HELP added FW_HELP file
INSTALL added PERL5LIB env variable so module installs can reference the curr…
LICENSE updated to supply all email addresses in a single string to the mail …
Makefile Removed "$Id$" tags (meaningless for git)
README minor copyright update
README.RPM added usage info
README.SYSLOG Minor wording update for syslog messages parsing
SCAN_LOG Minor update Netfilter -> iptables wording
VERSION bumped version to 2.4.1
auto_dl minor auto_dl spacing update Removed "$Id$" tags (meaningless for git) Changed all '_aref' instances to '_ar'
config_vars.conf minor update to deleted old config file references Removed "$Id$" tags (meaningless for git)
fwcheck_psad.8 applied man page spelling fix from Franck restore test suite success for --fw-analyze cycle
icmp6_types validate ICMP6 type+code fields
icmp_types validate ICMP6 type+code fields
install.answers.example Added install.answers.example file to illustrate answers t… minor copyright update
ip_options Removed "$Id$" tags (meaningless for git)
kmsgsd.8 applied man page spelling fix from Franck
kmsgsd.c INSTALL_ROOT resolution bug fix (found by Kat)
logrotate.psad added logrotate.psad file from Albert Whale
nf2csv bumped version to 2.4.1
nf2csv.1 dash fixes from Franck Removed "$Id$" tags (meaningless for git)
pf.os Updated to the latest p0f signatures from OpenBSD
posf Removed "$Id$" tags (meaningless for git)
protocols added 'protocols' file in support of IP protocol scan detection (nmap…
psad Bug fix to apply EMAIL_ALERT_DANGER_LEVEL threshold to auto-blocking …
psad.8 minor --stdin usage text addition
psad.conf added config vars to enable/disable whois and reverse DNS lookups
psad.h fix psad version in psad.h
psad_funcs.c minor bug fix in psadwatchd to not have duplicate '/' in directory path
psadwatchd.8 applied man page spelling fix from Franck
psadwatchd.c remove any trailing newline char for pid value
pscan Removed "$Id$" tags (meaningless for git)
signatures minor signature msg field typo fix Minor update Netfilter -> iptables wording
snort_rule_dl Removed "$Id$" tags (meaningless for git)
strlcat.c added strlcat.c from OpenBSD
strlcpy.c added strlcpy.c from OpenBSD completed IP protocol scan detection task


psad (Port Scan Attack Detector)
Version:  2.2.6
Author:   Michael Rash (

Thanks to: (see the CREDITS file).


    The Port Scan Attack Detector (psad) is a collection of two lightweight
system daemons written in Perl and in C that are designed to work with Linux
iptables firewalling code to detect port scans and other suspect traffic.  It
features a set of highly configurable danger thresholds (with sensible
defaults provided), verbose alert messages that include the source,
destination, scanned port range, begin and end times, TCP flags and
corresponding nmap options, reverse DNS info, email and syslog alerting,
automatic blocking of offending IP addresses via dynamic configuration of
iptables rulesets, passive operating system fingerprinting, and DShield
reporting.  In addition, psad incorporates many of the TCP, UDP, and ICMP
signatures included in the Snort intrusion detection system
( to detect highly suspect scans for various backdoor
programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft),
and advanced port scans (SYN, FIN, Xmas) which are easily leveraged against a
machine via nmap.  psad can also alert on Snort signatures that are logged
via fwsnort, which makes use of the iptables string match module to detect
application layer signatures.


    Information on config keywords referenced by psad may be found both in the
psad(8) man page, and also here:


    All information psad analyzes is gathered from iptables log messages.
psad by default reads the /var/log/messages file for new iptables messages and
optionally writes them out to a dedicated file (/var/log/psad/fwdata).
psad is then responsible for applying the danger threshold and signature logic
in order to determine whether or not a port scan has taken place, send
appropriate alert emails, and (optionally) block offending ip addresses.  psad
includes a signal handler such that if a USR1 signal is received, psad will
dump the contents of the current scan hash data structure to
/var/log/psad/scan_hash.$$ where "$$" represents the pid of the running psad
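As an added illustration of the analysis step described above (this is my own example, not code from psad), the script below parses the iptables LOG lines psad reads from /var/log/messages, builds a per-source scan hash, and assigns a danger level. The log lines are constructed (RFC 5737 documentation addresses), the packet-count thresholds are illustrative values I chose rather than the DANGER_LEVEL settings psad takes from psad.conf, and the flag-to-nmap-option table is mine.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines from an iptables LOG rule with prefix "DROP ",
# using RFC 5737 documentation addresses: six SYN-only probes from one host,
# one UDP packet from another, and one non-firewall line that must be ignored.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4421 PROTO=UDP SPT=5353 DPT=53 LEN=40
Mar 10 12:00:09 fw sshd[412]: Accepted publickey for admin from 192.0.2.50 port 51022 ssh2
"""

FIELD_RE = re.compile(r'(\w+)=(\S*)')
TCP_FLAG_TOKENS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG'}

# TCP flag combinations and the nmap option that produces them (psad reports
# the "corresponding nmap options" in its alerts; this table is my own).
NMAP_SCAN_TYPES = {
    frozenset({'SYN'}): '-sS',
    frozenset({'ACK'}): '-sA',
    frozenset({'FIN'}): '-sF',
    frozenset({'FIN', 'PSH', 'URG'}): '-sX',
    frozenset(): '-sN',
}

# Packet-count thresholds per danger level. Illustrative values (an assumption);
# psad takes its own from the DANGER_LEVEL settings in psad.conf.
DANGER_THRESHOLDS = ((1, 5), (2, 15), (3, 150), (4, 1500), (5, 10000))


def parse_line(line):
    """Parse one syslog line. Returns a dict of the KEY=VALUE fields plus a
    'FLAGS' set of bare TCP flag tokens, or None if it is not an iptables log line."""
    if 'IN=' not in line or 'PROTO=' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields['FLAGS'] = {tok for tok in line.split() if tok in TCP_FLAG_TOKENS}
    return fields


def danger_level(packet_count):
    """Highest danger level whose packet threshold the count meets (0 if none)."""
    level = 0
    for lvl, needed in DANGER_THRESHOLDS:
        if packet_count >= needed:
            level = lvl
    return level


def analyze(log_text):
    """Aggregate logged packets per source address, the way psad builds its
    scan hash, and assign each source a danger level."""
    per_src = defaultdict(lambda: {'packets': 0, 'ports': set(),
                                   'protos': set(), 'scan_types': set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        e = per_src[f['SRC']]
        e['packets'] += 1
        e['protos'].add(f['PROTO'])
        if f.get('DPT'):
            e['ports'].add(int(f['DPT']))
        if f['PROTO'] == 'TCP':
            scan = NMAP_SCAN_TYPES.get(frozenset(f['FLAGS']))
            if scan:
                e['scan_types'].add(scan)
    report = {}
    for src, e in per_src.items():
        report[src] = {
            'packets': e['packets'],
            'protos': sorted(e['protos']),
            'port_range': (min(e['ports']), max(e['ports'])) if e['ports'] else None,
            'scan_types': e['scan_types'],
            'danger_level': danger_level(e['packets']),
        }
    return report


if __name__ == '__main__':
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
```

The six SYN probes from 203.0.113.7 cross the (illustrative) level-1 threshold and are reported with port range 21-443 and scan type -sS; the single UDP packet from 198.51.100.4 stays at level 0, and the sshd line is skipped because it carries no iptables fields.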

    NOTE:  Since psad relies on iptables to generate appropriate log messages
for unauthorized packets, psad is only as good as the logging rules included
in the iptables ruleset.  Usually the best way to set up the firewall is with
default "drop and log" rules at the end of the ruleset, and include rules
above this last rule that only allow traffic that should be allowed through.
Upon execution, the psad daemon will attempt to ascertain whether or not such
a default deny rule exists, and will warn the administrator if it doesn't.
See the FW_EXAMPLE_RULES file for example firewall rulesets that are
compatible with psad.
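The check psad performs at startup can be reproduced offline against iptables-save output. The following is an added example of my own (not psad's implementation of that check): it reports, per chain, whether traffic reaching the end of the chain is logged before being dropped, dropped silently (psad would see nothing), or not denied at all. Both rulesets are constructed for the example.

```python
import shlex
from collections import defaultdict

# LOG target options; they do not narrow what a rule matches, so a LOG rule
# that carries only these is still a catch-all.
LOG_VALUE_OPTS = {'--log-prefix', '--log-level'}
LOG_FLAG_OPTS = {'--log-ip-options', '--log-tcp-options',
                 '--log-tcp-sequence', '--log-uid'}
DENY_TARGETS = {'DROP', 'REJECT'}

# Constructed iptables-save output. INPUT ends with a catch-all LOG + DROP pair
# (what psad needs); FORWARD drops silently, so psad never sees that traffic.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
"""

# A second constructed ruleset with no default deny at all.
OPEN_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Split an '-A CHAIN ... -j TARGET' line into (chain, target, is_catch_all).
    shlex handles the quoted --log-prefix value."""
    toks = shlex.split(line)
    chain, target, match_toks = toks[1], None, []
    i = 2
    while i < len(toks):
        if toks[i] == '-j':
            target = toks[i + 1]
            i += 2
        elif toks[i] in LOG_VALUE_OPTS:
            i += 2
        elif toks[i] in LOG_FLAG_OPTS:
            i += 1
        else:
            match_toks.append(toks[i])
            i += 1
    return chain, target, not match_toks


def audit_default_deny(save_text, chains=('INPUT', 'FORWARD')):
    """For each chain, return 'ok' (catch-all LOG immediately before the final
    deny, or a catch-all LOG as last rule with a DROP/REJECT policy),
    'drop_without_log' (denied but never logged) or 'no_default_deny'."""
    policies, rules = {}, defaultdict(list)
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith(':'):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith('-A '):
            chain, target, catch_all = parse_rule(line)
            rules[chain].append((target, catch_all))
    report = {}
    for chain in chains:
        rs = rules.get(chain, [])
        last = rs[-1] if rs else (None, False)
        prev = rs[-2] if len(rs) > 1 else (None, False)
        final_rule_denies = last[1] and last[0] in DENY_TARGETS
        policy_denies = policies.get(chain) in DENY_TARGETS
        if final_rule_denies and prev == ('LOG', True):
            report[chain] = 'ok'
        elif policy_denies and last == ('LOG', True):
            report[chain] = 'ok'
        elif final_rule_denies or policy_denies:
            report[chain] = 'drop_without_log'
        else:
            report[chain] = 'no_default_deny'
    return report


if __name__ == '__main__':
    print(audit_default_deny(SAMPLE_SAVE))   # INPUT ok, FORWARD drop_without_log
    print(audit_default_deny(OPEN_SAVE))     # both chains no_default_deny
```

One caveat for real rulesets: a final LOG rule rate-limited with `-m limit` is common and still feeds psad, but this simple check treats the limit match as narrowing the rule and will not count it as a catch-all; extend parse_rule to ignore limit-match tokens if that layout is in use.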

Additionally, extensive coverage of psad is included in the book "Linux
Firewalls: Attack Detection and Response" published by No Starch Press, and a
supporting script in this book is compatible with psad.  This script can be
found here:


    See the INSTALL file in the psad sources directory.


    See the FW_HELP file in the psad sources directory.  Also, read the


    psad has been tested on RedHat 6.2 - 9.0, Fedora Core 1 and 2, and
Gentoo Linux systems running various kernels.  The only program that
specifically depends on the RedHat architecture is psad-init, which depends
on /etc/rc.d/init.d/functions.  For non-RedHat systems a more generic init
script is included called "psad-init.generic".  The psad init scripts are
mostly included as a nicety; psad can be run from the command line like any
other program.


Copyright (C) 1999-2015 Michael Rash (

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

psad makes use of many of the tcp, udp, and icmp signatures available in
Snort (written by Marty Roesch, see  Snort is a
registered trademark of Sourcefire, Inc.