Software Release - psad-2.0.4
27 January, 2007

The headline change in this release is that Snort rule matches are now reported in psad syslog alerts alongside the scan detections, like so:
Jan 25 22:08:10 minastirith psad: src: 2.2.2.2 signature match: "MISC VNC communication attempt" (sid: 100202) tcp port: 5900
Jan 25 22:08:10 minastirith psad: scan detected: 2.2.2.2 -> 1.1.1.1 tcp: [5900] flags: SYN tcp pkts: 1 DL: 3
Jan 25 22:08:25 minastirith psad: src: 2.2.2.2 signature match: "MISC Microsoft SQL Server communication attempt" (sid: 100205) tcp port: 1433
Jan 25 22:08:25 minastirith psad: scan detected: 2.2.2.2 -> 1.1.1.1 tcp: [1433] flags: SYN tcp pkts: 2 DL: 3
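To show how the two alert forms above fit together, here is an added example (not psad's own code) that parses psad "signature match" and "scan detected" syslog lines, groups them per source address and flags sources that tripped more than one distinct Snort sid. The sample lines are constructed from the alerts quoted above plus one extra source; the `sid_threshold` knob is this example's own and only loosely mirrors the idea behind SIG_SID_SYSLOG_THRESHOLD, not psad's actual semantics.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the psad-2.0.4 alerts quoted above (not real traffic).
SAMPLE_ALERTS = """\
Jan 25 22:08:10 minastirith psad: src: 2.2.2.2 signature match: "MISC VNC communication attempt" (sid: 100202) tcp port: 5900
Jan 25 22:08:10 minastirith psad: scan detected: 2.2.2.2 -> 1.1.1.1 tcp: [5900] flags: SYN tcp pkts: 1 DL: 3
Jan 25 22:08:25 minastirith psad: src: 2.2.2.2 signature match: "MISC Microsoft SQL Server communication attempt" (sid: 100205) tcp port: 1433
Jan 25 22:08:25 minastirith psad: scan detected: 2.2.2.2 -> 1.1.1.1 tcp: [1433] flags: SYN tcp pkts: 2 DL: 3
Jan 25 22:09:01 minastirith psad: src: 3.3.3.3 signature match: "MISC VNC communication attempt" (sid: 100202) tcp port: 5900
Jan 25 22:09:01 minastirith psad: scan detected: 3.3.3.3 -> 1.1.1.1 tcp: [5900] flags: SYN tcp pkts: 1 DL: 3
"""

TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) psad: '
SIG_RE = re.compile(
    TS + r'src: (?P<src>\S+) signature match: "(?P<msg>[^"]*)" '
    r'\(sid: (?P<sid>\d+)\) (?P<proto>\w+) port: (?P<port>\d+)$')
SCAN_RE = re.compile(
    TS + r'scan detected: (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\w+): '
    r'\[(?P<ports>[^\]]*)\] flags: (?P<flags>\S+) \w+ pkts: (?P<pkts>\d+) DL: (?P<dl>\d+)$')


def parse_alert(line):
    """Return a dict for a signature-match or scan-detected line, else None."""
    m = SIG_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(kind="sig", sid=int(d["sid"]), port=int(d["port"]))
        return d
    m = SCAN_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(kind="scan", pkts=int(d["pkts"]), dl=int(d["dl"]))
        return d
    return None


def summarize(text, sid_threshold=2):
    """Group alerts by source. A source is marked multi_sig once it has matched
    sid_threshold or more distinct sids (this example's own rule, not psad's)."""
    per_src = defaultdict(lambda: {"sids": set(), "ports": set(), "max_dl": 0, "pkts": 0})
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        if rec["kind"] == "sig":
            s["sids"].add(rec["sid"])
            s["ports"].add(rec["port"])
        else:
            # psad reports a running packet count and danger level (DL); keep the highest.
            s["max_dl"] = max(s["max_dl"], rec["dl"])
            s["pkts"] = max(s["pkts"], rec["pkts"])
    return {src: {**v, "multi_sig": len(v["sids"]) >= sid_threshold}
            for src, v in per_src.items()}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_ALERTS).items():
        print(src, sorted(info["sids"]), "DL", info["max_dl"], "multi_sig" if info["multi_sig"] else "")
```

Because psad emits one signature line and one scan line per event, correlating on the source address is enough here; if you feed this real syslog data, remember that the scan line's packet count is cumulative for that source, which is why the summary keeps the maximum rather than summing.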
There are also a few bugfixes for iptables logging prefixes and for syslog-ng compatibility. Here is the ChangeLog:
- Added Snort rule matches to syslog alerts. Multiple matches can be controlled with new configuration variables in psad.conf: ENABLE_SIG_MSG_SYSLOG, SIG_MSG_SYSLOG_THRESHOLD, and SIG_SID_SYSLOG_THRESHOLD.
- Bugfix to include scanned UDP port ranges in syslog alerts.
- Bugfix to parse SEQ and ACK iptables log message fields (requires --log-tcp-sequence on the iptables command line). This allows the ipEye signature to work.
- Added --debug-sid to allow a specific Snort rule to be debugged while psad runs it through its detection engine. One consequence is that the -d command line argument is no longer unambiguous and must be spelled out, i.e. "psad --debug".
- Bugfix to allow logging prefixes to omit trailing spaces. Strictly speaking it is a bug in the iptables logging format that this is allowed in the first place (the prefix runs straight into the "IN=" field), but until that is fixed psad needs to compensate.
- Bugfix for syslog-ng init script path in install.pl.
- Bugfix to include a "source" definition for /proc/kmsg if not already defined for syslog-ng daemons.
- Minor memory handling bugfixes discovered with valgrind from the excellent Valgrind project.
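The two iptables-side fixes above (SEQ/ACK fields from --log-tcp-sequence, and prefixes without a trailing space) are easy to get wrong in any log parser, so here is an added example (not psad's code) showing one way to handle both. The log lines are constructed, not captured; a rule such as `iptables -A INPUT -j LOG --log-prefix "psad-in " --log-tcp-sequence` would produce the first and third shapes, and a prefix of "DROP" with no trailing space produces the glued "DROPIN=eth0" form in the second.

```python
import re

# Constructed iptables LOG lines (not captured traffic):
#  [0] prefix "psad-in " with trailing space, no --log-tcp-sequence
#  [1] prefix "DROP" without trailing space: the kernel emits "DROPIN=eth0"
#  [2] --log-tcp-sequence adds SEQ= and ACK= between DPT= and WINDOW=
#  [3] bare "ACK" TCP flag, which must not be confused with the ACK= field
SAMPLE_IPT = [
    "Jan 25 22:08:10 minastirith kernel: psad-in IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=2.2.2.2 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP "
    "SPT=40000 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 25 22:08:25 minastirith kernel: DROPIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=2.2.2.2 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP "
    "SPT=40001 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 25 22:09:01 minastirith kernel: psad-in IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=3.3.3.3 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12347 DF PROTO=TCP "
    "SPT=40002 DPT=80 SEQ=1234567890 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 25 22:09:02 minastirith kernel: psad-in IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=1.1.1.1 DST=3.3.3.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=80 DPT=40002 WINDOW=5840 RES=0x00 ACK URGP=0",
]

SYSLOG_HDR = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$')
KV_RE = re.compile(r'^([A-Z]+)=(.*)$')


def parse_iptables_log(line):
    """Parse one syslog'd iptables LOG line into prefix, KEY=value fields and bare flags."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    msg = m.group("msg")
    # The kernel glues --log-prefix directly onto "IN=". Splitting on whitespace would
    # turn a prefix with no trailing space into a bogus "DROPIN" key, so anchor on the
    # first "IN=" instead. (Caveat: a prefix that itself contains "IN=" defeats this.)
    idx = msg.find("IN=")
    if idx < 0:
        return None
    prefix = msg[:idx].strip()
    fields, flags = {}, set()
    for tok in msg[idx:].split():
        kv = KV_RE.match(tok)
        if kv:
            fields[kv.group(1)] = kv.group(2)   # "OUT=" gives an empty string
        else:
            flags.add(tok)                      # bare words: DF, SYN, ACK, FIN, ...
    return {"ts": m.group("ts"), "host": m.group("host"), "prefix": prefix,
            "fields": fields, "flags": flags}


def has_tcp_sequence(rec):
    """True when the rule was logged with --log-tcp-sequence (SEQ= and ACK= present)."""
    return "SEQ" in rec["fields"] and "ACK" in rec["fields"]


if __name__ == "__main__":
    for line in SAMPLE_IPT:
        r = parse_iptables_log(line)
        print(r["prefix"], r["fields"]["SRC"], "->", r["fields"]["DPT"],
              sorted(r["flags"]), "seq" if has_tcp_sequence(r) else "no-seq")
```

The distinction between the bare `ACK` flag word and the `ACK=` field is the one to watch: a parser that tests for the substring "ACK" will report sequence data on an ordinary ACK packet and then feed garbage to any signature (such as the ipEye one mentioned above) that depends on real SEQ/ACK values.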