• Jun 16, 2017

    2.4.6-pre1

    bug fix for ENABLE_OVERRIDE_FW_CMD feature to use correct hash key
    
  • Jun 14, 2017

    2.4.5

    psad-2.4.5 (06/13/2017):
        - Added proper port sweep detection based on a single port being probed
          across a configurable number of destination hosts. The number of
          destinations is controlled by the following new configuration variables
          (and associated defaults) in the psad.conf file:
    
              DL1_UNIQUE_HOSTS            10;
              DL2_UNIQUE_HOSTS            20;
              DL3_UNIQUE_HOSTS            50;
              DL4_UNIQUE_HOSTS            100;
              DL5_UNIQUE_HOSTS            500;
              PORT_RANGE_SWEEP_THRESHOLD  0;
    
          The PORT_RANGE_SWEEP_THRESHOLD variable is set to zero by default to
          denote a sweep for a single port. The comparison is made as an "equals"
          test against this variable. So a scan that trips the
          PORT_RANGE_SCAN_THRESHOLD can be changed to a sweep if
          PORT_RANGE_SWEEP_THRESHOLD is changed to a value greater than
          PORT_RANGE_SCAN_THRESHOLD and if at least DL1_UNIQUE_HOSTS are hit.
    
- Bug fix to apply a syslog-only ALERTING_METHOD properly when an email
          throttle is also set. This issue was reported by @joshlinx on github as
          issue #44.
        - Bug fix to include top signature matches in 'psad --Status' output. This
          issue was reported by @joshlinx on github as issue #41.
        - In the psad.conf file, change the ENABLE_PERSISTENCE default to "N" in
          order to (by default) limit psad's memory consumption. The trade off is
          that really "low and slow" scans may be missed in exchange for a better
          operational model. Note the MAX_SCAN_IP_PAIRS variable can also be used
          to control memory consumption if ENABLE_PERSISTENCE is enabled.
        - Added new variables ENABLE_OVERRIDE_FW_CMD and FW_CMD to force a path to
          a firewall binary to be set instead of having psad search for standard
          installation paths.
  • Jun 6, 2017

    2.4.5-pre1

    psad-2.4.5-pre1 release
    - Added proper port sweep detection based on a single port being probed
      across a configurable number of destination hosts. The number of
      destinations is controlled by the following new configuration variables
      (and associated defaults) in the psad.conf file:
    
          DL1_UNIQUE_HOSTS            10;
          DL2_UNIQUE_HOSTS            20;
          DL3_UNIQUE_HOSTS            50;
          DL4_UNIQUE_HOSTS            100;
          DL5_UNIQUE_HOSTS            500;
    
- Bug fix to apply a syslog-only ALERTING_METHOD properly when an email
      throttle is also set. This issue was reported by @joshlinx on github as
      issue #44.
    - Bug fix to include top signature matches in 'psad --Status' output. This
      issue was reported by @joshlinx on github as issue #41.
    - In the psad.conf file, change the ENABLE_PERSISTENCE default to "N" in
      order to (by default) limit psad's memory consumption. The trade off is
      that really "low and slow" scans may be missed in exchange for a better
      operational model. Note the MAX_SCAN_IP_PAIRS variable can also be used
      to control memory consumption if ENABLE_PERSISTENCE is enabled.
  • Feb 20, 2017

    2.4.4

    psad-2.4.4 (02/20/2017):
        - Added detection for Mirai botnet default credentials scans. These scans
          follow a well-defined pattern of 10 connections to TCP port 23 (telnet)
          followed by a connection to TCP port 2323.
        - Added installation support (install.pl and 'psad.service' file) for
          systems running systemd.
- Bug fix to not remove auto-blocked IPs from a running psad instance
          with 'psad --Status'.
        - Updated to version 5.2.13 of the whois client.
        - Updated to IPTables::ChainMgr 1.6.
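The sweep thresholds in the 2.4.5 notes above and the Mirai telnet pattern in the 2.4.4 entry, as one added worked example (this is illustrative code written for this page, not psad's own Perl implementation): a small Python script that parses constructed iptables LOG lines, assigns a sweep danger level from the DLn_UNIQUE_HOSTS defaults quoted in the 2.4.5 notes, and flags a source that makes 10 TCP/23 connections followed by one to TCP/2323. The log-line regex, the reading of PORT_RANGE_SWEEP_THRESHOLD as the max-minus-min span of the ports a source probed, the per-source bookkeeping and the sample addresses are assumptions made for the example; psad's real code also tracks time windows and per-IP-pair state that this leaves out.

```python
"""Port-sweep danger levels and Mirai-style credential-scan detection over
iptables LOG lines.  Added example for this page; not psad's own code."""
import re
from collections import defaultdict

# Defaults from the psad.conf variables quoted in the 2.4.5 notes.
DL_UNIQUE_HOSTS = {1: 10, 2: 20, 3: 50, 4: 100, 5: 500}
PORT_RANGE_SWEEP_THRESHOLD = 0   # 0 == a sweep of exactly one port

# Only the fields needed here; a real iptables LOG line carries more.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) SPT=\d+ DPT=(\d+)")


def parse_iptables_line(line):
    """Return (src, dst, proto, dpt) or None when the line is not a LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src, dst, proto, dpt = m.groups()
    return src, dst, proto, int(dpt)


def sweep_danger_level(events, src):
    """Danger level 0-5 for a port sweep by `src`.

    Assumed reading of the changelog: the span of probed ports (max - min)
    must *equal* PORT_RANGE_SWEEP_THRESHOLD (0 == a single port), and the
    level is the highest DLn_UNIQUE_HOSTS threshold the count of distinct
    destination hosts reaches.  Anything else is left to scan detection.
    """
    ports = sorted({e[3] for e in events if e[0] == src})
    if not ports or ports[-1] - ports[0] != PORT_RANGE_SWEEP_THRESHOLD:
        return 0
    hosts = {e[1] for e in events if e[0] == src}
    level = 0
    for dl, threshold in sorted(DL_UNIQUE_HOSTS.items()):
        if len(hosts) >= threshold:
            level = dl
    return level


def mirai_credential_scan(events, src):
    """True if `src` made 10 TCP connections to port 23 and then one to 2323
    (the pattern described in the 2.4.4 notes).  Events are assumed to be in
    log order; any other port breaks the run."""
    run = 0
    for s, _, proto, dpt in events:
        if s != src or proto != "TCP":
            continue
        if dpt == 23:
            run += 1
        elif dpt == 2323 and run >= 10:
            return True
        else:
            run = 0
    return False


def _line(src, dst, dpt):
    # Constructed sample in iptables LOG format; not captured traffic.
    return (f"Jun 13 10:00:00 fw kernel: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=45000 "
            f"DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")


SAMPLE_LOG = (
    # 203.0.113.9 probes TCP/22 on 25 hosts: a single-port sweep, level 2.
    [_line("203.0.113.9", f"192.0.2.{i}", 22) for i in range(1, 26)]
    # 198.51.100.7 follows the Mirai pattern against one host.
    + [_line("198.51.100.7", "192.0.2.50", 23) for _ in range(10)]
    + [_line("198.51.100.7", "192.0.2.50", 2323)]
    # 198.51.100.8 alternates two ports over 12 hosts: span 1, not a sweep.
    + [_line("198.51.100.8", f"192.0.2.{i}", 80 + (i % 2)) for i in range(1, 13)]
)


def analyse(lines):
    """Map each source IP to (sweep danger level, mirai pattern seen)."""
    events = [e for e in map(parse_iptables_line, lines) if e]
    return {src: (sweep_danger_level(events, src), mirai_credential_scan(events, src))
            for src in sorted({e[0] for e in events})}


if __name__ == "__main__":
    for src, (dl, mirai) in analyse(SAMPLE_LOG).items():
        print(f"{src}: sweep danger level {dl}, mirai pattern {mirai}")
```

Running it reports 203.0.113.9 at sweep danger level 2 (25 hosts: above DL2's 20, below DL3's 50), 198.51.100.7 as matching the Mirai sequence with no sweep (its port span of 2300 fails the equality test), and 198.51.100.8 as neither. Raising PORT_RANGE_SWEEP_THRESHOLD to 1 would turn the third source into a level-1 sweep, which is the knob the 2.4.5 notes describe.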
  • Dec 19, 2015

    2.4.3

    psad-2.4.3 (12/19/2015):
- Bug fix in fwcheck_psad for an uninitialized variable in firewalld
          deployments.
        - Bug fix to add psad process into -K, -S, and -R handling if psad is
          reading iptables logs via journalctl. This is necessary because psad
          fork()'s an extra copy of itself when reading via journalctl.
        - Updated to IPTables::ChainMgr 1.5.
  • Nov 29, 2015

    2.4.2

    psad-2.4.2 (11/29/2015):
        - Bug fix to apply the EMAIL_ALERT_DANGER_LEVEL threshold to auto-blocking
          emails (reported by itoffshore@github).
        - Bug fix to include the META.yml file for the Unix::Syslog module. This
          issue was reported by github user itvasile as issue #26.
        - Updated IPTables::ChainMgr and IPTables::Parse to 1.4 and 1.6.1
          respectively. The IPTables::Parse update is important because of a
          security vulnerability fixed by Miloslav Trmač. This vulnerability was
          an issue where temporary files used predictable names, and this could be
          leveraged by a local attacker to overwrite any files to which the
          attacker has write permissions.
        - With the update to IPTables::Parse 1.6.1, the path to the
          iptables/ip6tables/firewall-cmd binary is worked out by the module
          directly instead of by psad.
  • May 12, 2015
  • Mar 18, 2015
  • Feb 10, 2015
  • Jan 17, 2015