root/psad/tags/psad-1.4.6/ChangeLog

psad-1.4.6 (06/13/2006):
    - Added ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX to allow filtering on
      logging prefixes.
    - Added code to save DShield email to a file.
    - Added IPTABLES_PREREQ_CHECK to allow the administrator to control the
      frequency of Netfilter checks (for auto-block compatibility).
    - Added IGNORE_LOG_PREFIXES to allow certain log prefixes to be completely
      ignored by psad.
    - Added classification.config file from Snort-2.3.3 so that psad can
      assign danger levels based upon Snort rule class type.  This is useful
      when also running fwsnort.
    - Added snort_rule_dl to allow specific psad to assign specific danger
      level values to particular signatures.  This is useful if you want to
      do define certain Snort rules as being particularly evil (or not).
      Running fwsnort is also necessary to take advantage of this feature.
    - Added reference.config so that psad can include reference information in
      email alerts that are derived from attacks detected by fwsnort.
    - Updated to Snort-2.3.3 signatures.
    - Updated to whois-4.7.13.

psad-1.4.5 (01/13/2006):
    - Bugfix in IPTables::Parse to allow the limit target to apply to
      logging rules.
    - Made calls to chain creation and jump rule functions for only every
      100 block calls in auto-IDS mode.
    - Bugfix to make sure /var/run/psad directory exists at startup since
      this directory is removed by some Linux distributions at boot time.
    - Bugfix for zero masks in auto_dl; this allows a network of "0.0.0.0/0"
      to be specified.
    - Added ENABLE_FW_LOGGING_CHECK so that the Netfilter policy check can be
      enabled/disabled easily via psad.conf.
    - Enhanced -D output to include "uname -a" and "perl -V" output.
    - Added ENABLE_RENEW_BLOCK_EMAILS to allow whether renew emails are sent
      for auto-blocked addresses.

psad-1.4.4 (11/27/2005):
    - Added MAC address reporting in psad email alerts.  This feature is
      enabled via a new config keyword "ENABLE_MAC_ADDR_REPORTING".
    - Added --fw-rm-block-ip <ip> option to allow IP addresses to be removed
      from the auto-blocking chains from the command line.
    - Updated command line firewall arguments to write commands to the
      AUTO_IPT_SOCK domain socket.
    - Added the ability to specify ports and port ranges to auto_dl file.
    - Added --force-mod-install command line argument to installer to force
      perl modules used by psad to be installed within /usr/lib/psad
      regardless of whether they already exist in the system perl tree.
    - Bugfix in the installer to seek() to the end of the fwdata file
    - Bugfix for psad repeatedly trying to remove the same IP address(es)
      from the auto-blocking chains.
      instead of reading the entire thing into memory.
    - Added the ability to truncate the fwdata file via a new configuration
      keyword "TRUNCATE_FWDATA" (this is enabled by default).
    - Bugfix in auto-blocking mode for deleting AUTO_IPT_SOCK when a HUP
      signal is received.
    - Bugfix for parsing Netfilter policies that contain ULOG logging rules
      instead of the standard LOG target.
    - Removed the smtpdaemon requirement in the RPM because psad might be
      configured to not send email alerts.

psad-1.4.3 (09/27/2005):
    - Bugfixes for auto-blocking code.  Timeouts should be handled
      properly, including cached IP addresses in the auto_blocked_iptables
      file that are referenced upon psad startup.  Communication with the
      running psad is performed over a Unix domain socket in --fw-block
      mode.
    - Bugfix to seek to the end of the fwdata file instead of reading the
      entire thing into memory and then looking for newly written logging
      messages.  This drastically reduces the amount of memory required
      by psad.
    - Updated to only display psad chains if --verbose is set
    - Updated to automatically flush the psad auto-response Netfilter chains
      at start time (subject to a new config keyword "FLUSH_IPT_AT_INIT").

psad-1.4.2 (07/15/2005):
    - Dependency bugfixes for mail binary.
    - Bugfix for various IGNORE_* keywords not being honored.
    - Bugfix for not timing out blocked IP addresses from a previous run.
    - Updated to version 0.2 of the IPTables::ChainMgr module.
    - Updated to not truncate the fwdata file upon psad startup.
    - Added --fw-dump which produces a sanitized (i.e. no IP addresses)
      version of the local Netfilter policy.  Also added --fw-include-ips
      to (optionally) not sanitize IPs/nets.  Note that the 0.0.0.0 and
      0.0.0.0/0 IPs/nets are not sanitized since they give no useful
      information about specific IPs/nets.
    - Added ulogd data collection mode.
    - Bugfix for FW_MSG_SEARCH default (at least "DROP" is included now
      even if FW_SEARCH_ALL is set to "N").
    - Bugfix for non-network address for subnet specified with --fw-block.
    - Bugfix for multiple --fw-block IPs/nets.
    - Added README.SYSLOG (Francois Marier contributed the content).
    - Made email alert prefixes (such as "[psad-alert]") customizable via
      psad.conf.

psad-1.4.1 (03/12/2005):
    - Updated to Snort-2.3 rules in the snort_rules directory.
    - Re-worked syslog installation portion of install.pl.  The user will
      always be prompted to enter the syslog daemon now, and also added
      the --syslog-conf arg to allow the config file path to be specified
      on the install.pl command line.
    - Bugfix in install.pl for using IP address instead of network address
      of directly connected subnets.
    - Updated to version 4.6.23 of the whois client.
    - Bugfix for distinguishing OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Bugfix for syslog format that may not include the "kernel:" tag.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Bugfix for the psad version number that is sent in DShield alerts.
    - Updated Psad module directory structure to be consistent with current
      versions of perl (5.8.x).
    - Added IPTables::ChainMgr module.
    - Completely re-worked the Netfilter auto-blocking code to use
      IPTables::ChainMgr functions so that auto-generated rules are placed
      in chains created by psad.
    - Added IPT_AUTO_CHAIN keyword in psad.conf which is used to define the
      set of chains to which auto-generated Netfilter rules are added.
    - Added --fw-list-auto to display the contents of psad Netfilter
      chains.
    - Added the ability to import an IP into the Netfilter auto-blocking
      chains from the command line with --fw-block-ip.  This allows psad to
      apply its timeout mechanism against such IPs/nets.
    - Added the ability to ignore packets based on input interface with
      IGNORE_INTERFACES in psad.conf.
    - Re-worked auto_dl code, better hash design and searching function.
    - Removed dependency on sendmail command unless DShield alerting is
      enabled and a DShield user id is specified.
    - Added ALERTING_METHODS keyword in the file alert.conf to allow either
      syslog or email alerts (or both) to be disabled.  Psad and psadwatchd
      reference this file.

psad-1.4.0 (11/26/2004):
    - Added p0f-style passive OS fingerprinting through the use of the OPT
      field in iptables log messages (which is only logged through the use
      of the --log-tcp-options command line arg to iptables).
    - Bugfix for iptables log messages that include tcp sequence numbers
      (see the iptables --log-tcp-sequence command line argument).
    - Bugfix for O_RDONLY open flag when kmsgsd receives a HUP signal.

psad-1.3.4 (10/17/2004):
    - Bugfix for init script directory on Slackware systems.
    - Bugfix for null prefix counters.
    - Added --whois-analysis argument since whois lookups are now disabled
      by default when running in analysis (-A) mode.
    - Updated psad_init() to rework setup() and import orderings vs.
      --fw-analyze and --Benchmark modes.
    - Added bidirectional iptables auto-blocking support for all chains
      except for the INPUT and OUTPUT chains.
    - Better syslog message support when run in auto-blocking mode.
    - Added iptables auto-block rules section to --Status output.
    - Added init script for Fedora systems.
    - Added default_log() function to IPTables::Parse.  This function
      parses user defined chains in an effort to find default logging
      rules.
    - Added EMAIL_LIMIT_STATUS_MSG to control whether or not psad sends a
      status email when the PSAD_EMAIL_LIMIT threshold has been reached by
      an IP address.
    - Added ENABLE_SCAN_ARCHIVE to control whether or not psad archives old
      scan data within /var/log/psad/scan_archive at start time.

psad-1.3.3 (09/09/2004):
    - Fixed __WARN__ and __DIE__ exception handlers so that they
      reference global message variables.
    - Fixed auto danger level assignments.  Network auto assignments as
      well as per-protocol assignments work now.
    - Added SYSLOG_DAEMON variable to define which syslog daemon is running
      on the underlying system instead of just guessing.
    - Added the ability to ignore both ranges and specific ports/protocols
      with a new variable IGNORE_PORTS in psad.conf.
    - Bugfix to make sure email addresses are separated by spaces when
      Psad::sendmail() is called.
    - Bugfix for ipt_prefix counters not being parsed correct at import
      time.
    - Removed exclude_auto_ignore_ip() since this function was made
      unnecessary by newly rewritten auto-assign code.
    - Bugfix for Text::Wrap calls in install.pl uninstall() routine.
    - Bugfix for using --no-fw-search-all even when FW_SEARCH_ALL is
      set to "Y".
    - Removed extraneous ".." and "**" chars from syslog messages, and
      updated to use [+] prefix strings.
    - Moved init scripts into init-scripts directory within source tree.
    - Removed dependency on Bit::Vector (psad does not seem to make use
      of any Date::Calc functions that require it).
    - Wrapped copy() and move() calls with "or die()" to make them
      safer in install.pl.
    - Added check for existing psad process in install.pl.
    - Updated to a new psad email alert subject format.  Prefixes of
      "[psad-alert]", "[psad-error]", and "[psad-status]" are used now.
    - Permissions fixes with umask() setting in /var/log/psad, permissions
      fixes for files in /etc/psad at install time.

psad-1.3.2 (06/25/2004):
    - Removed FW_MSG_SEARCH from psad.conf, and created a new config
      file "fw_search.conf" that both psad and kmsgsd use to get the
      FW_MSG_SEARCH definition(s).
    - Added default mode of parsing all iptables messages instead of
      just those that contain specific search strings.  A new config
      variable "FW_SEARCH_ALL" was added to fw_search.conf that
      controls this mode.
    - Updated psad and kmsgsd so that multiple firewall search strings
      can be specified through multiple FW_MSG_SEARCH variables in
      fw_search.conf.
    - Added iptables chain and logging-prefix tracking for current
      scan interval in email alerts.
    - Added protocol-specific auto-danger level assignments.
    - Added total scan source and destination IP address counters in
      --Status output.
    - Added number of email alerts sent and OS guess in default
      --Status output.  The output is getting wide now, so there is
      also a new option --status-brief that will remove the alerts
      sent and OS guess columns.
    - Added getopt() command line arg parsing to kmsgsd with two new
      options "-c" (for config file path) and "-k" (for fw_search.conf
      path).
    - Made iptables parsing code into its own script "fwcheck_psad"
      that gets called by psad.
    - Added Dshield stats summary to --Status output.
    - Bugfix for auto-ignore IP addresses and networks being missed.
    - Made parsing of ifconfig output language independent (should
      handle French now for example).
    - Removed "psad_" prefix on files psad_signatures, psad_auto_ips,
      psad_posf, and psad_icmp_types in /etc/psad/.
    - Updated to version 4.6.14 of the whois client.

psad-1.3.1 (12/25/2003):
    - Added the ability to import /var/log/psad/<ip> directories
      back into memory so scan data remains persistent across
      psad restarts or system reboots.
    - Added --Analyze-msgs to run psad in analysis mode against an
      iptables logfile (/var/log/psad/fwdata by default).  The logfile
      path can be changed with --messages-file.
    - Added icmp type and code validation against RFC 792.
    - Bugfix for being too strict with FW_MSG_SEARCH.
    - Added port ranges for tcp and udp scans in <ip>/<dst>_packet_ctr.
    - Added <ip>/<dst>_start_time and <ip>/os_guess.
    - Bugfix for missing --no-signatures code.
    - Updated to Snort-2.1 signatures.

psad-1.3 (11/30/2003):
    - Replaced all signatures in psad_signatures with updated snort
      rules.
    - Added support for source and destination ip addresses in
      signature matching code.  A new variable "HOME_NET" makes this
      possible.
    - Added support for the iptables output chain.
    - Added chain tracking for all signatures.
    - Replaced match_fastsigs() with two new routines for tcp and
      udp signature matching that don't autovivify hash keys.
    - Removed support for ipchains.
    - Added support for metalog.
    - Removed all "Undefined Code" signatures from psad_signatures.
    - Re-worked %auto_blocked_ips hash and corresponding blocking
      routines.  This (hopefully) fixes a restart bug seen on older
      systems such as those that are still running versions of perl
      less than 5.6.
    - Re-worked firewall policy parsing routines.  Chains that have
      a default policy of DROP are handled properly now.
    - Bugfix for missing NULL char in kmsgsd.c.
    - Updated scan alerting format.  Put current interval protocol
      status before source and destination addresses.
    - Buffer overflow fix in kmsgsd.c for size of buf[MAX_LINE_BUF]
      buffer in read() call.
    - Added --no-kmsgsd option to aid in psad --debug mode.

psad-1.2.4 (10/15/2003):
    - Added danger level to subject line in email alerts.
    - Removed diskmond altogether since psad now handles disk space
      thresholds directly.  This allows filehandles to be handled
      properly.
    - Added auto_block_ignore_ip() to prevent 0.0.0.0, 127.0.0.1,
      and local interface ips from being included in auto blocking
      routines.
    - Added Bit::Vector module to stop installation warnings from
      Date::Calc.
    - Made get_local_ips() called periodically since local addresses
      may change (dhcp, etc.).
    - Added installation code and init script for Gentoo Linux.
    - Bugfix for INIT_DIR in uninstall() routine in install.pl.
    - Bugfix for auto-blocking loop after timeouts are hit.
    - Added --status-dl [N] to display status information only for
      those scans that reach at least [N].

psad-1.2.3 (09/12/2003):
    - Added interface tracking for scans.
    - Bugfix for not opening /etc/hosts.deny the right way in
      tcpwr_block().
    - Bugfix for psadfifo path in syslog-ng config.
    - Better format for summary stats section in email alerts.
    - Bugfix for INIT_DIR path on non-RedHat systems.
    - Bugfix for gzip path.
    - Make Psad.pm installed last of all perl modules installed
      by psad.
    - Added additional call to incr_syscall_ctr() in psadwatchd.c

psad-1.2.2 (08/24/2003):
    - psad is finally available as an RPM package.
    - Added chain tracking for iptables.
    - Added chain counts to --Status output.
    - Bugfix for psad not taking into account multiple scan
      destinations.
    - Reworked auto-blocking code for both tcpwrappers and
      iptables.  Lines added to /etc/hosts.deny will no longer be
      duplicated.  Added IPTABLES_AUTO_RULENUM and
      IPCHAINS_AUTO_RULENUM so auto rules can be inserted at a
      configurable point within iptables and ipchains policies.
    - Psad now installs all perl modules within /usr/lib/psad.
    - Removed /var/log/psad/<ip>/scanlog file since it was wasting
      too much disk.
    - Made psad, psadwatchd, and diskmond take the machine hostname
      from their respective config files.  This makes installation
      via the rpm easier, and is generally cleaner.
    - Added scan destination in --Status output.
    - Added --status-sort-dl (the default status output is now
      sorted by ip address by default).

psad-1.2.1 (07/11/2003):
    - Bugfix for multiple processes being spawned by psadwatchd
      due to lack of proper config variables in the new split
      daemon config files.
    - Bugfix for old scan messages being regenerated if a HUP
      signal is received.
    - Bugfix for incorrectly calculating disk utilization in
      diskmond.c.
    - Extended install.pl to include compression for archived
      files in /etc/psad.
    - Added preserve questions in install.pl for the psad
      signature and auto ips files.
    - Bugfix for --USR1 command line switch not mapping to the
      correct subroutine.
    - Bugfix for psad man page missing the pipe character in
      psadfifo line for syslog.conf.

psad-1.2 (06/18/2003):
    - Added passive OS fingerprinting based on packet ttl, length,
      tos, and id fields.
    - Added dshield.org alerting capability.
    - Added exec_external_script() for external script execution.
    - Added auto blocked timeouts.
    - Implemented config re-imports via HUP signals in a manner
      similar to various other system daemons (sysylog, apache
      etc.)
    - Better --Status output that shows packet counts per protocol
      for each ip.
    - Added --ip-status for more verbose status output for a
      particular ip address.
    - Added config preservation code to install.pl.
    - Added Psad::psyslog().
    - Split psad.conf into a separate config file for each of the
      four psad daemons.
    - Completely re-worked the auto blocking code (made dedicated
      files for iptables and ipchains block methods).
    - Added danger level hash.
    - Minor code cleanups (shorter hash keys, etc.).

psad-1.1.1 (04/26/2003):
    - Bugfix for incorrect usage of %scan hash keys associated
      with tcp/udp when the current protocol is icmp.
    - Bugfix for being too strict on iptable default log string.
    - Reworked USR1 signal handler so the Data::Dumper function
      call is made in the main part of the psad code.
    - Added a startup message for psad.
    - Minor bugfix for leading whitespace in auto_ips.

psad-1.1 (04/20/2003):
    - Added the IPTables::Parse module for better processing of
      the iptables ruleset.
    - Added --snort-sids so that iptables messages generated by
      fwsnort can be included in alerts.  Such alerts now include
      the content fields of packets (fwsnort uses the iptables
      string match module).
    - Added the ability to specify entire networks in the auto
      ips file through the use of the Net::IPv4Addr module.
    - Better logging format that reinstates the current interval,
      and adds an "overall stats" section that includes packet
      counters per protocol.
    - Removed the PROTO hash key since it was unnecesssary.
    - Better benchmarking code.
    - Bug fix for incorrectly looking for the "MAC" string in
      iptables messages that could have been generated by the
      FORWARD chain.

psad-1.0 (02/27/2003):
    - Added --Benchmark and --packets command line options to support
      psad benchmarking.
    - Bugfix for improperly detecting NULL scans.
    - Completely redesigned website.

psad-1.0.0-pre4 (11/26/2002):
    - Rewrote kmsgsd and psadwatchd in C.