base fork: mrash/psad
base: psad-2.2
head fork: mrash/psad
compare: master
Commits on May 27, 2012
@mrash removed legacy psadwatchd.conf file references 8dedbca
Commits on Jun 12, 2012
@mrash INSTALL_ROOT resolution bug fix (found by Kat) e5ada77
@mrash minor comment wording update w.r.t. SYSLOG_DAEMON usage 99ac4ab
@mrash bumped version to psad-2.3-pre1 30120fb
Commits on Nov 21, 2012
@mrash Bug fix for NetAddr::IP usage in --analysis-fields IP search mode
Bug fix in --Analyze mode when IP fields are to be searched with the
--analysis-fields argument (such as --analysis-fields "SRC:").
The bug was reported by Gregorio Narvaez, and looked like this:

  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/ (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/ line 126.
  Use of uninitialized value $_[0] in length at
  ../../blib/lib/NetAddr/IP/ (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/ line 126.
  Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
  128 at ../../blib/lib/NetAddr/IP/ (autosplit into
  ../../blib/lib/auto/NetAddr/IP/UtilPP/ line 122.

Added --stdin argument to allow psad to collect iptables log data from
STDIN in --Analyze mode.
@mrash added Gregorio Narvaez a3d8daa
Commits on Nov 23, 2012
@mrash applied hyphen fix from Franck Joncourt f2c44bb
@mrash another hyphen fix eab733f
Commits on Dec 01, 2012
@mrash replaced TODO with org mode file f20a57a
Commits on Dec 08, 2012
@mrash added 'protocols' file in support of IP protocol scan detection (nmap…
… -sO)
@mrash first cut at IP protocol scan detection (nmap -sO) 91dfe52
@mrash removed unused is_digit() function 9fd7ce6
@mrash added IP protocol scan test 4e05985
Commits on Dec 10, 2012
@mrash minor bug fix for uninitialized variable usage in ICMP6 invalid type/…
…code detection
@mrash remove 'multiproto' hash key in favor of new 'tot_protocols' hash key…
… (used in -sO protocol scan detection)
@mrash added 'Other' protocols to per-IP 'Global stats' output for protocol …
Commits on Dec 15, 2012
@mrash [test suite] added --analysis-write-data to psad test command line 8018338
Commits on Dec 16, 2012
@mrash additional regex's to look for perl warnings 6383941
@mrash added IP protocol scan output to psad emails 19bee21
@mrash completed IP protocol scan detection task 9659621
@mrash added nmap scan style details to syslog output 361281e
Commits on Dec 18, 2012
@mrash Parse fwsnort rules for 'msg' fields
Added the ability to acquire Snort rule 'msg' fields from fwsnort if
it's also installed.  A new variable FWSNORT_RULES_DIR tells psad where
to look for the fwsnort rule set.  This fixes a problem reported by Pui
Edylie to the psad mailing list where fwsnort logged an attack that psad
could not map back to a descriptive 'msg' field.
Commits on Dec 21, 2012
@mrash Detect Topera IPv6 scans when IP options are logged
Added detection for Topera IPv6 scans when --log-ip-options is used in
the ip6tables logging rule.  When this option is not used, the previous
psad-2.2 release detected Topera scans.  An example TCP SYN packet
generated by Topera when --log-ip-options is used looks like this (note
the series of empty IP options strings "OPT ( )"):

    Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT=
    MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd
    SRC=2012:1234:1234:0000:0000:0000:0000:0001
    DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64
    FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( )
    OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN
Commits on Dec 23, 2012
@mrash Added --enable-auto-block-tests for testing the auto-blocking functio…
…nality in psad
@mrash added --analysis-auto-block mode to allow auto-responses to be testin…
…g in -A mode
Commits on Jan 02, 2013
@mrash Configurable auto-blocking timeout values.
Oscar Marley suggested configurable auto-blocking timeout values depending on
the danger level that a scan or attack achieves.  This resulted in the
implementation of the AUTO_BLOCK_DL*_TIMEOUT variables.
@mrash Added EMAIL_THROTTLE for email throttling
Added the ability to throttle emails generated by psad via a new
EMAIL_THROTTLE variable which is implemented as a per-IP threshold.  That
is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
many emails for each scanning IP as it would have normally.  This feature
was suggested by Naji Mouawad.
@mrash bumped version to 2.2.1 da758cc
Commits on Jan 03, 2013
@mrash minor date update for psad-2.2.1 release 98debf7
@mrash changes since psad-2.2 0c59ffd
@mrash added auto_min_dl5_blocking.conf file e7d4d47
@mrash changes since psad-2.2 7c4a910
Commits on Jan 25, 2013
@mrash psad RPM bug fix to include the protocols file
Nicholas-Ritter reported a bug in psad-2.2.1 where the protocols file is not
bundled with the psad RPM's or included in the psad RPM .spec files.
Commits on Jul 27, 2013
@mrash minor --stdin usage text addition 4f0a212
@mrash [test suite] added --test-limit command line arg 3b7d73b
Commits on Jul 29, 2013
@mrash fix uninitialized scan danger level for IP block renewals when FLUSH_I…
…PT_AT_INIT=N, closes #6
Commits on Sep 30, 2013
@mrash minor auto_dl spacing update cb891a8
@mrash Added detection for Errata Security's "Masscan" port scanner
Added detection for Errata Security's "Masscan" port scanner that was
used in an Internet-wide scan for port 22 on Sept. 12, 2013 (see:
The detection strategy used by psad relies on the fact that masscan does
not appear to set the options portion of the TCP header, and if the
iptables LOG rules that generate log data for psad are built with the
--log-tcp-options switch, then no options in a SYN scan can be seen.
This is not to say that other scanning software always sets TCP options -
Scapy seems to not set options by default when issuing a SYN scan like
this either:
There is a new psad.conf variable "EXPECT_TCP_OPTIONS" to assist with
Masscan detection as well.  When looking for Masscan SYN scans, psad
requires at least one TCP options field to be populated within a LOG
message (so that it knows --log-tcp-options has been set for at least
some logged traffic), and after seeing this then SYN packets with no
options are attributed to Masscan traffic.  All usual psad threshold
variables continue to apply however, so (by default) a single Masscan
SYN packet will not trigger a psad alert.  Masscan detection can be
disabled altogether by setting EXPECT_TCP_OPTIONS to "N", and this will
not affect any other psad detection techniques such as passive OS
fingerprinting, etc.
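The Masscan heuristic described in the commit message above, sketched as an added example (this is not psad's own code). It assumes iptables LOG lines in which TCP options appear as `OPT (hex)` after `PROTO=TCP`; `min_syns` is a hypothetical stand-in for psad's threshold variables, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed iptables LOG lines (documentation addresses), not captured traffic.
SAMPLE_LOG = """\
Sep 12 10:00:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=50000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 12 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A0001E2400000000001030307)
Sep 12 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=61000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 12 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=40 PROTO=TCP SPT=61000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 12 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=40 PROTO=TCP SPT=61000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 12 10:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=40 PROTO=TCP SPT=22 DPT=61000 WINDOW=1024 RES=0x00 ACK SYN URGP=0
Sep 12 10:00:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=50001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

SRC_RE = re.compile(r"\bSRC=(\S+)")
# TCP flags are logged between RES=0x.. and URGP=
FLAGS_RE = re.compile(r"\bRES=0x[0-9a-fA-F]+ ((?:[A-Z]+ )*)URGP=")
# A populated TCP options field follows PROTO=TCP; IP options precede it.
TCP_OPT_RE = re.compile(r"\bPROTO=TCP\b.*\bOPT \(([0-9A-Fa-f]+)\)")

def optionless_syn_sources(lines, expect_tcp_options=True, min_syns=3):
    """Return {src_ip: count} of option-less SYNs at or above min_syns.

    Nothing is counted until one populated TCP options field has been
    seen, which is the evidence that --log-tcp-options is in effect.
    """
    if not expect_tcp_options:      # EXPECT_TCP_OPTIONS set to "N"
        return {}
    options_seen = False
    counts = Counter()
    for line in lines:
        src = SRC_RE.search(line)
        flags = FLAGS_RE.search(line)
        if "PROTO=TCP" not in line or not src or not flags:
            continue
        if TCP_OPT_RE.search(line):
            options_seen = True     # options are being logged
            continue
        # Only pure SYN packets with no options are attributed.
        if options_seen and flags.group(1).split() == ["SYN"]:
            counts[src.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_syns}

if __name__ == "__main__":
    print(optionless_syn_sources(SAMPLE_LOG.splitlines()))
```

The first SYN from 203.0.113.9 is not counted because no populated options field had been observed yet, so an option-less SYN at that point says nothing about the sender.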
Commits on Jan 13, 2014
@mrash [test suite] removed comments and blank lines for config files db91ca0
@mrash [test suite] added EXPECT_TCP_OPTIONS to config files d69cbdf
@mrash minor bug fix to auto-generate iptables logs in benchmark mode a91f735
@mrash bumped version to 2.2.2 679d49d
@mrash copyright date update dcbfd20
Commits on Jan 16, 2014
@mrash Added changelog data since psad-2.2.1 f8cb23e
Commits on Feb 07, 2014
@mrash Add compatibility with 'upstart' init daemons
- Added compatibility with 'upstart' init daemons with assistance from Tim
Kramer.  This change adds a new config variable 'ENABLE_PSADWATCHD' that
can be used to disable psadwatchd when deployed with upstart since it
has built-in process monitoring and restarting capabilities.  In addition,
a new init script located at init-scripts/upstart/psad has been added that
is compatible with upstart - this script is meant to be copied to the
/etc/init.d/ directory.
@mrash moved the upstart init script psad.conf to psad 77f4083
Commits on Feb 08, 2014
@mrash fix psad version in psad.h 9ef5930
@mrash close pid files as early as possible in psadwatchd 0d95d88
@mrash [test suite] added ENABLE_PSADWATCHD var to test suite config files 53cd31a
@mrash write syslog message if an existing psad is already running 693b3b2
@mrash better pid file error reporting under syslog for psadwatchd b0bd270
@mrash (Wolfgang Breyha) Bug fix to allow VLAN interfaces and interface alia…

This fixes issue #8 on github.
Commits on Feb 14, 2014
@mrash minor bug fix in psadwatchd to not have duplicate '/' in directory path 11ea904
Commits on Feb 15, 2014
@mrash tcpwrappers /etc/hosts.deny permissions bug fix
Bug fix to not modify /etc/hosts.deny permissions when removing
tcpwrappers auto-block rules. This issue was reported as Debian bug #724267
( and relayed via
Franck Joncourt. Closes issue #7 on github.
@mrash update to properly credit Franck for being the Debian package maintainer 8d287b8
Commits on Mar 02, 2014
@mrash remove any trailing newline char for pid value b3a86df
@mrash moved psad upstart config to psad.conf (meant to be copied to /etc/in…
@mrash set ENABLE_PSADWATCHD to 'N' by default 6bd297f
@mrash bump version to psad-2.2.3 98763c9
@mrash changes since 2.2.2 af89afe
@mrash update to properly credit Franck for being the Debian package maintainer 9052bf0
@mrash Merge branch 'master' of ssh:// 077b9fd
Commits on Jun 17, 2014
@mrash minor psad.conf comment update 5fb2d6d
Commits on Aug 21, 2014
@mrash Bug fix to not create zombie whois processes
Bug fix to not create zombie whois processes when whois lookups take too
long to complete for whatever reason (slow network, etc.). This fixes
issue #15 on Github. The bug was reported by "3Turtles" to the psad
mailing list, and Dan Dickey provided valuable input.
@mrash Merge branch 'master' of ssh:// 5e6ab05
@mrash Added the ability to exec a script upon a blocking rule being added.
(Steve Murphy) Added the ability to run an external script whenever an
IP is blocked. Two new config variables were added to support this
@mrash bumped version to 2.2.4-pre1 51317a1
@mrash Merge branch 'master' of ssh:// c0d49ba
@mrash make per-alert tracking specific to the non-blocking external script 3d40022
Commits on Dec 26, 2014
@mrash [test suite] add missing vars to test config files 91a3c6a
Commits on Dec 28, 2014
@mrash fix uninitialized var bug in --fw-block-ip handling (issue #17) 1c45056
@mrash bug fix for reverse DNS lookups against IP addresses that cannot be r…
@mrash bumped version to 2.2.4 5220e1d
@mrash changes since 2.2.3 fbb5782
Commits on Jan 13, 2015
@mrash 2.2.4-pre2 57779c4
@mrash fix uninitialized var in auto blocking mode when printing status b6d16b7
Commits on Jan 17, 2015
@mrash bugfix to restore alarm(0) calls 1dd0bf2
@mrash add killall for whois processes for which an alarm has gone off 0e72c57
@mrash minor SNORT capitalization update c082e67
Michael Rash updated 2.2.4 release date 9b12d58
@mrash changes since 2.2.3 56e9caf
@mrash minor ChangeLog typo fix ed20606
Commits on Feb 10, 2015
@mrash added a signature for fwknop SPA traffic to the default port of UDP 6…
@mrash exit status bug fix in --uninstall mode spotted by Rinck Sonnenberg 17e0da1
@mrash add Rinck Sonnenberg 257174e
@mrash updated ChangeLog for 2.2.5 and bumped version b601e30
@mrash added fwknop SPA packet for fwknop detection test a34431b
@mrash Merge branch 'master' of
@mrash changes since 2.2.4 557f09c
Commits on Feb 17, 2015
@mrash deps/ modules update to the latest versions from CPAN cc23842
@mrash Bit-Vector-7.4 86eb047
@mrash Bit-Vector-7.4 b7cfeef
@mrash Date-Calc-6.3 26682fa
@mrash Fix boolean compilation issue on Fedora 21
This commit fixes the following bug:

In file included from /usr/lib64/perl5/CORE/handy.h:73:0,
                 from /usr/lib64/perl5/CORE/perl.h:2513,
                 from Calc.xs:15:
ToolBox.h:92:24: error: expected identifier before numeric constant
         typedef enum { false = FALSE, true = TRUE } boolean;
Makefile:392: recipe for target 'Calc.o' failed
make: *** [Calc.o] Error 1
@mrash NetAddr-IP-4.075 2a8adec
@mrash Storable-2.51 00873bb
@mrash added Carp::Clan 23cf81e
Commits on Feb 18, 2015
@mrash add command logging 62479fd
@mrash add -h output, allow multiple --include / --exclude options 13c73fb
Commits on Feb 23, 2015
@mrash update to IPTables-ChainMgr 1.3 and IPTables-Parse 1.3 ddb4439
Commits on Feb 24, 2015
@mrash let IPTables::Parse work out whether to use firewall-cmd a1f1232
Commits on Feb 28, 2015
@mrash add support for firewalld via firewall-cmd (with IPTables::Parse) 84d271a
Commits on Mar 01, 2015
@mrash updated to IPTables::Parse 1.4 2b7a771
@mrash fix flow control precedence operator warning in fwcheck_psad 00ab92c
Commits on Mar 02, 2015
@mrash allow firewall-cmd to be leveraged by fwcheck_psad 338474f
@mrash minor copyright update 9001431
Commits on Mar 03, 2015
@mrash Fixed --HUP exit status
Bug fix reported by Brad Rubenstein to ensure exiting with a proper exit
status in 'psad --HUP' mode. This was also extended to ensure better
exit status returns in other modes as well such as --Status, and --USR1.
Fixes issue #11 on github.
Commits on Mar 04, 2015
@mrash restore test suite success for --fw-analyze cycle 4ddfe95
Commits on Mar 07, 2015
@mrash minor simplification of the main log processing loop 59716df
@mrash further main loop simplification a5a9d90
@mrash additional main loop simplification 8bb92f2
Commits on Mar 09, 2015
@mrash Add support for reading syslog messages from journalctl
Added support for reading syslog messages from journalctl on systems
where syslog data is tied into systemd. Although this functionality is
not enabled by default for now, it may be at a later time as more Linux
systems appear to move to systemd. To enable reading from journalctl,
set the ENABLE_FW_MSG_READ_CMD variable in /etc/psad/psad.conf to Y.
When enabled, by default the command executed by psad to acquire syslog
data is '/bin/journalctl -f -k', but both the command path and the
command args can be altered with the FW_MSG_READ_CMD and
FW_MSG_READ_CMD_ARGS variables respectively.
@mrash add FW_MSG_READ_CMD vars to test suite config files 5fcc3b4
@mrash add check for systemd-journald process af0ad04
Commits on Mar 13, 2015
@mrash Syslog time format parsing bug fix
Bug fix reported by Shlomit Afgin to handle the syslog time format that
looks like this: '2015-03-08T02:25:11.444012+02:00 servername kernel: ..'
Commits on Mar 14, 2015
@mrash allow psad to parse custom syslog date/time formats f1fc5ed
Commits on Mar 15, 2015
@mrash minor signature msg field typo fix bbcfcbe
@mrash reorganize main loop to run post processing of log data according to …
…file handle style
@mrash reduce can_read() check to a half second 7f287f1
Commits on Mar 16, 2015
@mrash auto-detect journalctl, restart journalctl read command if necessary 2bb81ac
Commits on Mar 18, 2015
@mrash bumped version to 2.4.0 c5bd711
Commits on May 10, 2015
@mrash Account for older versions of IPTables::ChainMgr that don't export _cmd
Github user itoffshore reported an issue #19 on Alpine Linux where the
following error was produced in 'psad -L' mode:

[+] Listing chains from IPT_AUTO_CHAIN keywords...

Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 6701.
[*]  -t filter -n -L PSAD_BLOCK_INPUT -v does not look like an iptables
command. at /usr/sbin/psad line 6701.

This error was produced because a pre-1.3 version of IPTables::ChainMgr
is installed on the system, and it doesn't export the _cmd hash key
(which is actually exported first by the IPTables::Parse module).
Commits on May 12, 2015
@mrash changes since 2.4.0 7c64d52
Commits on May 13, 2015
@mrash Bug fix to honor IGNORE_PROTOCOLS for non-tcp/udp/icmp protocols
This bug was reported by Paul Versloot.
@mrash added config vars to enable/disable whois and reverse DNS lookups e596a50
@mrash bumped version to 2.4.1 7534df2
@mrash extend IGNORE_PROTOCOLS to match on both numeric protocol and text st…
…ring regardless of what iptables reports