IDS mailing list archives

psad-2.0.4 released


From: Michael Rash <mbr () cipherdyne org>
Date: Sat, 27 Jan 2007 12:33:32 -0500

Hi all -

psad-2.0.4 has been released.  Here is the complete change log:

- Added Snort rule matches to syslog alerts.  Multiple matches can
  be controlled with new configuration variables in psad.conf:
  ENABLE_SIG_MSG_SYSLOG, SIG_MSG_SYSLOG_THRESHOLD, and
  SIG_SID_SYSLOG_THRESHOLD.
- Bugfix to include scanned UDP port ranges in syslog alerts.
- Bugfix to parse SEQ and ACK iptables log message fields (requires
  --log-tcp-sequence on the iptables command line).  This allows the
  ipEye signature to work.
- Added --debug-sid to allow a specific Snort rule to be debugged
  while psad runs it through its detection engine.  A consequence of
  this is that the -d command line argument must be spelled out, i.e.
  "psad --debug".
- Bugfix to allow logging prefixes to omit trailing spaces.  This is
  a bug in the iptables logging format to allow this in the first place,
  but before this gets fixed psad needs to compensate.
- Bugfix for syslog-ng init script path in install.pl.
- Bugfix to include a "source" definition for /proc/kmsg if not already
  defined for syslog-ng daemons.
- Minor memory handling bugfixes discovered by the excellent Valgrind
  project: http://www.valgrind.org

Another interesting bit of news is that Tenable Network Security has
added support for importing psad syslog events into their products:

http://blog.tenablesecurity.com/2007/01/psad_rules_for_.html
http://www.cipherdyne.org/blog/2007/01/tenable-network-security-and-log-parser-for-psad-events.html

As usual, psad can be downloaded from:

http://www.cipherdyne.org/psad/download/

Also, I've updated cipherdyne.org to include blog style links (RSS and
Atom feeds are available too), so the complete psad-2.0.4 release
posting can be found here (includes a few sample syslog signature matches
reported by psad):

http://www.cipherdyne.org/blog/2007/01/software-release-psad-2.0.4.html

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F

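As an added example, not code from the original post or from psad itself, the Python below illustrates two of the iptables log-format details the change log touches: a --log-prefix without a trailing space runs directly into the IN= field (so "DROP" becomes "DROPIN=eth0"), and SEQ=/ACK= appear only when the rule was created with --log-tcp-sequence, so a signature that keys on those values cannot match a line that lacks them. The sample log lines are constructed; the field names follow the iptables LOG target's output format.

```python
import re

# Constructed sample iptables LOG lines (not taken from the original post).
# Line 1: prefix "DROP " with its trailing space, rule created with
#         --log-tcp-sequence, so SEQ= and ACK= are present.
# Line 2: prefix "DROP" without a trailing space, so it is fused to "IN=";
#         rule created without --log-tcp-sequence, so no SEQ=/ACK= fields.
# Line 3: a UDP packet, which never carries TCP sequence fields.
SAMPLE_LOG_LINES = [
    "Jan 27 12:33:32 fw kernel: DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.1.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 "
    "SEQ=1234567890 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 27 12:33:33 fw kernel: DROPIN=eth0 OUT= MAC=... SRC=10.0.0.5 "
    "DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP "
    "SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 27 12:33:34 fw kernel: DROP IN=eth0 OUT= MAC=... SRC=10.0.0.5 "
    "DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12347 PROTO=UDP "
    "SPT=53000 DPT=161 LEN=20",
]


def parse_iptables_log(line):
    """Parse one iptables LOG message into {"prefix", "fields", "flags"}.

    Returns None when the line carries no IN= field, i.e. it is not an
    iptables LOG message. The LOG target writes the --log-prefix string
    immediately before "IN=", so the prefix is everything up to the first
    "IN=", whether or not the administrator remembered the trailing space.
    """
    # Strip the syslog header ("Jan 27 12:33:32 fw kernel: ") if present.
    _head, sep, msg = line.partition("kernel: ")
    if not sep:
        msg = line

    idx = msg.find("IN=")
    if idx < 0:
        return None

    prefix = msg[:idx].strip()  # "DROP " -> "DROP", "DROPIN=" -> "DROP"

    fields = {}
    flags = set()
    for token in msg[idx:].split():
        if "=" in token:
            key, value = token.split("=", 1)  # OUT= yields an empty value
            # A UDP line carries LEN= twice (IP total length, then UDP
            # length); keep the first so LEN stays the IP length.
            fields.setdefault(key, value)
        else:
            flags.add(token)  # DF, SYN, ACK-as-flag, etc.
    return {"prefix": prefix, "fields": fields, "flags": flags}


def tcp_sequence(parsed):
    """Return (seq, ack) as ints when the line carries them, else None.

    SEQ= and ACK= are only logged for rules created with --log-tcp-sequence;
    without them a signature that needs sequence numbers cannot fire.
    """
    f = parsed["fields"]
    if f.get("PROTO") != "TCP" or "SEQ" not in f or "ACK" not in f:
        return None
    return int(f["SEQ"]), int(f["ACK"])


def summarize(lines):
    """One (prefix, proto, src, dpt, seq_ack) tuple per parsable line."""
    out = []
    for line in lines:
        p = parse_iptables_log(line)
        if p is None:
            continue
        f = p["fields"]
        out.append((p["prefix"], f.get("PROTO"), f.get("SRC"),
                    f.get("DPT"), tcp_sequence(p)))
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG_LINES):
        print(row)
```

Running the block shows that line 2 is recovered with the same "DROP" prefix and IN=eth0 as line 1 despite the missing space, but that only line 1 yields sequence numbers; a rule that should feed SEQ/ACK-based signatures needs --log-tcp-sequence added to its iptables LOG target.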