cipherdyne.org

Michael Rash, Security Researcher



Software Releases


Software Release - psad-2.1.1

The 2.1.1 release of psad is ready for download. This release focuses on support for some of the latest Linux distributions, such as Ubuntu 7.10 and Fedora 8. There is also a new mode that allows psad to collect iptables log data directly from a file that syslog writes to, instead of via the previous named-pipe data collection mechanism. Here is the complete ChangeLog:
  • Added a new feature whereby psad can acquire iptables log data just by parsing an existing file (/var/log/messages by default) that is written to by syslog. By default, psad acquires iptables log data from the /var/log/psad/fwdata file, which is written to by kmsgsd, but on some systems having syslog communicate log data to kmsgsd can be problematic, since syslog configs and external factors such as AppArmor and SELinux can play a role here. This new feature is controlled by two new configuration variables: "ENABLE_SYSLOG_FILE" (to enable/disable the feature) and "IPT_SYSLOG_FILE" (to specify the path to the file to parse).
  • Better installation support for various Linux distributions including Fedora 8 and Ubuntu. The current runlevel is now acquired via the "runlevel" command instead of attempting to read /etc/inittab (which does not even exist on Ubuntu 7.10), and there are new command line arguments --init-dir, --init-name, and --runlevel to allow the init directory, init script name, and the runlevel to be manually specified on the install.pl command line.
  • Updated psad to automatically handle situations where either the /var/log/psad/fwdata file or the /var/log/messages file (whichever file syslog is writing iptables log messages to) gets rotated. The filehandle is closed and reopened if the file shrinks or if its inode changes. This strategy is borrowed from how the fwknop project deals with the filesystem packet capture file.
  • Minor bugfix to generate syslog message when restarting a psad process.
  • Updated install.pl to set the LC_ALL environment variable to "C". This should address some issues with installing psad on non-English locale systems.
  • Updated install.pl to be compatible with the rsyslog daemon, which is commonly installed on Fedora 8 systems.
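
The rotation handling described in the ChangeLog (close and reopen the file when it shrinks or its inode changes) is easy to get subtly wrong, so here is an added example of the technique in Python. It is not psad's code; psad is written in Perl and its internals are not shown on this page. The tailer parses the key=value fields of iptables LOG messages from whatever syslog file it is pointed at, and the demo drives it through a logrotate-style rename plus recreate and then a truncate-in-place. The syslog lines and the file paths are constructed for the example.

```python
import os
import re
import tempfile

# Key=value fields of an iptables LOG message as syslog writes it, e.g.
# "... kernel: [psad] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 ... PROTO=TCP SPT=4444 DPT=22 ..."
_FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

def parse_ipt_log(line):
    """Return the iptables fields of one syslog line as a dict, or None if the
    line is not an iptables LOG message (it must carry IN= and SRC=)."""
    fields = dict(_FIELD_RE.findall(line))
    if 'IN' not in fields or 'SRC' not in fields:
        return None
    return fields

class SyslogFileTailer:
    """Follow a syslog-written file across rotation: reopen when the inode
    changes (logrotate renamed the file and syslog created a new one) or when
    the file shrinks (it was truncated in place)."""

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.inode = None
        self.pos = 0
        self._open()

    def _open(self):
        if self.fh is not None:
            self.fh.close()
        self.fh = open(self.path, 'rb')
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.pos = 0

    def _rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False        # renamed but not yet recreated: keep the old handle
        # Caveat of the size heuristic: a truncate that is immediately refilled
        # with at least as many bytes as before is invisible to this check.
        return st.st_ino != self.inode or st.st_size < self.pos

    def read_new_lines(self):
        """Return the complete lines appended since the last call."""
        if self._rotated():
            self._open()
        self.fh.seek(self.pos)
        data = self.fh.read()
        cut = data.rfind(b'\n') + 1   # leave a partial last line for next time
        self.pos += cut
        return data[:cut].decode('utf-8', 'replace').splitlines()

# Constructed sample syslog lines (not from the page); the first one is not an
# iptables message and must be ignored by the parser.
SAMPLE_LINES = [
    'Nov 28 09:24:46 isengard sshd[2031]: Accepted password for mbr from 192.168.10.2 port 51234 ssh2',
    'Nov 28 09:24:47 isengard kernel: [psad] IN=eth0 OUT= SRC=11.11.1.2 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0',
    'Nov 28 09:24:48 isengard kernel: [psad] IN=eth0 OUT= SRC=11.11.1.2 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0',
    'Nov 28 09:24:49 isengard kernel: [psad] IN=eth0 OUT= SRC=11.11.1.2 DST=192.168.10.1 LEN=40 TTL=64 ID=0 PROTO=UDP SPT=40002 DPT=53 LEN=20',
]

def demo_rotation():
    """Write two lines, rotate the file the way logrotate does (rename and
    recreate), write one more, then truncate in place and write a shorter
    one; the tailer must see every iptables record without being restarted."""
    path = os.path.join(tempfile.mkdtemp(), 'messages')
    with open(path, 'w') as f:
        f.write(SAMPLE_LINES[0] + '\n' + SAMPLE_LINES[1] + '\n')
    tailer = SyslogFileTailer(path)
    seen = [parse_ipt_log(l) for l in tailer.read_new_lines()]
    os.rename(path, path + '.1')            # rotation: the inode changes
    with open(path, 'w') as f:
        f.write(SAMPLE_LINES[2] + '\n')
    seen += [parse_ipt_log(l) for l in tailer.read_new_lines()]
    with open(path, 'w') as f:              # truncate in place: the size shrinks
        f.write(SAMPLE_LINES[3] + '\n')
    seen += [parse_ipt_log(l) for l in tailer.read_new_lines()]
    return [r['DPT'] for r in seen if r]

if __name__ == '__main__':
    print(demo_rotation())   # ['22', '23', '53']
```

The size check is the weak half of the heuristic: if syslog truncates the file and refills it with at least as many bytes as had already been read, neither condition fires and the new data is skipped. Inode tracking catches the common logrotate configuration (rename plus create), which is why the ChangeLog's strategy works in practice.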

fwsnort-1.0.4 Software Release

The 1.0.4 release of fwsnort is ready for download. This release is mostly a bugfix release for bugs discovered and patched by Grant Ferley (thanks for the contributions both on the fwsnort mailing list and via personal correspondence). Because these fixes mostly apply to the IPTables::Parse perl module, they will also make it into the psad and fwknop projects. Here is the full ChangeLog:
  • (Grant Ferley) Submitted patch to exclude loopback interfaces from iptables allow rules parsing. This behavior can be reversed with the existing --no-exclude-loopback command line argument.
  • (Grant Ferley) Submitted patch to IPTables::Parse to take into account iptables policy output that contains "0" instead of "all" to represent any protocol.
  • (Grant Ferley) Submitted patch to IPTables::Parse to set sport and dport to '0:0' if the protocol is 'all'.
  • Bugfix to allow negated networks to be specified within iptables allow rules or within the fwsnort.conf file.
  • Updated install.pl to set the LC_ALL environment variable to "C". This should fix potential locale problems (this fix was borrowed from the fwknop project).

Software Release - fwknop-1.9.0

The 1.9.0 release of fwknop is ready for download. This release introduces major new functionality including inbound NAT support for authenticated connections (iptables firewalls only for now), iptables OUTPUT chain support, a test suite for SPA communications, the ability of the fwknopd daemons to restart themselves after a configurable length of time, and more.

Below is the output of the new test suite running on a Linux system:

# ./fwknop_test.pl

[+] ==> Running fwknop test suite; firewall: iptables <==

[+] perl program compilation.........................................pass (0)
[+] C program compilation............................................pass (1)
[+] Stopping any running fwknopd processes...........................pass (2)
[+] Flushing all fwknop iptables rules...............................pass (3)
[+] Testing Rijndael key validity....................................pass (4)
[+] Generating SPA access packet with fwknop client..................pass (5)
[+] Sniffing SPA access packet to acquire access.....................pass (6)
[+] Firewall access rules exist......................................pass (7)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Firewall access rules removed....................................pass (8)
[+] Stopping all running fwknopd processes...........................pass (9)
[+] Replay attack detection..........................................pass (10)
[+] SPA packet randomness............................................pass (11)
[+] Generating SPA packet with 0.0.0.0 src addr......................pass (12)
[+] Sniffing packet source address with 0.0.0.0 src addr.............pass (13)
[+] Generating SPA packet with invalid user..........................pass (14)
[+] Invalid user detection...........................................pass (15)
[+] Generating SPA command packet....................................pass (16)
[+] Sniffing SPA command packet and executing........................pass (17)
[+] Making sure firewall rules have been removed.....................pass (18)
[+] Generating SPA command packet with non-matching regex............pass (19)
[+] SPA command packet filtered......................................pass (20)
[+] Making sure firewall rules do not exist..........................pass (21)
[+] Stopping all running fwknopd processes...........................pass (22)
[+] Generating FORWARD chain access packet...........................pass (23)
[+] FORWARD request detection........................................pass (24)
[+] FORWARD and DNAT access..........................................pass (25)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Making sure firewall rules have been removed.....................pass (26)
[+] Stopping all running fwknopd processes...........................pass (27)
[+] Generating SPA access packet with fwknop client..................pass (28)
[+] SPA communications via tcpdump capture file......................pass (29)
[+] Firewall access rules exist......................................pass (30)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Firewall access rules removed....................................pass (31)
[+] Stopping all running fwknopd processes...........................pass (32)
[+] Deleting all fwknopd iptables chains.............................pass (33)

[+] ==> Passed 34 tests against fwknop. <==
For those interested in the changes in the fwknop-1.9.0 release, here is the complete ChangeLog:
  • Added a test suite so that fwknop and fwknopd functionality can be automatically tested over the loopback interface (see the fwknop_test.pl script in the test/ directory).
  • Major update to allow SPA packets to create DNAT connections to internal systems through the FORWARD chain (iptables only). This is useful to connect through to internal systems (that may be running on non-routable IP addresses) via a border firewall or router that is running fwknopd to create inbound DNAT rules.
  • Added support for the iptables OUTPUT chain via two new variables in the fwknop.conf file: ENABLE_IPT_OUTPUT and IPT_OUTPUT_ACCESS. This is useful for iptables firewalls that are not running the conntrack modules and that have a restrictive OUTPUT chain (so SYN/ACK responses are not allowed out without an explicit ACCEPT rule).
  • Added the ability to force the fwknopd and knoptm daemons to restart themselves (via knopwatchd) after a configurable timeout (see the ENABLE_VOLUNTARY_EXITS and EXIT_INTERVAL variables in the /etc/fwknop/fwknop.conf file). This feature is for those that want fwknopd to go through its initialization routine periodically just in case there is a logic (or other) bug that might result in fwknopd not accepting a valid SPA packet. NOTE: This feature is disabled by default, and is not normally needed since fwknopd is quite stable in most deployments.
  • Major update to perform all firewall rule expirations with knoptm, which is now started in all data collection modes. Older versions of fwknopd maintained its own firewall rule expiration code for the FILE_PCAP, ULOG_PCAP, and KNOCK modes, so two mechanisms were being maintained for the same purpose. The 1.9.0 release fixes this oversight.
  • Minor bugfix to have knopwatchd generate syslog messages whenever an fwknop daemon needs to be restarted.
  • Added --interface command line argument to install.pl to allow the sniffing interface to be specified from the command line. Also updated install.pl to enforce a 10-try maximum for attempting to accept a valid interface name from the command line (LANG env issues can exist sometimes).
  • Updated SPA packet format for server_auth and forward_info elements; the internal MD5 sum is now always the last field in an SPA packet. This makes extensions of the SPA protocol much easier, and the generation of SPA packets more elegant. Also, SPA packet validation has been improved to ensure that fields that are supposed to be digits really only contain integer data.
  • Added ENABLE_FORWARD_ACCESS variable to the access.conf file, and added ENABLE_IPT_FORWARDING to the fwknop.conf file. These variables provide the per-SOURCE ability to create DNAT connections through the FORWARD chain.
  • Replaced the IPT_AUTO_CHAIN1 variable with IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS in fwknop.conf.
  • Added --Forward-access argument to the fwknop client.
  • Added client version number to syslog messages generated by fwknopd when a valid SPA packet is received.
  • Added human readable timestamp to MD5 cache. Here is an example of the update format: 127.0.0.1 X6WF2C29kEgAv4aDJ8TDeQ [Wed Nov 28 09:24:46 2007]
  • Added --Count argument to fwknopd so that it calls exit() when the specified number of packets is monitored.
  • Added --no-logs argument to knoptm in support of the test suite so that no emails are generated.
  • Bugfix in fwknopd to account for non-Ethernet link layer header over *BSD loopback interfaces.
  • Added --Save-dst argument to the fwknop client to add a priority file to store client command line arguments (~/.fwknop.save). This file is only overwritten when --Save-dst is used.
  • Added fwknopd --fw-del-chains to allow the fwknopd iptables chains to easily be deleted.
  • Minor fwknopd bugfix to set process exit status to 0 when --Kill is used.

fwsnort-1.0.3 Software Release

The 1.0.3 release of fwsnort is ready for download. This release adds the ability to interpret basic PCRE expressions (more detail below) and includes a major signature update from Bleeding Threats. A new command line argument, --include-re-caseless, makes --include-regex match case-insensitively, so fwsnort can restrict its translation operation to the Snort rules that match the regular expression regardless of case. For example, here is the command to build an iptables policy derived from the Snort rules in the bleeding-all.rules file that contain the string "sid:2007" (that is, signatures that were added in 2007):

# fwsnort --include-type bleeding-all --include-regex "sid:2007" --include-re-caseless
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Snort Rules File           Success   Fail   Ipt_apply   Total

[+] bleeding-all.rules           614      28        607      642
                               =======================================
                                 614      28        607      642

[+] Generated iptables rules for 614 out of 642 signatures: 95.64%
[+] Found 607 applicable snort rules to your current iptables policy.

[+] Logfile: /var/log/fwsnort.log
[+] iptables script: /etc/fwsnort/fwsnort.sh
This results in 607 successfully translated Snort rules. Here is the iptables command equivalent built by fwsnort for the "BLEEDING-EDGE MALWARE Softwarereferral.com Adware Checkin" signature (three separate string matches are AND-ed together, and the Snort sid, msg and classtype are preserved in an iptables comment):

$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp --dport 80 -m string --string "wmid=" --algo bm -m string --string "&mid=" --algo bm -m string --string "&lid=" --algo bm -m comment --comment "sid:2007696; msg:BLEEDING-EDGE MALWARE Softwarereferral.com Adware Checkin; classtype:trojan-activity; rev:1; FWS:1.0.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[15] SID2007696 ESTAB "

Here is the full ChangeLog:
  • Added --include-re-caseless and --exclude-re-caseless options to have --include-regex and --exclude-regex options match case insensitively.
  • Major signature update from Bleeding Threats. This update includes a large number of new signatures with PCRE statements, with an emphasis on detecting SQL injection attacks directed at internal webservers from external sources.
  • Added the ability to interpret PCRE statements that consist of simple string matches separated by ".*" and ".+" as multiple iptables string matches. The only negative consequence in terms of signature detection is that ordering is not preserved; that is, the PCRE "/UNION.+SELECT/" would only match a packet that contains "UNION" followed by "SELECT", whereas an iptables rule that uses a string match for UNION and a separate string match for SELECT would also match a packet that contains both strings in reverse order. Typically this is not a huge concern, and the PCRE translation can be disabled with a new option, --no-pcre.
  • Added asn1 keyword to unsupported list.
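
To make the ordering caveat in the ChangeLog concrete, here is an added example (not fwsnort's code, which is Perl and not shown on this page) that performs the same translation in Python: a PCRE made of literals joined by ".*" or ".+" becomes a list of iptables string matches, and the two verdicts (real PCRE versus "all strings present in any order") are compared on constructed payloads. The rendering of the iptables fragment follows the form of the fwsnort rule above; the --icase flag is the string match's own case-insensitivity option and is my choice for handling the PCRE "i" flag.

```python
import re

# A Snort "pcre" option looks like "/pattern/flags". Only patterns that are
# literal strings joined by ".*" or ".+" are translated; anything else is left
# untranslated (and nothing is translated when --no-pcre is in effect).
_PCRE_RE = re.compile(r'/(.*)/([a-zA-Z]*)$')
_JOINER_RE = re.compile(r'\.[*+]')
_META = set('\\^$.|?*+()[]{}')

def pcre_to_string_matches(pcre, no_pcre=False):
    """Return (literal strings, case-insensitive?) for a translatable PCRE,
    or None when it cannot (or must not) be translated."""
    m = _PCRE_RE.match(pcre)
    if no_pcre or not m:
        return None
    body, flags = m.groups()
    parts = [p for p in _JOINER_RE.split(body) if p]
    if not parts or any(c in _META for p in parts for c in p):
        return None
    return parts, 'i' in flags

def iptables_fragment(parts, icase=False):
    """One '-m string' per literal, in the style of the fwsnort rule above."""
    suffix = ' --icase' if icase else ''
    return ' '.join('-m string --string "%s" --algo bm%s' % (p, suffix) for p in parts)

def pcre_matches(pcre, payload):
    """What Snort's PCRE engine would decide for this payload."""
    body, flags = _PCRE_RE.match(pcre).groups()
    return re.search(body, payload, re.I if 'i' in flags else 0) is not None

def string_matches(parts, payload, icase=False):
    """What the translated iptables rule decides: every literal must be present
    somewhere in the payload, in any order, even adjacent to each other."""
    if icase:
        payload = payload.lower()
        parts = [p.lower() for p in parts]
    return all(p in payload for p in parts)

def compare(pcre, payload):
    """(PCRE verdict, iptables verdict); the second is None if untranslatable."""
    t = pcre_to_string_matches(pcre)
    if t is None:
        return pcre_matches(pcre, payload), None
    parts, icase = t
    return pcre_matches(pcre, payload), string_matches(parts, payload, icase)

if __name__ == '__main__':
    sig = '/UNION.+SELECT/i'
    print(iptables_fragment(*pcre_to_string_matches(sig)))
    # Constructed payloads: a real injection attempt, then the reversed-order
    # false positive the ChangeLog warns about.
    for p in ('GET /item.php?id=1 UNION SELECT user,pass FROM t', 'SELECT 1 ... UNION'):
        print(p, compare(sig, p))
```

The divergence is always in one direction: the iptables rule can fire where the PCRE would not (reversed order, or the literals touching with nothing between them where ".+" demanded at least one byte), never the other way round. For a LOG-only policy that is extra noise; for a rule that drops or resets, it is worth checking the translated signatures for literals that commonly co-occur in legitimate traffic.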

fwknop Windows UI

Sean Greven, a contributor to the fwknop project, has developed a UI for generating fwknop Single Packet Authorization messages from Windows systems without the need for the regular fwknop client to be installed. The UI can be downloaded here, and the source code (which Sean has contributed to fwknop under the GPL) can be downloaded here.

Although the fwknop client functions under Cygwin, it is an important step to be able to generate SPA packets without fwknop installed at all since many users do not run systems with Cygwin installed. With Sean's UI, users can easily leverage the strength of Single Packet Authorization to protect services such as SSHD on Linux, *BSD, or Mac OS X systems and authenticate from Windows at the same time. The UI is currently in a testing phase and the initial version supports symmetrically encrypted SPA messages (with the Rijndael cipher), but also leveraging GnuPG is on the roadmap.

Here is a screenshot of the UI installed on a Windows 2000 system. The UI is on the left, and the fwknopd daemon on the target (Linux) system is running in debug mode so that you can see the iptables ACCEPT rule added for the Windows client and then deleted after 30 seconds. Netfilter's connection tracking subsystem is used to keep any established connection open, but no new connections can be established unless another non-replayed SPA packet is sniffed off the wire by fwknopd:
[Screenshot: fwknop Windows UI]

Software Release - fwknop-1.8.3

The 1.8.3 release of fwknop is ready for download. This release reinstates the legacy port knocking operation mode (for those that really want to use it instead of Single Packet Authorization). A few bugs have also been fixed, particularly for the auto-resolution of external NAT addresses via www.whatismyip.org (and a backup resolution URL exists now as well that you can hit with the --URL option on the fwknop client command line).

Below is an illustration of the old port knocking mode in action. The fwknopd server running on 192.168.10.1 reconfigures the iptables policy to allow an SSH connection from the client system 192.168.10.2 after receiving the encrypted port knock sequence:

$ fwknop -A tcp/22 -a 192.168.10.2 -D 192.168.10.1 --Server-mode knock
[+] Starting fwknop client (encrypted port knocking mode)...
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.

Encryption Key:
[+] Clear-text sequence (11 bytes): 192 168 10 2 0 22 6 28 109 98 114
[+] Cipher-text sequence (32 bytes): 83 97 108 116 101 100 95 95 110 133 220 202 45 184 129 230 175 166 62 162 104 46 183 22 193 82 17 126 174 38 76 222
[+] Sending port knocking sequence to knock server: 192.168.10.1
   -> 192.168.10.1 tcp/61083 (packet: 0)
   -> 192.168.10.1 tcp/61097 (packet: 1)
   -> 192.168.10.1 tcp/61108 (packet: 2)
   -> 192.168.10.1 tcp/61116 (packet: 3)
   -> 192.168.10.1 tcp/61101 (packet: 4)
   -> 192.168.10.1 tcp/61100 (packet: 5)
   -> 192.168.10.1 tcp/61095 (packet: 6)
   -> 192.168.10.1 tcp/61095 (packet: 7)
   -> 192.168.10.1 tcp/61110 (packet: 8)
   -> 192.168.10.1 tcp/61133 (packet: 9)
   -> 192.168.10.1 tcp/61220 (packet: 10)
   -> 192.168.10.1 tcp/61202 (packet: 11)
   -> 192.168.10.1 tcp/61045 (packet: 12)
   -> 192.168.10.1 tcp/61184 (packet: 13)
   -> 192.168.10.1 tcp/61129 (packet: 14)
   -> 192.168.10.1 tcp/61230 (packet: 15)
   -> 192.168.10.1 tcp/61175 (packet: 16)
   -> 192.168.10.1 tcp/61166 (packet: 17)
   -> 192.168.10.1 tcp/61062 (packet: 18)
   -> 192.168.10.1 tcp/61162 (packet: 19)
   -> 192.168.10.1 tcp/61104 (packet: 20)
   -> 192.168.10.1 tcp/61046 (packet: 21)
   -> 192.168.10.1 tcp/61183 (packet: 22)
   -> 192.168.10.1 tcp/61022 (packet: 23)
   -> 192.168.10.1 tcp/61193 (packet: 24)
   -> 192.168.10.1 tcp/61082 (packet: 25)
   -> 192.168.10.1 tcp/61017 (packet: 26)
   -> 192.168.10.1 tcp/61126 (packet: 27)
   -> 192.168.10.1 tcp/61174 (packet: 28)
   -> 192.168.10.1 tcp/61038 (packet: 29)
   -> 192.168.10.1 tcp/61076 (packet: 30)
   -> 192.168.10.1 tcp/61222 (packet: 31)
[+] Finished knock sequence.
$ ssh -l mbr 192.168.10.1
Password:
On the fwknopd server, the following messages are written to syslog. They show an iptables ACCEPT rule being added for the 192.168.10.2 client system for 30 seconds and then removed. The SSH connection from the client remains open because the Netfilter connection tracking subsystem allows packets in the ESTABLISHED state through, but once the ACCEPT rule is removed no new SSH connections can be established:

Nov 17 10:34:47 isengard fwknopd: successful knock decrypt for 192.168.10.2 (SOURCE block: 1)
Nov 17 10:34:47 isengard fwknopd: adding iptables FWKNOP_INPUT ACCEPT rule for 192.168.10.2 -> tcp/22 (30 seconds)
Nov 17 10:35:19 isengard fwknopd: removed iptables FWKNOP_INPUT ACCEPT rule for 192.168.10.2 -> tcp/22, 30 second timeout exceeded
Port knocking sequences do not necessarily have to be encrypted, and fwknop supports shared sequences. This can be useful to allow systems where perl is not installed to take advantage of some port knocking capabilities without requiring the fwknop client. In the screenshot below, the fwknopd server (in the right hand terminal) has been configured to accept a sequence that consists of the two TCP ports 1234 followed by 5001. The client (in the left hand terminal) just needs to use any program such as netcat or telnet to hit these two ports, which generates iptables log messages at the fwknopd server where the shared sequence is parsed and validated. Once the correct sequence is seen, fwknopd opens port 22 for 30 seconds (this timeout is configured in the /etc/fwknop/access.conf file):

[Screenshot: fwknop-1.8.3 release, shared port knocking sequence]
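
The client output above is complete enough to reconstruct how a knock sequence is carried on the wire, so here is an added Python example (not fwknop's code) that does both halves of the exchange: the client-side mapping from cipher-text bytes to destination ports, and the server-side recovery of a source's knocks from iptables log messages, for both the encrypted and the shared-sequence modes. Two things are inferred from the page rather than stated on it and are labelled as such in the code: every port in the output is 61000 plus the corresponding cipher-text byte, and the 11-byte clear-text sequence begins with the client IPv4 address, the port and the protocol. The iptables log lines are constructed; the 32-port sequence is the one printed by the client above.

```python
import re
from collections import defaultdict

# Inferred from the client output on this page: each port is 61000 plus the
# corresponding cipher-text byte (83 -> tcp/61083, 97 -> tcp/61097, ...), so
# the knock sequence is the cipher text shifted into 61000..61255.
KNOCK_PORT_BASE = 61000

def bytes_to_knock_ports(data):
    return [KNOCK_PORT_BASE + b for b in data]

def knock_ports_to_bytes(ports):
    return bytes(p - KNOCK_PORT_BASE for p in ports)

def decode_clear_sequence(clear):
    """Layout inferred from the 11-byte clear-text sequence above: 4 bytes of
    client IPv4 address, 2 bytes of port (big-endian), 1 byte of protocol,
    then 4 trailing bytes whose meaning the page does not show (returned raw)."""
    src = '.'.join(str(b) for b in clear[:4])
    port = (clear[4] << 8) | clear[5]
    proto = {6: 'tcp', 17: 'udp'}.get(clear[6], str(clear[6]))
    return src, port, proto, bytes(clear[7:])

def looks_like_encrypted_knock(ports):
    """The 32-byte minimum from the ChangeLog: 8 bytes of "Salted__" (the
    OpenSSL-style header Crypt::CBC prepends), 8 bytes of salt and one
    16-byte Rijndael block."""
    data = knock_ports_to_bytes(ports)
    return len(data) >= 32 and len(data) % 16 == 0 and data.startswith(b'Salted__')

_FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

def collect_knocks(log_lines):
    """Group the destination ports of logged TCP packets by source address, in
    arrival order; this is what fwknopd has to work with on the server."""
    seq = defaultdict(list)
    for line in log_lines:
        f = dict(_FIELD_RE.findall(line))
        if f.get('PROTO') == 'TCP' and 'SRC' in f and 'DPT' in f:
            seq[f['SRC']].append(int(f['DPT']))
    return seq

def shared_sequence_seen(ports, expected):
    """Shared-sequence mode (e.g. tcp/1234 then tcp/5001): the expected ports
    must appear consecutively and in order among the source's knocks."""
    n = len(expected)
    return any(ports[i:i + n] == expected for i in range(len(ports) - n + 1))

# Constructed iptables log lines (not from the page): 192.168.10.2 sends the
# shared sequence, 10.9.8.7 hits the same two ports in the wrong order.
_TMPL = ('Nov 17 10:34:40 isengard kernel: [fwknop] IN=eth0 OUT= SRC=%s '
         'DST=192.168.10.1 PROTO=TCP SPT=%d DPT=%d SYN')
SAMPLE_LOG = [
    _TMPL % ('192.168.10.2', 40001, 1234),
    _TMPL % ('10.9.8.7', 50001, 5001),
    _TMPL % ('192.168.10.2', 40002, 5001),
    _TMPL % ('10.9.8.7', 50002, 1234),
]

# The 32 ports of the encrypted sequence printed by the client above.
PAGE_PORTS = [61083, 61097, 61108, 61116, 61101, 61100, 61095, 61095,
              61110, 61133, 61220, 61202, 61045, 61184, 61129, 61230,
              61175, 61166, 61062, 61162, 61104, 61046, 61183, 61022,
              61193, 61082, 61017, 61126, 61174, 61038, 61076, 61222]

if __name__ == '__main__':
    print(decode_clear_sequence([192, 168, 10, 2, 0, 22, 6, 28, 109, 98, 114]))
    print(knock_ports_to_bytes(PAGE_PORTS)[:8], looks_like_encrypted_knock(PAGE_PORTS))
    for src, ports in collect_knocks(SAMPLE_LOG).items():
        print(src, ports, shared_sequence_seen(ports, [1234, 5001]))
```

Two observations fall out of running it. The first eight ports of every encrypted knock decode to the constant "Salted__", which is why the sequence can never be shorter than 32 packets and why it is easy to fingerprint on the wire; the confidentiality of the request rests on the key, not on the knock looking like noise. And the shared-sequence check has to be order-sensitive and per-source, otherwise any host that happens to touch both ports during a scan would open the SSH hole.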
For those interested in the changes in the fwknop-1.8.3 release, here is the complete ChangeLog:
  • Updated external IP resolution to point to http://www.whatismyip.org, and added http://www.cipherdyne.org/cgi/clientip.cgi as a backup site for fwknop IP resolution.
  • Added storage of source IP along with SPA MD5 sum. This allows the user to infer which networks are more hostile if an SPA packet is replayed.
  • Added SPA packet hex dumps in 'fwknopd --debug' mode so that the integration of third-party encryption algorithms is easier to troubleshoot. Sean Greven contributed a patch for this.
  • Reinstated the legacy port knocking mode. It appears that all encrypted output from the updated Crypt::Rijndael module is at least 32 bytes long, so port knocking sequences are now 32 bytes long as well (they were previously 16 bytes long in old versions of fwknop). The 32-byte cipher-text sequence in the example above shows why: its first 8 bytes (83 97 108 116 101 100 95 95) are the ASCII string "Salted__", the OpenSSL-style salt header, and they are followed by an 8-byte salt and a single 16-byte Rijndael block.
  • Bugfix to ensure the key length is at least 8 chars in --get-key mode.
  • Minor update to remove init message on OS X install.
  • Updated install.pl to set the LANG environment variable to "en_US.UTF-8". This should fix the problem where the output of ifconfig was not interpreted correctly if the locale LANG setting is not English.
  • Implemented verbose email alerting by setting the ALERTING_METHODS variable to "verbose". This instructs fwknopd to generate a new email message for each message that it normally logs via syslog (this feature is not the default, and must be manually enabled).
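
The MD5 cache mentioned in this ChangeLog (source IP stored next to the SPA digest) and in the fwknop-1.9.0 ChangeLog further up (the "127.0.0.1 X6WF2C29kEgAv4aDJ8TDeQ [Wed Nov 28 09:24:46 2007]" line format) is the whole of fwknop's replay protection, so here is an added Python example of such a cache. It is not fwknopd's code. One assumption is labelled in the code: the 22-character digest on the page is taken to be a base64 MD5 with the trailing "==" stripped, since 16 MD5 bytes give exactly 22 base64 characters plus two padding characters; the SPA packet bytes in the demo are constructed.

```python
import base64
import hashlib
import re
import time

def spa_digest(packet):
    """Assumption: the 22-character digest in the cache line on this page is a
    base64 MD5 with its "==" padding removed."""
    return base64.b64encode(hashlib.md5(packet).digest()).decode('ascii').rstrip('=')

_LINE_RE = re.compile(r'^(\S+) (\S+) \[(.+)\]$')

class ReplayCache:
    """Digest cache keyed on the whole SPA packet: a packet seen before is a
    replay no matter who sends it, and the first sender is kept so the operator
    can see which network the copy came from."""

    def __init__(self):
        self.seen = {}      # digest -> (first source IP, human-readable time)

    def check_and_add(self, src_ip, packet, now=None):
        """True if the packet is new (it is then recorded), False if replayed."""
        d = spa_digest(packet)
        if d in self.seen:
            return False
        self.seen[d] = (src_ip, time.ctime(now))
        return True

    def origin_of(self, packet):
        return self.seen.get(spa_digest(packet))

    def dump(self):
        """Lines in the "<src> <digest> [<ctime>]" layout from the ChangeLog."""
        return ['%s %s [%s]' % (ip, d, ts) for d, (ip, ts) in self.seen.items()]

    @classmethod
    def load(cls, lines):
        """Rebuild the cache from its on-disk lines, e.g. after a restart."""
        cache = cls()
        for line in lines:
            m = _LINE_RE.match(line)
            if m:
                ip, d, ts = m.groups()
                cache.seen[d] = (ip, ts)
        return cache

def demo():
    pkt = b'constructed-spa-packet-bytes-not-a-real-fwknop-message'
    cache = ReplayCache()
    first = cache.check_and_add('192.168.10.2', pkt, now=0)
    replay = cache.check_and_add('10.9.8.7', pkt, now=1)      # same packet, other host
    reloaded = ReplayCache.load(cache.dump())                # survives a daemon restart
    still_replay = reloaded.check_and_add('10.9.8.7', pkt, now=2)
    return first, replay, still_replay, reloaded.origin_of(pkt)[0]

if __name__ == '__main__':
    print(demo())    # (True, False, False, '192.168.10.2')
```

The point of persisting the cache with the source address is visible in the demo: after a restart the replay is still rejected, and the operator can see that the original packet came from 192.168.10.2 while the copy arrived from 10.9.8.7, which is the inference the ChangeLog describes.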

Software Release - psad-2.1

The 2.1 release of psad is ready for download. This release completes the 2.0.x development series with a few minor bugfixes and the addition of a patch against iptables to enforce trailing spaces in log prefixes. Here is the ChangeLog:
  • Changed EMAIL_LIMIT model to apply to scanning source addresses only instead of also factoring in the destination address. The original src/dst email limit behavior can be restored by setting a new variable "ENABLE_EMAIL_LIMIT_PER_DST" to "Y".
  • Added the patches/iptables-1.3.8_LOG_prefix_space.patch file which can be applied to the iptables-1.3.8 code to enforce a trailing space character before any log prefix when a LOG rule is added. This ensures that the user cannot break the iptables syslog format just by forgetting to include a space at the end of a logging prefix.
  • Bugfix to ensure that parsing TCP options does not descend into an infinite loop in some circumstances with obscure or maliciously constructed options. Also added syslog reporting for broken option lengths of zero or one byte (the minimum option length is two bytes to accommodate the TLV encoding).
  • Bugfix to enforce the usage of --CSV-fields in --gnuplot mode.
  • Implemented --get-next-rule-id so that it is easy to assign a new rule ID to a new signature in the /etc/psad/signatures file.
  • Updated to just call die() if GetOpt fails; this allows erroneous usage of the command line to display informative error messages more clearly.
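
The trailing-space patch fixes a failure mode that is worth seeing: the LOG target prints the prefix and then immediately "IN=...", so a prefix without a trailing space runs into the first field and a parser that looks for field names no longer finds it. Here is an added Python example (not psad's code, and not the iptables patch itself) that simulates the kernel's line format for a good and a bad prefix, parses both, and checks an iptables-save dump for LOG rules whose prefix lacks the space, which is the condition the patch enforces at rule insertion time. The rules and log lines are constructed.

```python
import re

_FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')
_PREFIX_RE = re.compile(r'--log-prefix\s+"([^"]*)"')

def kernel_log_line(prefix, src, dpt):
    """Simulate what the LOG target emits: the prefix verbatim, then "IN="
    immediately after it, so without a trailing space the two run together."""
    return ('Nov 17 10:34:47 isengard kernel: %sIN=eth0 OUT= SRC=%s DST=192.168.10.1 '
            'PROTO=TCP SPT=44444 DPT=%d' % (prefix, src, dpt))

def parse_ipt_log(line):
    """psad-style parse: the message is only usable if an IN= field is found."""
    fields = dict(_FIELD_RE.findall(line))
    return fields if 'IN' in fields else None

def fix_prefix(prefix):
    """What the patch guarantees: every prefix ends in exactly one space."""
    return prefix if prefix.endswith(' ') else prefix + ' '

def prefix_problems(iptables_save_text):
    """Return the LOG rules in an iptables-save dump whose prefix lacks the
    trailing space; run this against a policy built without the patch."""
    bad = []
    for line in iptables_save_text.splitlines():
        if ' -j LOG' not in line:
            continue
        m = _PREFIX_RE.search(line)
        if m and not m.group(1).endswith(' '):
            bad.append(line.strip())
    return bad

# Constructed iptables-save excerpt (not from the page): one good LOG prefix
# and one that will glue itself onto IN=.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "[psad] " --log-ip-options --log-tcp-options
-A FORWARD -j LOG --log-prefix "fwd-drop"
COMMIT
"""

if __name__ == '__main__':
    for p in ('fwd-drop', fix_prefix('fwd-drop')):
        line = kernel_log_line(p, '10.9.8.7', 23)
        print(repr(line[33:60]), '->', parse_ipt_log(line) is not None)
    print(prefix_problems(SAMPLE_RULES))
```

With the bad prefix the simulated line reads "... kernel: fwd-dropIN=eth0 OUT= ..." and the parser rejects it, so every packet hitting that FORWARD rule is invisible to the detector even though it is logged; the rest of the fields parse fine, which makes the mistake easy to miss by eye. The dump check is a cheap thing to add to a deployment script on kernels whose iptables does not carry the patch.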

Software Release - fwknop-1.8.2

The 1.8.2 release of fwknop is ready for download. This release is the first serious attempt at allowing fwknop to function as a Single Packet Authorization server on Mac OS X systems. Also, several bug fixes and minor command line arguments were added. Here is a screenshot of the fwknop client running under Cygwin on a Windows 2000 system that is itself running underneath VMware on Ubuntu Linux. The fwknop client builds an SPA message in the window on the left, and the window on the right shows the syslog messages that are written by the fwknopd server on the Linux machine. Only after the SPA packet is sent does the Windows 2000 system have access to SSH on the Linux box.

[Screenshot: fwknop-1.8.2 release, fwknop client under Cygwin and fwknopd syslog output]

Here is the complete ChangeLog:
  • Added fwknopd server support for Mac OS X. The Darwin uname return string is detected and this enables Darwin-specific installation code in install.pl.
  • Updated to not print sensitive key/password information in --debug mode with fwknopd.
  • Bugfix for install.pl on Windows 2003 Server running under Cygwin where 'uname -o' output is reported 'Gygwin' for some reason.
  • Added --Cygwin-install command line argument to install.pl to force client-only fwknop install on Cygwin systems.
  • Added --OS-type command line argument to install.pl to allow the user to force the installation type.
  • Updated to version 1.04 of Crypt::Rijndael. This fixes incompatibilities in SPA packets between 64-bit and 32-bit platforms.
  • Bugfix to enforce a maximum of 20 tries to read a password from stdin.
  • Applied TCP options parsing fix from psad for invalid zero or one length fields that break TLV encoding (this is for fwknopd, and only applies to the legacy port knocking mode).
  • Added code to fwknopd to check to see if there are any state tracking rules in place within the local iptables or ipfw policy.
  • Made syslog identity, facility, and priority configurable (applied code from the psad project).
  • Implemented --fw-list for ipfw firewalls.
  • Bugfix for knoptm removing ipfw rules too quickly after not timing out previously instantiated rules properly.
  • Implemented smarter cache removal strategy in knoptm so that rules that are manually removed from the running iptables or ipfw policy are also removed from the cache.
  • Added /var/log/fwknop/errs/fwknopd.{warn,die} tracking to the fwknopd daemon for the PCAP modes of collecting packet data. Added knoptm{warn,die} files for knoptm as well.
  • Bugfix to import the GnuPG::Interface module in --get-key mode.
  • Bugfix to send source IP as a part of the command message in command mode so that REQUIRE_SOURCE_ADDRESS controls can be applied.
  • Added --Test-mode to fwknop client so that SPA packets can be built but never sent over the network.

Software Release - gpgdir-1.5

The 1.5 release of gpgdir is ready for download. This release adds the ability to use a symmetric cipher to encrypt/decrypt files via the GnuPG::Interface encrypt_symmetrically() function. Here is the ChangeLog:
  • Added the --Symmetric option so that files can be encrypted/decrypted via a symmetric encryption algorithm (GnuPG commonly uses CAST5 for this).
  • Added the --Plain-ascii option so that GnuPG is invoked with the -a option so that encrypted files are ascii armored instead of encrypted in binary form.
  • Bugfix to ensure not to delete zero-size files if a bad password is given (gpgdir now just throws a warning and exits in this case).
  • Minor code enhancements to provide a consistent hash_init() invocation with the same options hash.
  • Updated to exclude .asc files from the encryption/decryption process.

Software Release - psad-2.0.8

The 2.0.8 release of psad is ready for download. This release includes major new functionality that allows psad to interface with Gnuplot to create graphical representations of iptables log data. Here is the ChangeLog:
  • Added --gnuplot mode so that psad can output data that is suitable for plotting with gnuplot. All output produced in this mode is integer data with the exception of date stamps that are derived from iptables syslog messages.
  • Added the ability to negate match conditions on fields specified with the --CSV-fields argument by prepending the string "not" (which plays more nicely with shells like bash than a character like "!"). For example, to graph all packet data in --gnuplot or --CSV modes that originates from the 11.11.0.0/16 subnet and is not destined for port 80, the following argument does the trick: --CSV-fields "src:11.11.0.0/16 dp:not80"
  • In --gnuplot mode, added the ability to generate the count for a CSV field instead of the field itself. Supported modes are an absolute count (<field>count) and a unique count (<field>uniqcount). This is useful to plot graphs of source IP vs. the number of unique ports, for example. Also added the ability to count iptables log fields over various time scales (minutes, hours, and days) with the following switches: <field>countday, <field>counthour, <field>countmin.
  • In --gnuplot mode, added the ability to specify the view coordinates for 3D graph viewing with --gnuplot-view.
  • Added the Storable-2.16 module along with the --use-store-file argument so that in --gnuplot mode the Gnuplot data can be stored on disk and retrieved quickly. This eliminates a large performance bottleneck when Gnuplot configuration directives are tweaked while the same graph is generated multiple times.
  • Added --gnuplot-template so that a template file can be used for all Gnuplot directives (usually psad creates the .gnu file based on the --gnuplot command line arguments).
  • Added --gnuplot-grayscale to generate graphs without the default red color for graph points.
  • Bugfix for regular expressions not being imported correctly from within the --CSV-fields argument.
  • Added --analysis-fields so the iptables log messages that are parsed in -A mode can be restricted to those that meet certain criteria. For example, to restrict the analyze mode to process packets with a source address of 192.168.10.1, use this command: psad -A --analysis-fields "src:192.168.10.1"
  • Added --plot-separator to allow the format of plot data (either in --gnuplot or --CSV modes) to be influenced by the user.
  • Added the ability to configure the syslog facility and priority via the psad.conf file (see the SYSLOG_FACILITY and SYSLOG_PRIORITY variables).
  • Updated psad.spec file to respect the %_initrddir RPM macro.
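
The --CSV-fields / --analysis-fields syntax in this ChangeLog (a space-separated list of field:value pairs, CIDR values for addresses, and a "not" prefix for negation) is a small filter language, and here is an added Python example of an evaluator for it, run over constructed iptables log lines. It is not psad's implementation. Only the "src" and "dp" field names appear on this page; "dst", "sp" and "proto" are assumed names added for the example, and the regular-expression values the ChangeLog mentions are not handled here.

```python
import ipaddress
import re

_FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

# Short --CSV-fields names mapped onto iptables log field names. "src" and
# "dp" appear on this page; the other three are assumptions for this example.
FIELD_MAP = {'src': 'SRC', 'dst': 'DST', 'sp': 'SPT', 'dp': 'DPT', 'proto': 'PROTO'}

def parse_csv_fields(spec):
    """Turn 'src:11.11.0.0/16 dp:not80' into [(field, negate, value), ...]."""
    conds = []
    for tok in spec.split():
        name, sep, value = tok.partition(':')
        if not sep or name not in FIELD_MAP:
            raise ValueError('bad --CSV-fields token: %r' % tok)
        negate = value.startswith('not')
        conds.append((FIELD_MAP[name], negate, value[3:] if negate else value))
    return conds

def _value_matches(field, actual, wanted):
    if field in ('SRC', 'DST') and '/' in wanted:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    return actual.upper() == wanted.upper()

def record_matches(fields, conds):
    """Every condition must hold; a field the packet does not carry (no DPT on
    ICMP, for instance) satisfies nothing, not even a negated condition."""
    for field, negate, wanted in conds:
        if field not in fields:
            return False
        if _value_matches(field, fields[field], wanted) == negate:
            return False
    return True

def select_records(lines, spec):
    """Parse each iptables log line and keep the records the spec selects."""
    conds = parse_csv_fields(spec)
    out = []
    for line in lines:
        fields = dict(_FIELD_RE.findall(line))
        if 'SRC' in fields and record_matches(fields, conds):
            out.append(fields)
    return out

# Constructed iptables log lines (not from the page).
_TMPL = 'Nov 17 10:34:47 isengard kernel: [psad] IN=eth0 OUT= SRC=%s DST=192.168.10.1 PROTO=%s %s'
SAMPLE_LOG = [
    _TMPL % ('11.11.5.5', 'TCP', 'SPT=40000 DPT=22 SYN'),
    _TMPL % ('11.11.5.5', 'TCP', 'SPT=40001 DPT=80 SYN'),
    _TMPL % ('11.11.200.1', 'UDP', 'SPT=40002 DPT=53'),
    _TMPL % ('10.0.0.1', 'TCP', 'SPT=40003 DPT=22 SYN'),
    _TMPL % ('11.11.9.9', 'ICMP', 'TYPE=8 CODE=0'),
]

def demo():
    """The ChangeLog's own example: 11.11.0.0/16 sources, anything but port 80."""
    return [(r['SRC'], r['DPT']) for r in select_records(SAMPLE_LOG, 'src:11.11.0.0/16 dp:not80')]

if __name__ == '__main__':
    print(demo())    # [('11.11.5.5', '22'), ('11.11.200.1', '53')]
```

The one design decision worth calling out is how "dp:not80" treats packets with no destination port at all: the ICMP echo from 11.11.9.9 is dropped rather than counted as "not port 80". Either choice can be defended, but a graph of "non-web traffic per source" silently mixing in ICMP is the kind of thing that misleads, so the example makes the absence of a field a non-match and says so.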