Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Commits on Mar 23, 2012
  1. validate ICMP6 type+code fields

Commits on Mar 14, 2012
  1. minor comment typo fixes

Commits on Mar 13, 2012
  1. Added the ability to install at custom location

    This commit adds the ability to install psad at a custom location via the
    --install-root <root> command line argument to  This feature
    was suggested by @pyllyukko.  In addition, psad can be installed by a
    normal user instead requiring root.
Commits on Dec 23, 2011
Commits on Dec 10, 2011

    Thic commit allows psad memory usage to be constrained by restricting the
    number of unique IP pairs that psad tracks via a new config variable
    MAX_SCAN_IP_PAIRS.  This is useful for when psad is deployed on systems with
    little memory, and is best utilized in conjunction with disabling
    ENABLE_PERSISTENCE so that old scans will also be deleted (and thereby making
    room for tracking new scans under the MAX_SCAN_IP_PAIRS threshold).
  2. reworked how old scans are deleted, and added a new PERSISTENCE_CTR_T…

    …HRESHOLD variable to control this
Commits on Jul 26, 2011
  1. Added the ENABLE_IPV6_DETECTION variable

    The ENABLE_IPV6_DETECTION variable controls whether psad will parse or ignore
    IPv6 iptables log messages.  This is enabled by default.
  2. Minor wording update for syslog messages parsing

    Minor documentation update to better describe the default parsing behavior of
    psad (non-usage of the psadfifo and kmsgsd by default).
  3. Minor update Netfilter -> iptables wording

    It is more proper to refer to iptables in the context of psad operations, so
    changed all "Netfilter" references to "iptables".
Commits on Jun 17, 2011
  1. Removed "$Id$" tags (meaningless for git)

    All "$Id$" expansion tags were removed since they were a hold-over from the
    svn days.  This also meant that the "file revision: <N>" output for "psad -V"
    was removed too.
Commits on Jul 14, 2010
  1. - Updated psad to issues whois lookups against IP addresses that are not

    directly connected to the local system.  This is useful for example when
    an internal system is scanning an external destination system, and the
    scan is logged in the FORWARD chain.  Issuing whois lookups on the
    internal system (frequently on RFC 1918 address space) is not usually
    very useful, but issuing the whois lookup against the destination system
    gives much more interesting data.  This feature can be disabled with the
    new ENABLE_WHOIS_FORCE_SRC_IP variable.
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2297 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
  2. - Added ENABLE_WHOIS_FORCE_ASCII to replace any non-ascii characters in

    whois data (which is common with whois lookups against Chinese IP
    addresses for example) with the string "NA".  This option is disabled by
    default, but can be useful if errors like the following are seen upon
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2296 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Jul 12, 2010
  1. (Dan A. Dickey) Added the ability to use the "ip" command from the

    iproute2 tools to acquire IP addresses from local interfaces.  Dan's
    description is as follows: "...A main reason for doing this is in the
    case of multi-homed hosts. ifconfig sets these up on an interface using
    aliases, iproute2 does not.  So, for a multi-homed interface (eth0 with
    multiple addresses), ifconfig -a only shows the first one configured and
    not the rest.  ip addr shows all of the configured addresses...".
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2293 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Oct 26, 2008
  1. minor comment update to psad.conf

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2247 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Jun 7, 2008
  1. made ENABLE_SYSLOG_FILE and IPT_WRITE_FWDATA enabled by default

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2179 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Jan 25, 2008
  1. - Added a new feature whereby psad can acquire iptables log data just by

    parsing an existing file (/var/log/messages by default) that is written
    to by syslog.  By default, psad acquires iptables log data from the
    /var/log/psad/fwdata file which is written to by kmsgsd, but on some
    systems, having syslog communicate log data to kmsgsd can be problematic
    since syslog configs and external factors such as Apparmor and SELinux
    can play a role here.  This new feature is controled by two new
    configuration variables "ENABLE_SYSLOG_FILE" (to enable/disable the
    feature) and "IPT_SYSLOG_FILE" to specifiy the path to the file to
    - Better installation support for various Linux distributions including
    Fedora 8 and Ubuntu.  The current runlevel is now acquired via the
    "runlevel" command instead of attempting to read /etc/inittab (which
    does not even exist on Ubuntu 7.10), and there are new command line
    arguments --init-dir, --init-name, and --runlevel to allow the init
    directory, init script name, and the runlevel to be manually specified
    on the command line.
    - Updated psad to automatically handle situations where the either the
    /var/log/psad/fwdata file or the /var/log/messages file (whichever
    syslog is writing iptables log messages to) gets rotated.  The
    filehandle is closed and reopened if the file shrinks or if the inode
    changes.  This strategy is borrowed from how the fwknop project deals
    with the filesystem packet capture file.
    - Updated to set the LC_ALL environmental variable to "C"
    This should address some issues with installing psad on non-English
    locale systems.
    - Updated to be compatible with the rsyslog daemon, which is
    commonly installed on Fedora 8 systems.
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2136 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Oct 20, 2007
  1. - Changed EMAIL_LIMIT model to apply to scanning source addresses only

      instead of also factoring in the destination address. The original
      src/dst email limit behavior can be restored by setting a new variable
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2121 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Jun 29, 2007
  1. added validation for the SYSLOG_FACILITY and SYSLOG_PRIORITY vars

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2077 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
  2. Added the ability to configure the syslog facility and priority via the

    psad.conf file (see the SYSLOG_FACILITY and SYSLOG_PRIORITY variables).
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2074 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on May 26, 2007
  1. minor wording change

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2058 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Mar 31, 2007
  1. updated to the ESTAB string that recent fwsnort versions (> 0.9.0) pr…

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2027 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Mar 3, 2007
  1. merged r1985:1997 from psad-2.0.5 branch

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1998 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Feb 14, 2007
  1. major consolidation so that there is only one config file, psad.conf.…

    … Other daemon config files such as kmsgsd.conf and psadwatch.d have been removed and any relevant variables placed within psad.conf
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1960 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Jan 3, 2007

    …SLOG_THRESHOLD vars to control syslog reporting of sid matches
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1919 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Dec 28, 2006
  1. Added IGNORE_KERNEL_TIMESTAMP so that the timestamp automatically add…

    …ed to kernel syslog messages by some Linux distros can be ignored (this is common on Ubuntu systems)
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1902 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Dec 27, 2006
  1. bugfix to use the PSAD_ERR_DIR var for the fwerrorlog path

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1900 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Dec 23, 2006

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1882 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Dec 21, 2006
  1. minor re-ordering

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1867 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
  2. minor variable naming fixes

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1864 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Dec 6, 2006

    …RESHOLD to allow -A output to include differnet numbers of top ports, attackers, and signatures, added ANALYSIS_OUTPUT_FILE so that -A output is kept separate from -S output
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1767 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Dec 4, 2006

    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1762 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
  2. added STATUS_OUTPUT_FILE so that --Status and --Analyze output is cap…

    …tured for reference
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1755 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
  3. Added TOP_STATUS_THRESHOLD so that the top sigs and ports sections ca…

    …n be limited
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1748 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Commits on Dec 2, 2006
  1. added top_sigs and top_ports in the /var/log/psad/ directory so that …

    …the top scanned ports and signature matches can be easily extracted via psad -S
    git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1741 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
Something went wrong with that request. Please try again.