Software Release - psad-2.1.2
03 April, 2008

[+] iptables log prefix counters:
    "[ 5370.901768] Default_Drop________": 1
    "[ 9411.899552] Default_Drop________": 1
    "[ 7560.529042] Default_Drop________": 1
    "[ 6454.263813] Default_Drop________": 1
    "[ 7038.635371] Default_Drop________": 1
    "[ 5648.026038] Default_Drop________": 1
    "[ 1207.663709] Default_Drop________": 1
    "[ 394.423573] Default_Drop________": 1
    "[ 186.740237] Default_Drop________": 1
    "[ 9405.138521] Default_Drop________": 1
    "[ 5364.208693] Default_Drop________": 1
    "[ 7297.121141] Default_Drop________": 1

The bug caused the timestamp portion of the syslog messages to be included within the iptables log prefix strings, and because timestamps are nearly unique, this forced even the same iptables log prefix to also be treated as unique.
Here is the complete ChangeLog:
- Bugfix to not include kernel timestamps in iptables log prefixes that contain spaces like "[ 65.026008] DROP" (bug reported by Erik Heidt).
- Bugfix to skip non-resolved IP addresses (bug reported by Albert Whale).
- Better p0f output in --debug mode to display when a passive OS fingerprint cannot be calculated based on iptables log messages that include TCP options (i.e., with --log-tcp-options when building a LOG rule on the iptables command line).
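
The timestamp bug described above can be reproduced and corrected in a few lines. This is an added Python example, not psad's own (Perl) code: the regular expressions, function names and sample syslog lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Optional kernel (printk) timestamp such as "[ 5370.901768] " or "[12345.678901] ";
# the number is space-padded inside the brackets.
KTIME_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# Everything between the syslog "kernel:" tag and the first iptables field.
HEAD_RE = re.compile(r"kernel:\s+(?P<head>.*?)\s*IN=\S*\s+OUT=")

def raw_prefix(line):
    """Models the bug: the timestamp stays glued to the log prefix."""
    m = HEAD_RE.search(line)
    return m.group("head") if m else None

def log_prefix(line):
    """Models the fix: drop the kernel timestamp, keep only the log prefix."""
    head = raw_prefix(line)
    return None if head is None else KTIME_RE.sub("", head)

def count_prefixes(lines, extract):
    """Tally log prefixes, skipping non-iptables lines and empty prefixes."""
    counts = Counter()
    for line in lines:
        prefix = extract(line)
        if prefix:
            counts[prefix] += 1
    return counts

# Constructed sample syslog lines (addresses are documentation ranges).
_FIELDS = "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40001 DPT=23"
SAMPLE = [
    f"Apr  3 10:15:01 fw kernel: [ 5370.901768] Default_Drop________ {_FIELDS}",
    f"Apr  3 11:22:22 fw kernel: [ 9411.899552] Default_Drop________ {_FIELDS}",
    f"Apr  3 08:46:05 fw kernel: [   65.026008] DROP {_FIELDS}",
    f"Apr  3 08:46:09 fw kernel: DROP {_FIELDS}",  # kernel timestamps disabled
    "Apr  3 08:47:00 fw sshd[812]: Accepted publickey for admin",  # not iptables
]

if __name__ == "__main__":
    print("with timestamps:", dict(count_prefixes(SAMPLE, raw_prefix)))
    print("stripped:       ", dict(count_prefixes(SAMPLE, log_prefix)))
```

With the timestamp left in, every packet gets its own counter of 1; once it is stripped, lines logged with and without kernel timestamps fall into the same per-prefix counter.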