
replaced TODO with todo.org org mode file

commit f20a57a6a37963ea1b27931d297f0791fbca544f 1 parent eab733f
Michael Rash authored

Showing 2 changed files with 85 additions and 91 deletions.

  1. +0 91 TODO
  2. +85 0 todo.org
91 TODO
... ... @@ -1,91 +0,0 @@
1   - - Automated tests to verify correct behavior for command line
2   - options (and potentially other things such as correctness of
3   - psad alerts).
4   - - Take into account whether a destination port is in /etc/services for
5   - the danger level calculaion. A SYN packet to tcp/22 is worse than
6   - a stray SYN packet to an arbitrary high port (as long as there isn't
7   - a backdoor, etc.). There are (probably) historically more
8   - vulnerabilities in sshd than for some service that isn't even listed
9   - in /etc/services.
10   - - Idle scan detection through seeing combination of SYN/ACK and RST
11   - packets (i.e. the iptables box was used as a zombie host).
12   - - XML logging format.
13   - - HTML output mode, and ability to create IP directories/pages under a
14   - web root directory.
15   - - Add the ability to install.pl to restore the "latest" syslog config
16   - backup file (fwknop may have been installed for example) at uninstall
17   - time.
18   - - Infer NMAP scan if OPT does not exist in the iptables log (because
19   - tcp options are missing)?
20   - - Play with SHOW_ALL_SIGNATURES = "Y" since this may not really cause
21   - hugely long email alerts. This trick would be to perhaps associate
22   - a "last seen" timestamp with each old signature.
23   - - MRTG scripts.
24   - - Add a DNS_TIMEOUT config keyword.
25   - - Add a threshold danger level for ENABLE_EXT_SCRIPT_EXEC functionality.
26   - - Ability to remove email block for a specific ip from a running
27   - psad process.
28   - - Summary report emails like dshield does.
29   - - Ability to elevate scan danger level based on specific iptables
30   - prefixes.
31   - - Replace full ascii signature listings in <ip>_signatures with sid
32   - numbers and packet counts.
33   - - Rework IGNORE_CONNTRACK_BUG_PKTS strategy to maximze signature
34   - detection.
35   - - More syslog messages from psad, psadwatchd, and kmsgsd.
36   - - Put a "psad signature strategy" link in all alert emails.
37   - - Module tests for Psad.pm
38   - - Extract default behavior into psad.conf.
39   - - Custom logging line upon auto-blocking an ip.
40   - - Add difference notification (via syslog) for changed variables
41   - after receiving a HUP signal.
42   - - Include the ability to specify a network in CIDR notation with
43   - --Status output.
44   - - Drop root privileges if not running in auto-blocking mode.
45   - - Extend install.pl to provide an option to dowload the latest perl
46   - modules (Date::Calc, Unix::Syslog, etc.) from CPAN.
47   - - Extend passive OS fingerprinting to make use of more types of
48   - packets than just tcp/syn packets.
49   - - Extend passive OS fingerprinting to include signatures from
50   - Xprobe from http://www.sys-security.com.
51   - - Add a density calculation for a range of scanned ports, and also
52   - add a "verbose" mode that will display which of the scanned ports
53   - actually resolve to something in the IANA spec.
54   - - Packet grapher mode with annotated scan alerts.
55   - - Mysql database support?
56   - - psad.conf option to disable signature detection; useful if fwsnort is
57   - already deployed for this.
58   - - Include a verbose message in the body of certain emails that as
59   - of psad-1.0.0-pre2 only contain a subject line.
60   - - Deal with the possibility that psad could eat lots of memory over
61   - time if $ENABLE_PERSISTENCE="Y". This should involve periodically
62   - deleting entries in %scan (or maybe the entire hash), but this
63   - should be done in a way that allows some scan data to persist.
64   - - Ipfilter support on *BSD platforms.
65   - - Take into account syslog message summarization; i.e. "last message
66   - repeated n times".
67   - - Possibly add a daemon to take into account ACK PSH, ACK FIN, RST etc.
68   - packets that the client may generate after the ip_conntrack module
69   - is reloaded. Without anticipating such packets psad will interpret
70   - them as a belonging to a port scan. NOTE: This problem is mostly
71   - corrected by the conntrack patch to the kernel. Also, the
72   - IGNORE_CONNTRACK_BUG_PKTS variable was added to mitigate this
73   - problem.
74   - - Improve check_firewall_rules() to check for a state rule (iptables)
75   - since having such a rule greatly improves the quality of the data
76   - stream provided to psad by kmsgsd since more packet types will be
77   - denied without requiring overly complicated firewall rules to detect
78   - odd tcp flag combinations.
79   - - perldoc
80   - - Configurable iptables prerequisite checks.
81   - - Handle "pass" action on Snort rules in the signatures file. This will
82   - allow ignore rules to be written in the Snort rules language itself
83   - (this will far more powerful than any of the IGNORE_* keywords).
84   - - Allow auto-response blocking based on either src or dst of a signature
85   - match.
86   - - Include IP options decode information in email alert if a signature
87   - matched against IP options.
88   - - Include input/output interfaces, as well as physin and physout
89   - interfaces.
90   - - IPCop integration.
91   - - Script to turn pcap files into equivalent iptables log messages.
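Review bot: two entries in the removed list have no counterpart in the todo.org added by this same commit: line 37 "Module tests for Psad.pm" and line 79 "perldoc". If they are done, they belong under the new "* COMPLETE" bucket; if they were dropped on purpose, the commit message ("replaced TODO with todo.org org mode file") should say so, since it presents the change as a format conversion rather than a triage. Note also that line 64 "Ipfilter support on *BSD platforms" becomes "ipfw/pf/ipfilter support" on the new side, so the two files are not a one-to-one mapping and a reader diffing them later will need that context.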
85 todo.org
... ... @@ -0,0 +1,85 @@
  1 +* COMPLETE
  2 + This bucket is for completed tasks.
  3 +* TODO
  4 +** Nmap protocol scan detection
  5 + :<2012-12-01 Sat>
  6 +** Automated tests to verify correct behavior for command line
  7 + options (and potentially other things such as correctness of
  8 + psad alerts).
  9 +** Take into account whether a destination port is in /etc/services for
  10 + the danger level calculaion. A SYN packet to tcp/22 is worse than
  11 + a stray SYN packet to an arbitrary high port (as long as there isn't
  12 + a backdoor, etc.). There are (probably) historically more
  13 + vulnerabilities in sshd than for some service that isn't even listed
  14 + in /etc/services.
  15 +** Idle scan detection through seeing combination of SYN/ACK and RST
  16 + packets (i.e. the iptables box was used as a zombie host).
  17 +** XML logging format.
  18 +- HTML output mode, and ability to create IP directories/pages under a
  19 + web root directory.
  20 +- Add the ability to install.pl to restore the "latest" syslog config
  21 + backup file (fwknop may have been installed for example) at uninstall
  22 + time.
  23 +** Infer NMAP scan if OPT does not exist in the iptables log (because tcp options are missing)?
  24 +- Play with SHOW_ALL_SIGNATURES = "Y" since this may not really cause
  25 + hugely long email alerts. This trick would be to perhaps associate
  26 + a "last seen" timestamp with each old signature.
  27 +** MRTG scripts.
  28 + :<2012-12-01 Sat>
  29 +** Add a DNS_TIMEOUT config keyword.
  30 + :<2012-12-01 Sat>
  31 +** Add a threshold danger level for ENABLE_EXT_SCRIPT_EXEC functionality.
  32 +** Ability to remove email block for a specific ip from a running psad process.
  33 +** Summary report emails like dshield does.
  34 +** Ability to elevate scan danger level based on specific iptables prefixes.
  35 +** Replace full ascii signature listings in <ip>_signatures with sid numbers and packet counts.
  36 +** Rework IGNORE_CONNTRACK_BUG_PKTS strategy to maximze signature detection.
  37 +** More syslog messages from psad, psadwatchd, and kmsgsd.
  38 +** Put a "psad signature strategy" link in all alert emails.
  39 +** Extract default behavior into psad.conf.
  40 +** Custom logging line upon auto-blocking an ip.
  41 +** Add difference notification (via syslog) for changed variables after receiving a HUP signal.
  42 +** Include the ability to specify a network in CIDR notation with --Status output.
  43 +** Drop root privileges if not running in auto-blocking mode.
  44 +** Extend install.pl to provide an option to dowload the latest perl modules (Date::Calc, Unix::Syslog, etc.) from CPAN.
  45 +** Extend passive OS fingerprinting to make use of more types of packets than just tcp/syn packets.
  46 +** Extend passive OS fingerprinting to include signatures from Xprobe from http://www.sys-security.com.
  47 +- Add a density calculation for a range of scanned ports, and also
  48 + add a "verbose" mode that will display which of the scanned ports
  49 + actually resolve to something in the IANA spec.
  50 +** Packet grapher mode with annotated scan alerts.
  51 +** Mysql database support?
  52 +** psad.conf option to disable signature detection; useful if fwsnort is already deployed for this.
  53 +** Include a verbose message in the body of certain emails that as of psad-1.0.0-pre2 only contain a subject line.
  54 +- Deal with the possibility that psad could eat lots of memory over
  55 + time if $ENABLE_PERSISTENCE="Y". This should involve periodically
  56 + deleting entries in %scan (or maybe the entire hash), but this
  57 + should be done in a way that allows some scan data to persist.
  58 +** ipfw/pf/ipfilter support on *BSD platforms.
  59 +** Take into account syslog message summarization; i.e. "last message repeated n times".
  60 +- Possibly add a daemon to take into account ACK PSH, ACK FIN, RST etc.
  61 + packets that the client may generate after the ip_conntrack module
  62 + is reloaded. Without anticipating such packets psad will interpret
  63 + them as a belonging to a port scan. NOTE: This problem is mostly
  64 + corrected by the conntrack patch to the kernel. Also, the
  65 + IGNORE_CONNTRACK_BUG_PKTS variable was added to mitigate this
  66 + problem.
  67 +- Improve check_firewall_rules() to check for a state rule (iptables)
  68 + since having such a rule greatly improves the quality of the data
  69 + stream provided to psad by kmsgsd since more packet types will be
  70 + denied without requiring overly complicated firewall rules to detect
  71 + odd tcp flag combinations.
  72 +** Configurable iptables prerequisite checks.
  73 +- Handle "pass" action on Snort rules in the signatures file. This will
  74 + allow ignore rules to be written in the Snort rules language itself
  75 + (this will far more powerful than any of the IGNORE_* keywords).
  76 +** Allow auto-response blocking based on either src or dst of a signature match.
  77 + :<2012-11-21 Wed>
  78 +** Include IP options decode information in email alert if a signature matched against IP options.
  79 + :<2012-11-21 Wed>
  80 +** Include input/output interfaces, as well as physin and physout interfaces.
  81 + :<2012-11-21 Wed>
  82 +** IPCop integration.
  83 + :<2012-11-21 Wed>
  84 +** Script to turn pcap files into equivalent iptables log messages.
  85 + :<2012-11-21 Wed>
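Review bot: the org structure is inconsistent: most items are "**" headings, but lines 18-22, 24-26, 47-49, 54-57, 60-71 and 73-75 are "-" plain-list items, so in org-mode they render as sub-bullets of the preceding heading (for example "HTML output mode..." and "Add the ability to install.pl..." become children of "XML logging format") rather than as separate entries, and they cannot carry a TODO state or be folded on their own. Suggest promoting them to "**" headings like the rest; the multi-line bodies can keep their indentation under the heading. Separately, the ":<2012-12-01 Sat>" lines (5, 28, 30, 77, 79, 81, 83, 85) carry a leading colon that is not standard org timestamp syntax; if these record when an item was added or finished, a bare "<2012-12-01 Sat>" works, and if a due date is meant, "SCHEDULED:" or "DEADLINE:" before the timestamp would make them show up in the agenda. While the text is being moved anyway, the typos carried over from the old file could be fixed: "calculaion" (line 10), "maximze" (36), "dowload" (44), "as a belonging to" (63) and "this will far more powerful" (75).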

0 comments on commit f20a57a
