Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Fetching contributors…
Cannot retrieve contributors at this time
92 lines (91 sloc) 4.95 KB
- Automated tests to verify correct behavior for command line
options (and potentially other things such as correctness of
psad alerts).
- Take into account whether a destination port is in /etc/services for
the danger level calculaion. A SYN packet to tcp/22 is worse than
a stray SYN packet to an arbitrary high port (as long as there isn't
a backdoor, etc.). There are (probably) historically more
vulnerabilities in sshd than for some service that isn't even listed
in /etc/services.
- Idle scan detection through seeing combination of SYN/ACK and RST
packets (i.e. the iptables box was used as a zombie host).
- XML logging format.
- HTML output mode, and ability to create IP directories/pages under a
web root directory.
- Add the ability to to restore the "latest" syslog config
backup file (fwknop may have been installed for example) at uninstall
- Infer NMAP scan if OPT does not exist in the iptables log (because
tcp options are missing)?
- Play with SHOW_ALL_SIGNATURES = "Y" since this may not really cause
hugely long email alerts. This trick would be to perhaps associate
a "last seen" timestamp with each old signature.
- MRTG scripts.
- Add a DNS_TIMEOUT config keyword.
- Add a threshold danger level for ENABLE_EXT_SCRIPT_EXEC functionality.
- Ability to remove email block for a specific ip from a running
psad process.
- Summary report emails like dshield does.
- Ability to elevate scan danger level based on specific iptables
- Replace full ascii signature listings in <ip>_signatures with sid
numbers and packet counts.
- Rework IGNORE_CONNTRACK_BUG_PKTS strategy to maximze signature
- More syslog messages from psad, psadwatchd, and kmsgsd.
- Put a "psad signature strategy" link in all alert emails.
- Module tests for
- Extract default behavior into psad.conf.
- Custom logging line upon auto-blocking an ip.
- Add difference notification (via syslog) for changed variables
after receiving a HUP signal.
- Include the ability to specify a network in CIDR notation with
--Status output.
- Drop root privileges if not running in auto-blocking mode.
- Extend to provide an option to dowload the latest perl
modules (Date::Calc, Unix::Syslog, etc.) from CPAN.
- Extend passive OS fingerprinting to make use of more types of
packets than just tcp/syn packets.
- Extend passive OS fingerprinting to include signatures from
Xprobe from
- Add a density calculation for a range of scanned ports, and also
add a "verbose" mode that will display which of the scanned ports
actually resolve to something in the IANA spec.
- Packet grapher mode with annotated scan alerts.
- Mysql database support?
- psad.conf option to disable signature detection; useful if fwsnort is
already deployed for this.
- Include a verbose message in the body of certain emails that as
of psad-1.0.0-pre2 only contain a subject line.
- Deal with the possibility that psad could eat lots of memory over
time if $ENABLE_PERSISTENCE="Y". This should involve periodically
deleting entries in %scan (or maybe the entire hash), but this
should be done in a way that allows some scan data to persist.
- Ipfilter support on *BSD platforms.
- Take into account syslog message summarization; i.e. "last message
repeated n times".
- Possibly add a daemon to take into account ACK PSH, ACK FIN, RST etc.
packets that the client may generate after the ip_conntrack module
is reloaded. Without anticipating such packets psad will interpret
them as a belonging to a port scan. NOTE: This problem is mostly
corrected by the conntrack patch to the kernel. Also, the
IGNORE_CONNTRACK_BUG_PKTS variable was added to mitigate this
- Improve check_firewall_rules() to check for a state rule (iptables)
since having such a rule greatly improves the quality of the data
stream provided to psad by kmsgsd since more packet types will be
denied without requiring overly complicated firewall rules to detect
odd tcp flag combinations.
- perldoc
- Configurable iptables prerequisite checks.
- Handle "pass" action on Snort rules in the signatures file. This will
allow ignore rules to be written in the Snort rules language itself
(this will far more powerful than any of the IGNORE_* keywords).
- Allow auto-response blocking based on either src or dst of a signature
- Include IP options decode information in email alert if a signature
matched against IP options.
- Include input/output interfaces, as well as physin and physout
- IPCop integration.
- Script to turn pcap files into equivalent iptables log messages.
Jump to Line
Something went wrong with that request. Please try again.