psad v2.4.5 - Intrusion Detection and Log Analysis with iptables.

psad v2.4.5 – Intrusion Detection and Log Analysis with iptables.

Changelog psad(The Port Scan Attack Detector) v2.4.5:
– Added proper port sweep detection based on a single port being probed across a configurable number of destination hosts. The number of destinations is controlled by the following new configuration variables (and associated defaults) in the psad.conf file:


The PORT_RANGE_SWEEP_THRESHOLD variable is set to zero by default to denote a sweep for a single port. The comparison is made as an “equals” test against this variable. So a scan that trips the PORT_RANGE_SCAN_THRESHOLD can be changed to a sweep if PORT_RANGE_SWEEP_THRESHOLD is changed to a value greater than PORT_RANGE_SCAN_THRESHOLD and if at least DL1_UNIQUE_HOSTS are hit.

– Bug fix to apply syslog only ALERTING_METHOD properly when an email throttle is also set. This issue was reported by @joshlinx on github as issue #44.
– Bug fix to include top signature matches in ‘psad –Status’ output. This issue was reported by @joshlinx on github as issue #41.
– In the psad.conf file, change the ENABLE_PERSISTENCE default to “N” in order to (by default) limit psad’s memory consumption. The trade off is that really “low and slow” scans may be missed in exchange for a better operational model. Note the MAX_SCAN_IP_PAIRS variable can also be used to control memory consumption if ENABLE_PERSISTENCE is enabled.

psad v2.4.5

The Port Scan Attack Detector psad is a lightweight system daemon written in is designed to work with Linux iptables/ip6tables/firewalld firewalling code to detect suspicious traffic such as port scans and sweeps, backdoors, botnet command and control communications, and more. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, reverse DNS info, email and syslog alerting, automatic blocking of offending IP addresses via dynamic configuration of iptables rulesets, passive operating system fingerprinting, and DShield reporting. In addition, psad incorporates many of the TCP, UDP, and ICMP signatures included in the Snort intrusion detection system. to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (Mstream, Shaft), and advanced port scans (SYN, FIN, XMAS) which are easily leveraged against a machine via nmap. psad can also alert on Snort signatures that are logged via fwsnort, which makes use of the iptables string match extension to detect traffic that matches application layer signatures. As of the 2.4.4 release, psad can also detect the IoT default credentials scanning phase of the Mirai botnet.

psad – Intrusion Detection with iptables Logs

+ Detection for TCP SYN, FIN, NULL, and XMAS scans as well as UDP scans.
+ Support for both IPv4 and IPv6 logs generated by iptables and ip6tables respectively.
+ Detection of many signature rules from the Snort intrusion detection system.
+ Forensics mode iptables/ip6tables logfile analysis (useful as a forensics tool for extracting scan information from old iptables/ip6tables logfiles).
+ Passive operating system fingerprinting via TCP syn packets. Two different fingerprinting strategies are supported; a re-implementation of p0f that strictly uses iptables/ip6tables log messages (requires the –log-tcp-options command line switch), and a TOS-based strategy.
+ Email alerts that contain TCP/UDP/ICMP scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
+ Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the iptables string match extension and fwsnort.
+ Icmp type and code header field validation.
+ Configurable scan thresholds and danger level assignments.
+ Iptables ruleset parsing to verify “default drop” policy stance.
+ IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
+ DShield alerts.
+ Auto-blocking of scanning IP addresses via iptables/ip6tables and/or tcpwrappers based on scan danger level. (This feature is NOT enabled by default.)
+ Parsing of iptables/ip6tables log messages and generation of CSV output that can be used as input to AfterGlow. This allows iptables/ip6tables logs to be visualized. Gnuplot is also supported.
+ Status mode that displays a summary of current scan information with associated packet counts, iptables/ip6tables chains, and danger levels.


Source: | Our Post Before