psad-2.0.4 released



Hi all -

psad-2.0.4 has been released. Here is the complete change log:

- Added Snort rule matches to syslog alerts. Multiple matches can
be controlled with new configuration variables in psad.conf:
ENABLE_SIG_MSG_SYSLOG, SIG_MSG_SYSLOG_THRESHOLD, and
SIG_SID_SYSLOG_THRESHOLD.
- Bugfix to include scanned UDP port ranges in syslog alerts.
- Bugfix to parse SEQ and ACK iptables log message fields (requires
--log-tcp-sequence on the iptables command line). This allows the
ipEye signature to work.
- Added --debug-sid to allow a specific Snort rule to be debugged
while psad runs it through its detection engine. A consequence of
this is that the -d command line argument must be spelled out, i.e.
"psad --debug".
- Bugfix to allow logging prefixes to omit trailing spaces. Allowing this
is a bug in the iptables logging format in the first place, but until that
gets fixed psad needs to compensate.
- Bugfix for syslog-ng init script path in install.pl.
- Bugfix to include a "source" definition for /proc/kmsg if not already
defined for syslog-ng daemons.
- Minor memory handling bugfixes discovered by the excellent Valgrind
project: http://www.valgrind.org

Another interesting bit of news is that Tenable Network Security has
added support for importing psad syslog events into their products:

http://blog.tenablesecurity.com/2007/01/psad_rules_for_.html
http://www.cipherdyne.org/blog/2007/01/tenable-network-security-and-log-parser-for-psad-events.html

As usual, psad can be downloaded from:

http://www.cipherdyne.org/psad/download/

Also, I've updated cipherdyne.org to include blog style links (RSS and
Atom feeds are available too), so the complete psad-2.0.4 release
posting can be found here (includes a few sample syslog signature matches
reported by psad):

http://www.cipherdyne.org/blog/2007/01/software-release-psad-2.0.4.html

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
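
Two of the bugfixes above concern how an iptables LOG line has to be
parsed: a --log-prefix that omits its trailing space ends up fused to the
IN= field ("DROPIN=eth0"), and the SEQ=/ACK= fields only exist when the
rule was written with --log-tcp-sequence, so a signature that needs them
(such as the ipEye one) cannot fire otherwise. The following Python
parser is an added example written for this page; it is not psad's own
code (psad is written in Perl) and the log lines it consumes are
constructed for the example, laid out in the order the kernel LOG target
emits its fields. It also shows the per-source port-range summary that the
UDP port range fix refers to.

```python
"""Parse iptables LOG lines the way a psad-style detector must.

Added example, not psad's code.  Handles two edge cases from the
psad-2.0.4 change log:
  * --log-prefix values without a trailing space, which leaves the prefix
    fused to the first netfilter field ("DROPIN=eth0")
  * SEQ=/ACK= fields, present only when the rule used --log-tcp-sequence
The sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

# The netfilter field block always begins with IN=<iface> followed by OUT=.
# Anchoring on that pair is what lets a fused prefix be split off cleanly.
_FIELD_START = re.compile(r'IN=\S*\s+OUT=')
# Optional "[12345.678] " kernel timestamp printed before the prefix.
_KMSG_TS = re.compile(r'^\[\s*\d+\.\d+\]\s*')

# Constructed sample syslog lines (hosts, addresses and MACs are made up).
SAMPLE_LINES = [
    # prefix with trailing space, rule has --log-tcp-sequence: SEQ/ACK present
    'Jan 14 12:00:01 gw kernel: DROP IN=eth0 OUT= '
    'MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 '
    'DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP '
    'SPT=40000 DPT=22 SEQ=1234567890 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0',
    # prefix WITHOUT trailing space ("DROPIN="), no --log-tcp-sequence
    'Jan 14 12:00:02 gw kernel: [ 8123.456] DROPIN=eth0 OUT= '
    'MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 '
    'DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP '
    'SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0',
    # two UDP probes from the same source; the second LEN= is the UDP length
    'Jan 14 12:00:03 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 '
    'DST=198.51.100.5 LEN=28 TOS=0x00 PREC=0x00 TTL=58 ID=0 PROTO=UDP '
    'SPT=40002 DPT=53 LEN=8',
    'Jan 14 12:00:04 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 '
    'DST=198.51.100.5 LEN=28 TOS=0x00 PREC=0x00 TTL=58 ID=0 PROTO=UDP '
    'SPT=40002 DPT=161 LEN=8',
    # unrelated kernel message that must be ignored
    'Jan 14 12:00:05 gw kernel: eth0: link up',
]


def parse_iptables_log(line):
    """Return a dict of KEY=value fields plus 'prefix' and 'flags', or None
    when the line is not an iptables LOG message."""
    try:
        _, rest = line.split('kernel:', 1)
    except ValueError:
        return None
    rest = _KMSG_TS.sub('', rest.strip())
    m = _FIELD_START.search(rest)
    if m is None:
        return None
    # Everything before IN= is the prefix, whether or not it had a space.
    fields = {'prefix': rest[:m.start()].strip(), 'flags': set()}
    for tok in rest[m.start():].split():
        if '=' in tok:
            key, val = tok.split('=', 1)   # OUT= and MAC= may be empty
            fields[key] = val              # a repeated key (LEN) keeps the last value
        else:
            fields['flags'].add(tok)       # bare tokens: SYN, ACK, DF, MF, ...
    return fields


def tcp_seq_ack(fields):
    """(SEQ, ACK) as integers, or None if the rule lacked --log-tcp-sequence.
    The ACK field (ACK=nnn) is distinct from the bare ACK flag token."""
    if 'SEQ' not in fields or 'ACK' not in fields:
        return None
    return int(fields['SEQ']), int(fields['ACK'])


def scan_summary(lines):
    """Group parsed lines by (SRC, PROTO) and return
    {(src, proto): (lowest port, highest port, distinct port count)}."""
    ports = defaultdict(set)
    for line in lines:
        f = parse_iptables_log(line)
        if f and 'DPT' in f and f.get('PROTO') in ('TCP', 'UDP'):
            ports[(f['SRC'], f['PROTO'])].add(int(f['DPT']))
    return {key: (min(p), max(p), len(p)) for key, p in ports.items()}


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        f = parse_iptables_log(line)
        if f:
            print(f['prefix'], f['SRC'], f['PROTO'], f.get('DPT'),
                  'SEQ/ACK=', tcp_seq_ack(f), 'flags=', sorted(f['flags']))
    for (src, proto), (lo, hi, n) in scan_summary(SAMPLE_LINES).items():
        print('%s %s ports %d-%d (%d distinct)' % (src, proto, lo, hi, n))
```

The point of anchoring on the `IN=... OUT=` pair rather than on the
prefix is that the parser never has to know which prefixes an
administrator chose, and a prefix that happens to end without a space is
handled identically to one that has it.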
