psad-2.0.4 released

Hi all -

psad-2.0.4 has been released. Here is the complete change log:

- Added Snort rule matches to syslog alerts. Multiple matches can
be controlled with new configuration variables in psad.conf:
- Bugfix to include scanned UDP port ranges in syslog alerts.
- Bugfix to parse SEQ and ACK iptables log message fields (requires
--log-tcp-sequence on the iptables command line). This allows the
ipEye signature to work.
- Added --debug-sid to allow a specific Snort rule to be debugged
while psad runs it through its detection engine. A consequence of
this is that the -d command line argument must be spelled out, i.e.
"psad --debug".
- Bugfix to allow logging prefixes to omit trailing spaces. It is
arguably a bug in the iptables logging format that this is allowed in the
first place, but until that is fixed psad needs to compensate.
- Bugfix for syslog-ng init script path in
- Bugfix to include a "source" definition for /proc/kmsg if not already
defined for syslog-ng daemons.
- Minor memory handling bugfixes discovered by the excellent Valgrind.
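To illustrate two of the parsing changes above (the SEQ/ACK fields that only appear with --log-tcp-sequence, and a --log-prefix without its trailing space fusing with "IN="), here is an added Python example; it is not psad's own code (psad is written in Perl), and the two iptables LOG lines it parses are constructed samples, not from the original post:

```python
import re

# Constructed sample iptables LOG lines (not from the original post).
# First: normal "DROP " prefix, logged with --log-tcp-sequence so SEQ/ACK appear.
# Second: prefix "DROP" without the trailing space, so it fuses with "IN=",
# and no --log-tcp-sequence, so SEQ/ACK are absent.
SAMPLE_LINES = [
    "Jan  1 00:00:01 fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP "
    "SPT=44321 DPT=22 SEQ=123456789 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan  1 00:00:02 fw kernel: DROPIN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=4243 PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
]

def parse_iptables_log(line):
    """Return {'prefix', 'fields', 'flags', 'seq', 'ack'} for one LOG line,
    or None if the line is not an iptables LOG message."""
    # Everything after "kernel:" (and an optional "[ 123.456]" uptime stamp).
    m = re.search(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(.*)$", line)
    if not m:
        return None
    body = m.group(1)
    # The log prefix is whatever precedes the first "IN=" token. Taking the
    # raw substring (not a whitespace split) is what copes with a prefix that
    # lacks its trailing space, e.g. "DROPIN=eth0".
    idx = body.find("IN=")
    if idx < 0:
        return None
    prefix = body[:idx].strip()
    fields, flags = {}, []
    for tok in body[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val            # value may be empty, e.g. "OUT="
        else:
            flags.append(tok)            # DF, SYN, ACK, FIN, ... carry no "="
    # SEQ/ACK exist only when iptables was run with --log-tcp-sequence;
    # a signature that needs them (the post cites ipEye) cannot match otherwise.
    seq = int(fields["SEQ"]) if "SEQ" in fields else None
    ack = int(fields["ACK"]) if "ACK" in fields else None
    return {"prefix": prefix, "fields": fields, "flags": flags, "seq": seq, "ack": ack}

def parse_all(lines=SAMPLE_LINES):
    """Parse a batch of syslog lines, skipping non-iptables messages."""
    return [r for r in (parse_iptables_log(l) for l in lines) if r is not None]
```

Note that the bare "ACK" TCP flag and the "ACK=" sequence field are different tokens; the parser keeps the former in flags and the latter in fields.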

Another interesting bit of news is that Tenable Network Security has
added support for importing psad syslog events into their products:

As usual, psad can be downloaded from:

Also, I've updated to include blog style links (RSS and
Atom feeds are available too), so the complete psad-2.0.4 release
posting can be found here (includes a few sample syslog signature matches
reported by psad):

Michael Rash
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
