Added the ability to throttle emails generated by psad via a new EMAIL_THROTTLE variable which is implemented as a per-IP threshold. That is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as many emails for each scanning IP as it would have normally. This feature was suggested by Naji Mouawad.
…g in -A mode
…nality in psad
Added detection for Topera IPv6 scans when --log-ip-options is used in the ip6tables logging rule. When this option is not used, the previous psad-2.2 release detected Topera scans. An example TCP SYN packet generated by Topera when --log-ip-options is used looks like this (note the series of empty IP options strings "OPT ( )"):

    Dec 20 20:10:40 rohan kernel: [ 488.495776] DROP IN=eth0 OUT= MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd SRC=20121234:0000:0000:0000:0000:0001 DST=20121234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64 FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN URGP=0
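The log signature described in the entry above can be checked with a short script. This is an added example, not psad's own code: the function names, the threshold of three empty option strings and every sample line after the first are assumptions made for illustration.

```python
import re
from collections import defaultdict

MIN_EMPTY_OPTS = 3  # assumed threshold for this example, not a psad setting
EMPTY_OPT_RE = re.compile(r"\bOPT \(\s*\)")  # one empty IP options string
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens in the log line

PREFIX = ("Dec 20 20:10:40 rohan kernel: [ 488.495776] DROP IN=eth0 OUT= "
          "MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd ")
ADDRS = ("SRC=20121234:0000:0000:0000:0000:0001 "
         "DST=20121234:0000:0000:0000:0000:0002 "
         "LEN=132 TC=0 HOPLIMIT=64 FLOWLBL=0 ")
OPTS = "OPT ( ) " * 9  # nine empty option strings, as in the entry's sample
TCP = "PROTO=TCP SPT=%d DPT=%d WINDOW=8192 RES=0x00 SYN URGP=0"

SAMPLE_LOG = [
    PREFIX + ADDRS + OPTS + TCP % (61287, 1),   # the sample line from the entry
    PREFIX + ADDRS + OPTS + TCP % (61288, 2),   # constructed: next probed port
    # Constructed: ordinary IPv6 SYN with no options logged.
    PREFIX + "SRC=2001:0db8:0000:0000:0000:0000:0000:0010 "
    "DST=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=0 " + TCP % (40000, 443),
    "Dec 20 20:10:41 rohan sshd[1234]: Connection closed",  # constructed noise
]

def parse_tcp6_line(line):
    """Parse an ip6tables TCP log line; return None for anything else."""
    fields = dict(FIELD_RE.findall(line))
    # HOPLIMIT appears only in IPv6 netfilter log lines (IPv4 logs TTL).
    if "HOPLIMIT" not in fields or fields.get("PROTO") != "TCP":
        return None
    if "SRC" not in fields or not fields.get("DPT", "").isdigit():
        return None
    return {"src": fields["SRC"], "dpt": int(fields["DPT"]),
            "syn": " SYN " in line,
            "empty_opts": len(EMPTY_OPT_RE.findall(line))}

def topera_like_sources(lines, min_empty_opts=MIN_EMPTY_OPTS):
    """Map each source to the sorted ports hit by SYNs with many empty OPTs."""
    hits = defaultdict(set)
    for line in lines:
        pkt = parse_tcp6_line(line)
        if pkt and pkt["syn"] and pkt["empty_opts"] >= min_empty_opts:
            hits[pkt["src"]].add(pkt["dpt"])
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    print(topera_like_sources(SAMPLE_LOG))
```

The empty "OPT ( )" strings appear only when the ip6tables LOG rule uses --log-ip-options, so this check sees nothing on hosts that log without it.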
Added the ability to acquire Snort rule 'msg' fields from fwsnort if it's also installed. A new variable FWSNORT_RULES_DIR tells psad where to look for the fwsnort rule set. This fixes a problem reported by Pui Edylie to the psad mailing list where fwsnort logged an attack that psad could not map back to a descriptive 'msg' field.
… (used in -sO protocol scan detection)
Bug fix in --Analyze mode when IP fields are to be searched with the --analysis-fields argument (such as --analysis-fields "SRC:126.96.36.199"). The bug was reported by Gregorio Narvaez, and looked like this:

    Use of uninitialized value $_ in length at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
    Use of uninitialized value $_ in length at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into ../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
    Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be 128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into ../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.

Added --stdin argument to allow psad to collect iptables log data from STDIN in --Analyze mode.
…o be consumed by --Use-answers