psad 2.4.5

psad is an intrusion detection system built around iptables log messages to detect, alert, and (optionally) block port scans and other suspect traffic. For TCP scans psad analyzes TCP flags to determine the scan type (syn, fin, xmas, etc.) and corresponding command line options that could be supplied to nmap to generate such a scan. In addition, psad makes use of many TCP, UDP, and ICMP signatures contained within the Snort intrusion detection system (see to detect suspicious network traffic such as probes for common backdoors, DDoS tools, OS fingerprinting attempts, and more.

Tags security intrusion-detection iptables firewalls linux port-scan nmap
License GNU GPL
State initial

Recent Releases

2.4.511 Mar 2017 03:15 minor bugfix: to include top signature matches in 'psad --Status' output. This. Was reported by @joshlinx on github as.
2.4.415 Nov 2016 11:05 minor documentation: Added detection for Mirai botnet default credentials scans. These scans follow a well-defined pattern of 10 connections to TCP port 23 (telnet) followed by a connection to TCP port 2323. Added installation support ( and 'psad.service' file) for systems running systemd. Bug fix to not remove auto-blocked IP's from a running psad instance with 'psad --Status'. Updated to version 5.2.13 of the whois client. Updated to IPTables::ChainMgr 1.6.
2.4.319 Dec 2015 03:15 minor bugfix: in fwcheck_psad related to an uninitialized variable related to. Firewalld deployments.
2.4.211 Sep 2015 15:45 minor bugfix: to apply the EMAIL_ALERT_DANGER_LEVEL threshold to auto-blocking. Emails. Updated IPTables::ChainMgr and IPTables::Parse to 1.4 and 1.5. Respectively.
2.4.113 May 2015 19:45 minor feature: Bug fix to honor the IGNORE_PROTOCOLS configuration variable for non-tcp/udp/icmp protocols. This bug was reported by Paul Versloot. - Added two configuration variables ENABLE_WHOIS_LOOKUPS and ENABLE_DNS_LOOKUPS (set to 'Y' by default) to allow whois and reverse DNS lookups to be controlled from the command line. - Bug fix for an uninitialized variable in 'psad -L' mode when auto blocking is enabled. This bug was reported via github by gihub user 'itoffshore'.
2.4.019 Mar 2015 17:21 major feature: Added support for reading syslog messages from journalctl on systems where syslog data is tied into systemd. Added support for the firewalld firewall that is built into systems like Fedora 21. Added support for handling arbitrary time stamp formats that are supported by some syslog daemons.