Skip to content
100644 92 lines (91 sloc) 4.95 KB
b439280 @mrash added testing feature, whitespace fixes
1 - Automated tests to verify correct behavior for command line
2 options (and potentially other things such as correctness of
3 psad alerts).
d728419 @mrash more TODO stuff
4 - Take into account whether a destination port is in /etc/services for
5 the danger level calculaion. A SYN packet to tcp/22 is worse than
6 a stray SYN packet to an arbitrary high port (as long as there isn't
7 a backdoor, etc.). There are (probably) historically more
8 vulnerabilities in sshd than for some service that isn't even listed
9 in /etc/services.
10 - Idle scan detection through seeing combination of SYN/ACK and RST
11 packets (i.e. the iptables box was used as a zombie host).
efca96c @mrash .
12 - XML logging format.
d728419 @mrash more TODO stuff
13 - HTML output mode, and ability to create IP directories/pages under a
14 web root directory.
efca96c @mrash .
15 - Add the ability to to restore the "latest" syslog config
16 backup file (fwknop may have been installed for example) at uninstall
17 time.
18 - Infer NMAP scan if OPT does not exist in the iptables log (because
19 tcp options are missing)?
bbdee72 @mrash .
20 - Play with SHOW_ALL_SIGNATURES = "Y" since this may not really cause
21 hugely long email alerts. This trick would be to perhaps associate
22 a "last seen" timestamp with each old signature.
23 - MRTG scripts.
24 - Add a DNS_TIMEOUT config keyword.
25 - Add a threshold danger level for ENABLE_EXT_SCRIPT_EXEC functionality.
b439280 @mrash added testing feature, whitespace fixes
26 - Ability to remove email block for a specific ip from a running
27 psad process.
28 - Summary report emails like dshield does.
8dc3deb @mrash added prefix danger level suggestion
29 - Ability to elevate scan danger level based on specific iptables
30 prefixes.
b439280 @mrash added testing feature, whitespace fixes
31 - Replace full ascii signature listings in <ip>_signatures with sid
32 numbers and packet counts.
33 - Rework IGNORE_CONNTRACK_BUG_PKTS strategy to maximze signature
34 detection.
35 - More syslog messages from psad, psadwatchd, and kmsgsd.
36 - Put a "psad signature strategy" link in all alert emails.
37 - Module tests for
38 - Extract default behavior into psad.conf.
39 - Custom logging line upon auto-blocking an ip.
40 - Add difference notification (via syslog) for changed variables
41 after receiving a HUP signal.
42 - Include the ability to specify a network in CIDR notation with
43 --Status output.
44 - Drop root privileges if not running in auto-blocking mode.
45 - Extend to provide an option to dowload the latest perl
80bad5e @mrash removed same source email criteria
46 modules (Date::Calc, Unix::Syslog, etc.) from CPAN.
b439280 @mrash added testing feature, whitespace fixes
47 - Extend passive OS fingerprinting to make use of more types of
48 packets than just tcp/syn packets.
49 - Extend passive OS fingerprinting to include signatures from
50 Xprobe from
51 - Add a density calculation for a range of scanned ports, and also
52 add a "verbose" mode that will display which of the scanned ports
53 actually resolve to something in the IANA spec.
54 - Packet grapher mode with annotated scan alerts.
55 - Mysql database support?
bca926f @mrash more TODO stuff
56 - psad.conf option to disable signature detection; useful if fwsnort is
57 already deployed for this.
b439280 @mrash added testing feature, whitespace fixes
58 - Include a verbose message in the body of certain emails that as
59 of psad-1.0.0-pre2 only contain a subject line.
60 - Deal with the possibility that psad could eat lots of memory over
61 time if $ENABLE_PERSISTENCE="Y". This should involve periodically
62 deleting entries in %scan (or maybe the entire hash), but this
63 should be done in a way that allows some scan data to persist.
64 - Ipfilter support on *BSD platforms.
65 - Take into account syslog message summarization; i.e. "last message
66 repeated n times".
67 - Possibly add a daemon to take into account ACK PSH, ACK FIN, RST etc.
68 packets that the client may generate after the ip_conntrack module
69 is reloaded. Without anticipating such packets psad will interpret
70 them as a belonging to a port scan. NOTE: This problem is mostly
71 corrected by the conntrack patch to the kernel. Also, the
72 IGNORE_CONNTRACK_BUG_PKTS variable was added to mitigate this
73 problem.
74 - Improve check_firewall_rules() to check for a state rule (iptables)
75 since having such a rule greatly improves the quality of the data
76 stream provided to psad by kmsgsd since more packet types will be
77 denied without requiring overly complicated firewall rules to detect
78 odd tcp flag combinations.
79 - perldoc
b13f6ba @mrash Minor update Netfilter -> iptables wording
80 - Configurable iptables prerequisite checks.
9c953fc @mrash TODO enhancements
81 - Handle "pass" action on Snort rules in the signatures file. This will
82 allow ignore rules to be written in the Snort rules language itself
83 (this will far more powerful than any of the IGNORE_* keywords).
84 - Allow auto-response blocking based on either src or dst of a signature
85 match.
ad7690e @mrash more TODO stuff
86 - Include IP options decode information in email alert if a signature
87 matched against IP options.
88 - Include input/output interfaces, as well as physin and physout
89 interfaces.
1c313a5 @mrash Added IPCop integration
90 - IPCop integration.
b13f6ba @mrash Minor update Netfilter -> iptables wording
91 - Script to turn pcap files into equivalent iptables log messages.
Something went wrong with that request. Please try again.