IDS mailing list archives
psad-2.0.4 released
From: Michael Rash <mbr () cipherdyne org>
Date: Sat, 27 Jan 2007 12:33:32 -0500
Hi all - psad-2.0.4 has been released. Here is the complete change log:

- Added Snort rule matches to syslog alerts. Multiple matches can be controlled with new configuration variables in psad.conf: ENABLE_SIG_MSG_SYSLOG, SIG_MSG_SYSLOG_THRESHOLD, and SIG_SID_SYSLOG_THRESHOLD.
- Bugfix to include scanned UDP port ranges in syslog alerts.
- Bugfix to parse SEQ and ACK iptables log message fields (requires --log-tcp-sequence on the iptables command line). This allows the ipEye signature to work.
- Added --debug-sid to allow a specific Snort rule to be debugged while psad runs it through its detection engine. A consequence of this is that the -d command line argument must be spelled out, i.e. "psad --debug".
- Bugfix to allow logging prefixes to omit trailing spaces. It is a bug in the iptables logging format to allow this in the first place, but until this gets fixed psad needs to compensate.
- Bugfix for syslog-ng init script path in install.pl.
- Bugfix to include a "source" definition for /proc/kmsg if not already defined for syslog-ng daemons.
- Minor memory handling bugfixes discovered by the excellent Valgrind project: http://www.valgrind.org

Another interesting bit of news is that Tenable Network Security has added support for importing psad syslog events into their products:

http://blog.tenablesecurity.com/2007/01/psad_rules_for_.html
http://www.cipherdyne.org/blog/2007/01/tenable-network-security-and-log-parser-for-psad-events.html

As usual, psad can be downloaded from:

http://www.cipherdyne.org/psad/download/

Also, I've updated cipherdyne.org to include blog style links (RSS and Atom feeds are available too), so the complete psad-2.0.4 release posting can be found here (it includes a few sample syslog signature matches reported by psad):

http://www.cipherdyne.org/blog/2007/01/software-release-psad-2.0.4.html

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
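Two of the change log items above concern details of the Netfilter LOG-target message format that any iptables log consumer has to get right: the TCP SEQ= and ACK= fields, which appear only when the rule was loaded with --log-tcp-sequence, and a --log-prefix with no trailing space, which makes the prefix run straight into the IN= field ("DROPIN=eth0" instead of "DROP IN=eth0"). The parser below is an added example for this archive page, written in Python rather than psad's Perl; it is not psad's own code and does not reproduce psad's parsing logic. The syslog lines it parses are constructed for the example (RFC 5737 addresses), not captures.

```python
"""Parse Netfilter/iptables LOG-target messages out of syslog lines.

Added example, not psad's code. It handles the SEQ=/ACK= fields that the
LOG target emits only with --log-tcp-sequence, a --log-prefix lacking its
trailing space ("DROPIN=eth0"), and field names the LOG target reuses
across layers (IP LEN vs UDP LEN, IP ID vs ICMP ID).
"""
import re
from typing import Dict, List, Optional

# "kernel:" ends the syslog header; an optional printk timestamp may follow it.
_KERNEL_RE = re.compile(r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<msg>.*)$")
# The prefix is whatever precedes the first "IN=<iface> OUT=" pair. Anchoring
# on that pair instead of a word boundary is what keeps "DROPIN=eth0" parseable.
_PREFIX_RE = re.compile(
    r"^(?P<prefix>.*?)IN=(?P<IN>\S*)\s+OUT=(?P<OUT>\S*)(?P<rest>.*)$")
# Tokens the LOG target prints without a value (IP flags and TCP flags).
_BARE_FLAGS = {"DF", "CE", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
_INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "SEQ", "ACK", "WINDOW", "URGP",
               "TYPE", "CODE", "UDP_LEN", "ICMP_ID"}


def parse_iptables_log(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for one syslog line, or None if it is not a
    Netfilter LOG message. Bare tokens (DF, SYN, ...) land in rec["flags"]."""
    km = _KERNEL_RE.search(line)
    if not km:
        return None
    pm = _PREFIX_RE.match(km.group("msg"))
    if not pm:
        return None
    rec: Dict[str, object] = {
        # Normalise the prefix so "DROP " and "DROP" compare equal.
        "prefix": pm.group("prefix").strip(),
        "IN": pm.group("IN"),
        "OUT": pm.group("OUT"),
    }
    flags = set()
    for tok in pm.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if key in rec:
                # Second occurrence of a name belongs to the transport/ICMP
                # layer; qualify it with the protocol seen earlier in the line.
                key = f"{rec.get('PROTO', 'L4')}_{key}"
            rec[key] = int(val) if key in _INT_FIELDS and val.isdigit() else val
        elif tok in _BARE_FLAGS:
            flags.add(tok)
    rec["flags"] = flags
    if rec.get("PROTO") == "TCP":
        # SEQ=/ACK= exist only if the rule carried --log-tcp-sequence; record
        # their absence explicitly so a signature that needs them can tell
        # "not logged" from "zero". (ICMP echo lines have their own SEQ=.)
        rec.setdefault("SEQ", None)
        rec.setdefault("ACK", None)
    return rec


# Constructed sample lines (RFC 5737 addresses), not real captures.
SAMPLE_LINES: List[str] = [
    # 1: prefix with trailing space, rule loaded with --log-tcp-sequence
    "Jan 27 12:33:32 gw kernel: DROP IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=54321 PROTO=TCP "
    "SPT=1025 DPT=22 SEQ=0 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0",
    # 2: prefix without trailing space ("DROPIN="), no --log-tcp-sequence
    "Jan 27 12:34:01 gw kernel: DROPIN=eth0 OUT= MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00 "
    "SRC=192.0.2.11 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP "
    "SPT=33000 DPT=80 WINDOW=3072 RES=0x00 SYN URGP=0",
    # 3: UDP, which repeats LEN= for the UDP header
    "Jan 27 12:34:20 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=68 "
    "TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=UDP SPT=53 DPT=1026 LEN=48",
    # 4: ICMP echo request, with its own ID= and SEQ= unrelated to TCP
    "Jan 27 12:34:45 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=4660 SEQ=1",
    # 5: not a Netfilter message at all
    "Jan 27 12:35:00 gw sshd[1234]: Accepted publickey for mbr from 192.0.2.20 port 50022 ssh2",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(parse_iptables_log(ln))
```

The point of returning None for a missing SEQ/ACK rather than leaving the keys out is that a TCP signature which depends on those fields (the ipEye case mentioned above) can report "rule not loaded with --log-tcp-sequence" instead of silently never matching.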