root/psad/tags/psad_1_4_2_r1/ChangeLog

psad-1.4.2 (03//2005):
    - Dependency bugfixes for mail binary.
    - Bugfix for various IGNORE_* keywords not being honored.
    - Bugfix for not timing out blocked IP addresses from a previous run.
    - Updated to version 0.2 of the IPTables::ChainMgr module.
    - Updated to not truncate the fwdata file upon psad startup.
    - Added --fw-dump which produces a sanitized (i.e. no IP addresses)
      version of the local Netfilter policy.  Also added --fw-include-ips
      to (optionally) not sanitize IPs/nets.  Note that the 0.0.0.0 and
      0.0.0.0/0 IPs/nets are not sanitized since they give no useful
      information about specific IPs/nets.
    - Added ulogd data collection mode.
    - Bugfix for FW_MSG_SEARCH default (at least "DROP" is included now
      even if FW_SEARCH_ALL is set to "N").
    - Bugfix for non-network address for subnet specified with --fw-block.
    - Bugfix for multiple --fw-block IPs/nets.
    - Added README.SYSLOG (Francois Marier contributed the content).
    - Made email alert prefixes (such as "[psad-alert]") customizable via
      psad.conf.

psad-1.4.1 (03/12/2005):
    - Updated to Snort-2.3 rules in the snort_rules directory.
    - Re-worked syslog installation portion of install.pl.  The user will
      always be prompted to enter the syslog daemon now, and also added
      the --syslog-conf arg to allow the config file path to be specified
      on the install.pl command line.
    - Bugfix in install.pl for using IP address instead of network address
      of directly connected subnets.
    - Updated to version 4.6.23 of the whois client.
    - Bugfix for distinguishing OPT field associated with --log-tcp-options
      vs. --log-ip-options.
    - Bugfix for syslog format that may not include the "kernel:" tag.
    - Applied patch to only install perl modules that are not already
      installed (Blair Zajac).
    - Bugfix for the psad version number that is sent in DShield alerts.
    - Updated Psad module directory structure to be consistent with current
      versions of perl (5.8.x).
    - Added IPTables::ChainMgr module.
    - Completely re-worked the Netfilter auto-blocking code to use
      IPTables::ChainMgr functions so that auto-generated rules are placed
      in chains created by psad.
    - Added IPT_AUTO_CHAIN keyword in psad.conf which is used to define the
      set of chains to which auto-generated Netfilter rules are added.
    - Added --fw-list-auto to display the contents of psad Netfilter
      chains.
    - Added the ability to import an IP into the Netfilter auto-blocking
      chains from the command line with --fw-block-ip.  This allows psad to
      apply its timeout mechanism against such IPs/nets.
    - Added the ability to ignore packets based on input interface with
      IGNORE_INTERFACES in psad.conf.
    - Re-worked auto_dl code, better hash design and searching function.
    - Removed dependency on sendmail command unless DShield alerting is
      enabled and a DShield user id is specified.
    - Added ALERTING_METHODS keyword in the file alert.conf to allow either
      syslog or email alerts (or both) to be disabled.  Psad and psadwatchd
      reference this file.

psad-1.4.0 (11/26/2004):
    - Added p0f-style passive OS fingerprinting through the use of the OPT
      field in iptables log messages (which is only logged through the use
      of the --log-tcp-options command line arg to iptables).
    - Bugfix for iptables log messages that include tcp sequence numbers
      (see the iptables --log-tcp-sequence command line argument).
    - Bugfix for O_RDONLY open flag when kmsgsd receives a HUP signal.

psad-1.3.4 (10/17/2004):
    - Bugfix for init script directory on Slackware systems.
    - Bugfix for null prefix counters.
    - Added --whois-analysis argument since whois lookups are now disabled
      by default when running in analysis (-A) mode.
    - Updated psad_init() to rework setup() and import orderings vs.
      --fw-analyze and --Benchmark modes.
    - Added bidirectional iptables auto-blocking support for all chains
      except for the INPUT and OUTPUT chains.
    - Better syslog message support when run in auto-blocking mode.
    - Added iptables auto-block rules section to --Status output.
    - Added init script for Fedora systems.
    - Added default_log() function to IPTables::Parse.  This function
      parses user defined chains in an effort to find default logging
      rules.
    - Added EMAIL_LIMIT_STATUS_MSG to control whether or not psad sends a
      status email when the PSAD_EMAIL_LIMIT threshold has been reached by
      an IP address.
    - Added ENABLE_SCAN_ARCHIVE to control whether or not psad archives old
      scan data within /var/log/psad/scan_archive at start time.

psad-1.3.3 (09/09/2004):
    - Fixed __WARN__ and __DIE__ exception handlers so that they
      reference global message variables.
    - Fixed auto danger level assignments.  Network auto assignments as
      well as per-protocol assignments work now.
    - Added SYSLOG_DAEMON variable to define which syslog daemon is running
      on the underlying system instead of just guessing.
    - Added the ability to ignore both ranges and specific ports/protocols
      with a new variable IGNORE_PORTS in psad.conf.
    - Bugfix to make sure email addresses are separated by spaces when
      Psad::sendmail() is called.
    - Bugfix for ipt_prefix counters not being parsed correct at import
      time.
    - Removed exclude_auto_ignore_ip() since this function was made
      unnecessary by newly rewritten auto-assign code.
    - Bugfix for Text::Wrap calls in install.pl uninstall() routine.
    - Bugfix for using --no-fw-search-all even when FW_SEARCH_ALL is
      set to "Y".
    - Removed extraneous ".." and "**" chars from syslog messages, and
      updated to use [+] prefix strings.
    - Moved init scripts into init-scripts directory within source tree.
    - Removed dependency on Bit::Vector (psad does not seem to make use
      of any Date::Calc functions that require it).
    - Wrapped copy() and move() calls with "or die()" to make them
      safer in install.pl.
    - Added check for existing psad process in install.pl.
    - Updated to a new psad email alert subject format.  Prefixes of
      "[psad-alert]", "[psad-error]", and "[psad-status]" are used now.
    - Permissions fixes with umask() setting in /var/log/psad, permissions
      fixes for files in /etc/psad at install time.

psad-1.3.2 (06/25/2004):
    - Removed FW_MSG_SEARCH from psad.conf, and created a new config
      file "fw_search.conf" that both psad and kmsgsd use to get the
      FW_MSG_SEARCH definition(s).
    - Added default mode of parsing all iptables messages instead of
      just those that contain specific search strings.  A new config
      variable "FW_SEARCH_ALL" was added to fw_search.conf that
      controls this mode.
    - Updated psad and kmsgsd so that multiple firewall search strings
      can be specified through multiple FW_MSG_SEARCH variables in
      fw_search.conf.
    - Added iptables chain and logging-prefix tracking for current
      scan interval in email alerts.
    - Added protocol-specific auto-danger level assignments.
    - Added total scan source and destination IP address counters in
      --Status output.
    - Added number of email alerts sent and OS guess in default
      --Status output.  The output is getting wide now, so there is
      also a new option --status-brief that will remove the alerts
      sent and OS guess columns.
    - Added getopt() command line arg parsing to kmsgsd with two new
      options "-c" (for config file path) and "-k" (for fw_search.conf
      path).
    - Made iptables parsing code into its own script "fwcheck_psad"
      that gets called by psad.
    - Added Dshield stats summary to --Status output.
    - Bugfix for auto-ignore IP addresses and networks being missed.
    - Made parsing of ifconfig output language independent (should
      handle French now for example).
    - Removed "psad_" prefix on files psad_signatures, psad_auto_ips,
      psad_posf, and psad_icmp_types in /etc/psad/.
    - Updated to version 4.6.14 of the whois client.

psad-1.3.1 (12/25/2003):
    - Added the ability to import /var/log/psad/<ip> directories
      back into memory so scan data remains persistent across
      psad restarts or system reboots.
    - Added --Analyze-msgs to run psad in analysis mode against an
      iptables logfile (/var/log/psad/fwdata by default).  The logfile
      path can be changed with --messages-file.
    - Added icmp type and code validation against RFC 792.
    - Bugfix for being too strict with FW_MSG_SEARCH.
    - Added port ranges for tcp and udp scans in <ip>/<dst>_packet_ctr.
    - Added <ip>/<dst>_start_time and <ip>/os_guess.
    - Bugfix for missing --no-signatures code.
    - Updated to Snort-2.1 signatures.

psad-1.3 (11/30/2003):
    - Replaced all signatures in psad_signatures with updated snort
      rules.
    - Added support for source and destination ip addresses in
      signature matching code.  A new variable "HOME_NET" makes this
      possible.
    - Added support for the iptables output chain.
    - Added chain tracking for all signatures.
    - Replaced match_fastsigs() with two new routines for tcp and
      udp signature matching that don't autovivify hash keys.
    - Removed support for ipchains.
    - Added support for metalog.
    - Removed all "Undefined Code" signatures from psad_signatures.
    - Re-worked %auto_blocked_ips hash and corresponding blocking
      routines.  This (hopefully) fixes a restart bug seen on older
      systems such as those that are still running versions of perl
      less than 5.6.
    - Re-worked firewall policy parsing routines.  Chains that have
      a default policy of DROP are handled properly now.
    - Bugfix for missing NULL char in kmsgsd.c.
    - Updated scan alerting format.  Put current interval protocol
      status before source and destination addresses.
    - Buffer overflow fix in kmsgsd.c for size of buf[MAX_LINE_BUF]
      buffer in read() call.
    - Added --no-kmsgsd option to aid in psad --debug mode.

psad-1.2.4 (10/15/2003):
    - Added danger level to subject line in email alerts.
    - Removed diskmond altogether since psad now handles disk space
      thresholds directly.  This allows filehandles to be handled
      properly.
    - Added auto_block_ignore_ip() to prevent 0.0.0.0, 127.0.0.1,
      and local interface ips from being included in auto blocking
      routines.
    - Added Bit::Vector module to stop installation warnings from
      Date::Calc.
    - Made get_local_ips() called periodically since local addresses
      may change (dhcp, etc.).
    - Added installation code and init script for Gentoo Linux.
    - Bugfix for INIT_DIR in uninstall() routine in install.pl.
    - Bugfix for auto-blocking loop after timeouts are hit.
    - Added --status-dl [N] to display status information only for
      those scans that reach at least [N].

psad-1.2.3 (09/12/2003):
    - Added interface tracking for scans.
    - Bugfix for not opening /etc/hosts.deny the right way in
      tcpwr_block().
    - Bugfix for psadfifo path in syslog-ng config.
    - Better format for summary stats section in email alerts.
    - Bugfix for INIT_DIR path on non-RedHat systems.
    - Bugfix for gzip path.
    - Make Psad.pm installed last of all perl modules installed
      by psad.
    - Added additional call to incr_syscall_ctr() in psadwatchd.c

psad-1.2.2 (08/24/2003):
    - psad is finally available as an RPM package.
    - Added chain tracking for iptables.
    - Added chain counts to --Status output.
    - Bugfix for psad not taking into account multiple scan
      destinations.
    - Reworked auto-blocking code for both tcpwrappers and
      iptables.  Lines added to /etc/hosts.deny will no longer be
      duplicated.  Added IPTABLES_AUTO_RULENUM and
      IPCHAINS_AUTO_RULENUM so auto rules can be inserted at a
      configurable point within iptables and ipchains policies.
    - Psad now installs all perl modules within /usr/lib/psad.
    - Removed /var/log/psad/<ip>/scanlog file since it was wasting
      too much disk.
    - Made psad, psadwatchd, and diskmond take the machine hostname
      from their respective config files.  This makes installation
      via the rpm easier, and is generally cleaner.
    - Added scan destination in --Status output.
    - Added --status-sort-dl (the default status output is now
      sorted by ip address by default).

psad-1.2.1 (07/11/2003):
    - Bugfix for multiple processes being spawned by psadwatchd
      due to lack of proper config variables in the new split
      daemon config files.
    - Bugfix for old scan messages being regenerated if a HUP
      signal is received.
    - Bugfix for incorrectly calculating disk utilization in
      diskmond.c.
    - Extended install.pl to include compression for archived
      files in /etc/psad.
    - Added preserve questions in install.pl for the psad
      signature and auto ips files.
    - Bugfix for --USR1 command line switch not mapping to the
      correct subroutine.
    - Bugfix for psad man page missing the pipe character in
      psadfifo line for syslog.conf.

psad-1.2 (06/18/2003):
    - Added passive OS fingerprinting based on packet ttl, length,
      tos, and id fields.
    - Added dshield.org alerting capability.
    - Added exec_external_script() for external script execution.
    - Added auto blocked timeouts.
    - Implemented config re-imports via HUP signals in a manner
      similar to various other system daemons (sysylog, apache
      etc.)
    - Better --Status output that shows packet counts per protocol
      for each ip.
    - Added --ip-status for more verbose status output for a
      particular ip address.
    - Added config preservation code to install.pl.
    - Added Psad::psyslog().
    - Split psad.conf into a separate config file for each of the
      four psad daemons.
    - Completely re-worked the auto blocking code (made dedicated
      files for iptables and ipchains block methods).
    - Added danger level hash.
    - Minor code cleanups (shorter hash keys, etc.).

psad-1.1.1 (04/26/2003):
    - Bugfix for incorrect usage of %scan hash keys associated
      with tcp/udp when the current protocol is icmp.
    - Bugfix for being too strict on iptable default log string.
    - Reworked USR1 signal handler so the Data::Dumper function
      call is made in the main part of the psad code.
    - Added a startup message for psad.
    - Minor bugfix for leading whitespace in auto_ips.

psad-1.1 (04/20/2003):
    - Added the IPTables::Parse module for better processing of
      the iptables ruleset.
    - Added --snort-sids so that iptables messages generated by
      fwsnort can be included in alerts.  Such alerts now include
      the content fields of packets (fwsnort uses the iptables
      string match module).
    - Added the ability to specify entire networks in the auto
      ips file through the use of the Net::IPv4Addr module.
    - Better logging format that reinstates the current interval,
      and adds an "overall stats" section that includes packet
      counters per protocol.
    - Removed the PROTO hash key since it was unnecesssary.
    - Better benchmarking code.
    - Bug fix for incorrectly looking for the "MAC" string in
      iptables messages that could have been generated by the
      FORWARD chain.

psad-1.0 (02/27/2003):
    - Added --Benchmark and --packets command line options to support
      psad benchmarking.
    - Bugfix for improperly detecting NULL scans.
    - Completely redesigned website.

psad-1.0.0-pre4 (11/26/2002):
    - Rewrote kmsgsd and psadwatchd in C.