Software Release: psad-2.4.6 and fwsnort-1.6.8
31 July, 2018
A pair of software releases is available for download - psad-2.4.6 and fwsnort-1.6.8. The main change is that now both pieces of software support the Snort 'metadata' keyword. This keyword and associated field is a common fixture of modern Snort rule sets, and usually contains important data such as IPS policy preferences, information about vulnerable target software or OS, date created, and more.As an example, when fwsnort detects TCP traffic over port 21 that matches the Snort rule "ET ATTACK_RESPONSE FTP inaccessible directory access COM2" (sid 2000500), the following syslog message is generated:
Jul 30 21:24:44 moria kernel: [650982.555939] [1] SID2000500 ESTAB IN=enx0014d1b0da65 OUT= MAC=00:12:34:56:78:65:60:e3:27:39:12:34:56:00 SRC=192.168.10.11 DST=192.168.10.1 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=58801 DPT=21 WINDOW=4117 RES=0x00 ACK PSH URGP=0 OPT (0101080A4538966A09B20FBC)When psad monitors this out of the syslog data, an email alert is generated as usual. However, in this email alert the metadata 'created_at' and 'updated_at' fields are now included as defined in the original rule:
"ET ATTACK_RESPONSE FTP inaccessible directory access COM2" dst port: 21 (no server bound to local port) flags: ACK PSH content: "/COM2/" content: "/COM2/" sid: 2000500 chain: FWSNORT_INPUT_ESTAB packets: 36 classtype: string-detect reference: (url) http://doc.emergingthreats.net/bin/view/Main/2000500 reference: (url) http://doc.emergingthreats.net/bin/view/Main/2000500 created_at 2010_07_30 updated_at 2010_07_30