cipherdyne.org

Michael Rash, Security Researcher



Software Release - psad-2.1.2

Software Release - psad-2.1.2 The 2.1.2 release of psad is ready for download. This is a minor bugfix release to improve support for Linux distributions that report a timestamp in syslog messages just before any iptables log prefix. Here is an example of such syslog messages reported in "psad --Status output (sent to the psad mailing list by Erik Heidt):
[+] iptables log prefix counters:
      "[ 5370.901768] Default_Drop________": 1
      "[ 9411.899552] Default_Drop________": 1
      "[ 7560.529042] Default_Drop________": 1
      "[ 6454.263813] Default_Drop________": 1
      "[ 7038.635371] Default_Drop________": 1
      "[ 5648.026038] Default_Drop________": 1
      "[ 1207.663709] Default_Drop________": 1
      "[  394.423573] Default_Drop________": 1
      "[  186.740237] Default_Drop________": 1
      "[ 9405.138521] Default_Drop________": 1
      "[ 5364.208693] Default_Drop________": 1
      "[ 7297.121141] Default_Drop________": 1
The bug caused the timestamp portion of the syslog messages to be included within the iptables log prefix strings, and because timestamps are nearly unique, this forced even the same iptables log prefix to also be treated as unique.
Here is the complete ChangeLog:
  • Bugfix to not include kernel timestamps in iptables log prefixes that contain spaces like "[ 65.026008] DROP" (bug reported by Erik Heidt).
  • Bugfix to skip non-resolved IP addresses (bug reported by Albert Whale)
  • Better p0f output in --debug mode to display when a passive OS fingerprint cannot be calculated based on iptables log messages that include tcp options (i.e., with --log-tcp-options when building a LOG rule on the iptables command line).