cipherdyne.org

Michael Rash, Security Researcher



Software Release - psad-2.0, Major Update

The 2.0 release of psad is ready for download. This release is a major update of psad, and many new features have been added. Psad now more fully supports the Snort rules language via Netfilter log messages. The Snort keywords ttl, id, seq, ack, window, icmp_id, icmp_seq, itype, icode, ipopts, and sameip are now supported. Signature updates are made available on cipherdyne.org, and psad can fetch them automatically with the new --sig-update command line argument. Visualization of Netfilter log messages is now possible by combining the new --CSV options with the AfterGlow project; to illustrate this, graphs of two of the Honeynet Project scan challenges are available online here and here. Here is an excerpt from the ChangeLog:
  • Completely refactored the Snort rule matching support in psad. Added many header field tests with full range matching support. These tests include the following keywords from Snort: ttl, id, seq, ack, window, icmp_id, icmp_seq, itype, icode, ip_proto, ipopts, and sameip.
  • Refactored all signatures in /etc/psad/signatures to conform to new signature matching support in this release. There are now about 190 signatures that psad can run directly against Netfilter logging messages (i.e. without the help of fwsnort).
  • Added the ability to download the latest signatures file from http://www.cipherdyne.org/psad/signatures with the --sig-update command line argument to psad.
  • Added "MISC Windows popup spam" signature. This allows psad to detect when attempts are made to send spam via the Windows Messenger service.
  • Completely reworked --Status and --Analyze output: signature matches are now included, along with a listing of top signature matches, top scanned ports, and top attackers. Also, in -A mode scan data is not written to /var/log/psad/ipt_analysis/ before the analysis output is displayed; analysis results are displayed much faster this way.
  • Added ipEye, Subversion, Kuang2, Microsoft SQL, Radmin, and Ghostsurf signatures.
  • Added 'data in TCP SYN packet' signature.
  • Added --CSV mode so that psad can be used to generate comma-separated value output suitable for the AfterGlow project (see http://afterglow.sourceforge.net/index.html) for graphical representations of Netfilter logs and associated scan data. Also added nf2csv so that normal users can take advantage of this feature.
  • Added emulation of the Snort "dsize" test through the use of the IP length field for TCP/ICMP signatures, and the UDP length field for UDP signatures. Because SYN packets carry TCP options, psad automatically adds 44 bytes (the maximum length for TCP options) so that the dsize test corresponds to the estimated payload length.
  • Added the psad_id, psad_dsize, and psad_derived_sids fields for the new Snort rule support.
  • Added the ability to decode IP options, which are included within Snort rules as the "ipopts" keyword. This functionality requires that the --log-ip-options command line argument be given to iptables when building a rule that uses the LOG target.
  • Added Snort rules (sids 475, 500, 501, and 502) that detect IP options usage such as source routing and the traceroute IP option with the new IP options decoder.
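To make the ChangeLog entries above concrete, here is a small Python model, written for this page rather than taken from psad (which is Perl), of how Snort header tests with range matching (ttl, id, seq, ack, window, itype, icode, icmp_id, icmp_seq, sameip, flags), the ipopts decoder, and the dsize emulation can be run directly against Netfilter LOG lines. The log lines, the rule messages and tests, the header-size arithmetic behind the dsize estimate, and the subset of Snort range syntax supported are all this example's own assumptions; the 44-byte options allowance is the figure the ChangeLog gives. IP options are recognised from the OPT (...) block that appears before PROTO= when iptables is given --log-ip-options, and seq/ack are read only when --log-tcp-sequence was used.

```python
import re
# Constructed iptables LOG lines for this example (not taken from the page or from psad's test data).
SAMPLE_LOGS = [
    "Feb 20 10:31:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=250 ID=0 DF "
    "PROTO=TCP SPT=45123 DPT=22 SEQ=3145209 ACK=0 WINDOW=2048 RES=0x00 SYN URGP=0 OPT (020405B4)",
    "Feb 20 10:31:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.5 LEN=28 TTL=64 ID=1234 "
    "PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1",
    "Feb 20 10:31:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TTL=120 ID=4410 "
    "PROTO=UDP SPT=5000 DPT=1434 LEN=28",
    "Feb 20 10:31:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.5 LEN=48 TTL=60 ID=9 "
    "OPT (8307040A0B0C0D00) PROTO=TCP SPT=1024 DPT=80 SEQ=1 ACK=0 WINDOW=512 RES=0x00 SYN URGP=0",
]

# Fixed header sizes plus the 44-byte TCP options allowance the ChangeLog describes for SYN packets.
IP_HDR, TCP_HDR, UDP_HDR, ICMP_HDR, SYN_OPTS_ALLOWANCE = 20, 20, 8, 8, 44
FLAG_LETTERS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}
IPOPT_NAMES = {0x01: "nop", 0x07: "rr", 0x44: "ts", 0x82: "sec", 0x83: "lsrr", 0x89: "ssrr"}

def decode_ipopts(hexstr):  # raw IP option bytes (type, length, data, ...) -> Snort ipopts names
    data, names, i = bytes.fromhex(hexstr), set(), 0
    while i < len(data) and data[i] != 0x00:            # type 0x00 (EOL) ends the option list
        names.add(IPOPT_NAMES.get(data[i], "0x%02x" % data[i]))
        if data[i] == 0x01 or i + 1 >= len(data):        # NOP carries no length byte
            i += 1
        else:
            i += max(data[i + 1], 2)                     # length counts the type and length bytes
    return names | ({"eol"} if i < len(data) else set())

def parse_nf_log(line):
    """Turn one Netfilter LOG line into a record keyed by the Snort header keywords."""
    pairs = {}
    for k, v in re.findall(r"\b([A-Z]+)=(\S*)", line):
        pairs.setdefault(k, []).append(v)                 # LEN, ID and SEQ repeat for UDP and ICMP
    if "PROTO" not in pairs:
        return None
    proto = pairs["PROTO"][0]
    rec = {"src": pairs["SRC"][0], "dst": pairs["DST"][0], "proto": proto, "flags": set(),
           "ttl": int(pairs["TTL"][0]), "id": int(pairs["ID"][0]), "ip_len": int(pairs["LEN"][0])}
    ipopts = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line.split("PROTO=", 1)[0])  # before PROTO=: IP options
    rec["ipopts"] = decode_ipopts(ipopts.group(1)) if ipopts else set()
    if proto in ("TCP", "UDP"):
        rec["spt"], rec["dpt"] = int(pairs["SPT"][0]), int(pairs["DPT"][0])
    if proto == "TCP":
        rest = re.sub(r"\b[A-Z]+=\S*", " ", line)        # drop KEY=VALUE so ACK=n is not read as the ACK flag
        rec["flags"] = {f for f in FLAG_LETTERS.values() if re.search(r"\b%s\b" % f, rest)}
        rec["window"] = int(pairs["WINDOW"][0])
        if "SEQ" in pairs:                                # only logged with --log-tcp-sequence
            rec["seq"], rec["ack"] = int(pairs["SEQ"][0]), int(pairs["ACK"][0])
    elif proto == "UDP":
        rec["udp_len"] = int(pairs["LEN"][-1])           # the second LEN= is the UDP length field
    elif proto == "ICMP":
        rec["itype"], rec["icode"] = int(pairs["TYPE"][0]), int(pairs["CODE"][0])
        if len(pairs["ID"]) > 1:                          # echo request/reply log ICMP id and seq too
            rec["icmp_id"], rec["icmp_seq"] = int(pairs["ID"][1]), int(pairs["SEQ"][0])
    return rec

def match_num(spec, value):
    """Snort-style numeric test: 'n', '=n', '>n', '<n' or the inclusive range 'lo-hi' (assumed subset)."""
    spec = str(spec)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    if spec[0] in "<>":
        return value > int(spec[1:]) if spec[0] == ">" else value < int(spec[1:])
    return value == int(spec.lstrip("="))

def estimated_dsize(rec):  # dsize emulated from the logged length fields (assumed arithmetic)
    if rec["proto"] == "UDP":
        return max(rec["udp_len"] - UDP_HDR, 0)
    hdrs = IP_HDR + (TCP_HDR if rec["proto"] == "TCP" else ICMP_HDR)
    hdrs += SYN_OPTS_ALLOWANCE if "SYN" in rec["flags"] else 0   # options allowance on SYN packets
    return max(rec["ip_len"] - hdrs, 0)

# Keywords that need more than a numeric compare; everything else is a plain header field test.
SPECIAL_TESTS = {
    "sameip": lambda spec, rec: rec["src"] == rec["dst"],
    "flags": lambda spec, rec: {FLAG_LETTERS[c] for c in spec} <= rec["flags"],
    "ipopts": lambda spec, rec: spec in rec["ipopts"],
    "dsize": lambda spec, rec: match_num(spec, estimated_dsize(rec)),
}

def rule_matches(rule, rec):
    if rule["proto"] not in ("any", rec["proto"]):
        return False
    return all(SPECIAL_TESTS[k](s, rec) if k in SPECIAL_TESTS else (k in rec and match_num(s, rec[k]))
               for k, s in rule["tests"].items())

# Constructed rules in a psad-like shape; the messages and tests are this example's, not psad signatures.
RULES = [
    {"msg": "EXAMPLE SYN with ttl>200 and zero IP id", "proto": "TCP", "tests": {"ttl": ">200", "id": "0", "flags": "S"}},
    {"msg": "EXAMPLE ICMP echo with sameip", "proto": "ICMP", "tests": {"sameip": True, "itype": "8", "icode": "0"}},
    {"msg": "EXAMPLE UDP to 1434 with 10-30 byte payload", "proto": "UDP", "tests": {"dpt": "1434", "dsize": "10-30"}},
    {"msg": "EXAMPLE loose source route option", "proto": "any", "tests": {"ipopts": "lsrr"}},
]

def run_rules(lines, rules=RULES):  # (msg, src, dst) for every rule that matches each line, in log order
    return [(rule["msg"], rec["src"], rec["dst"])
            for rec in filter(None, map(parse_nf_log, lines)) for rule in rules if rule_matches(rule, rec)]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_LOGS):
        print("%s  %s -> %s" % hit)
```

Two details are worth noticing when doing this against real logs: the bare `ACK` flag token and the `ACK=n` sequence field from --log-tcp-sequence look alike unless the KEY=VALUE pairs are stripped first, and both IP options (--log-ip-options) and TCP options (--log-tcp-options) are printed as `OPT (...)`, so only the block that precedes `PROTO=` is fed to the IP options decoder.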