psad-2.0.2 (12//2006): - Added the ability to download the latest signatures from cipherdyne.org in install.pl. - Added the cd_rpmbuilder script to make it easy to build RPM's out of CipherDyne projects by automatically downloading the project .tar.gz and .spec files from http://www.cipherdyne.org/. - Added print statements for @INC array in debug mode so that the user can see the additional /usr/lib/psad/* directories added by import_psad_perl_modules(). - Changed Unix::Syslog import strategy from "use" to "require" since the path is not known until import_psad_perl_modules() gets a chance to run (psad ran fine without this, but it is more consistent this way). - Bugfix for not properly including elements of the @connected_subnets_cidr array. - IP subnet bugfix to make sure to get the entire subnet in signature import routine if it is not in CIDR format - Bugfix to not print an IP addresses in the "top attackers" section that do not have at least one packet or signature match (for any reason). - Bugfix to not print more than TOP_IP_LOG_THRESHOLD IP addresses in thet top attackers section. - Updated install.pl to reference configuration paths directly from psad.conf instead of defining them separately. This should fix Debian bug #403566. - Added -c argument to install.pl so that the path to a psad.conf file can be altered from the command line. - Bugfix to not import any IP from the top_attackers file from a previous psad run that does not have a /var/log/psad/ directory. - Added MIN_DANGER_LEVEL to allow all alerts and /var/log/psad/ tracking to be disabled unless an attacker reaches at least this danger level. - Added text in install.pl to mention ifconfig parsing for HOME_NET derivation. psad-2.0.1 (12/12/2006): - Added Nachi worm reconnaisannce icmp signature - Added the psad_ip_len signature keyword to allow the length field in the IP header to be explicitly tested. - Bugfix for inappropriately removing some directories in @INC when splicing in psad perl module paths. - Switched nf2csv installation path in install.pl to /usr/bin/. psad-2.0 (12/10/2006): - Completely refactored the Snort rule matching support in psad. Added many header field tests with full range matching support. These tests include the following keywords from Snort: ttl, id, seq, ack, window, icmp_id, icmp_seq, itype, icode, ip_proto, ipopts, and sameip. - Refactored all signatures in /etc/psad/signatures to conform to new signature matching support in this release. There are now about 190 signatures that psad can run directly against Netfilter logging messages (i.e. without the help of fwsnort). - Added the ability to download the latest signatures file from http://www.cipherdyne.org/psad/signatures with the --sig-update command line argument to psad. - Added "MISC Windows popup spam" signature. This allows psad to detect when attempts are made to send spam via the Windows Messenger service. - Completely reworked --Status and --Analyze output, signature matches are included now, along with a listing of top sig matches, top scanned ports, and top attackers. Also, scan data is not written to /var/log/psad/ipt_analysis/ before display analysis output in -A mode; analysis results are displayed much faster this way. - Added ipEye, Subversion, Kuang2, Microsoft SQL, Radmin, and Ghostsurf signatures. - Added 'data in TCP SYN packet' signature. - Added --CSV mode so that psad can be used to generate comma-separated value output suitable for the AfterGlow project (see http://afterglow.sourceforge.net/index.html) for graphical representations of Netfilter logs and associated scan data. Also added nf2csv so that normal users can take advantage of this feature. - Added emulation of the Snort "dsize" test through the use of the IP length field for TCP/ICMP signatures, and the UDP length field for UDP signatures. For SYN packets, TCP options are included so psad automatically adds 44 bytes (the maximum length for TCP options) so the dsize test corresponds to the estimated payload length. - Added the psad_id, psad_dsize, and psad_derived_sids fields for the new Snort rule support. - Added the ability to decode IP options, which are included within Snort rules as the "ipopts" keyword. This functionality requires that the --log-ip-options command line argument is given to iptables when building a rule that uses the LOG target. - Added Snort rules (sids 475, 500, 501, and 502) that detect IP options usage such as source routing and the traceroute IP option with the new IP options decoder. - Enhanced psad email alert output to include sid values that have been derived from existing Snort rules. - Added the ability to expand embedded variables within the psad configuration files. For example, the path to the FW_DATA_FILE is defined in psad.conf as "$PSAD_DIR/fwdata", which resolves to /var/log/psad/fwdata when the PSAD_DIR variable is expanded. This feature allows a consistent set of file paths to easily be defined instead of using the full path for each file path. - Better validation of IPT_AUTO_CHAIN{n} variables so that the from_chain cannot be identical to the to_chain. - Added dump_config() to psadwatchd.c and kmsgsd.c when compiled with debugging support. - Added ENABLE_INTF_LOCAL_NETS to have psad automatically treat all IP addresses that are part of the local system as belonging to the HOME_NET for signature matching. - Added ENABLE_SNORT_SIG_STRICT to have psad exit if there are any problems found with Snort rules in the /etc/psad/signatures file. If this feature is disabled (this is the default), then psad generates syslog warnings for improperly formatted signatures). - Update to print the number of IP addresses at each danger level in -A analysis mode. This is useful to get a sense for how long the disk IO might take to write out all of the /var/log/psad/ipt_analysis/ directories. - Added code to restart kmsgsd at psad start up if a previous kmsgsd process is still running and TRUNCATE_FWDATA is set to 'Y' (this is the default). This probably isn't strictly necessary because kmsgsd is capable of writing to the fwdata file even if another process truncates it. - Added code to recreate the AUTO_IPT_SOCK (/var/run/psad/auto_ipt.sock) file if some other process happens to delete it out of /var/run/psad/ - Bugfix to allow backwards compatibility with old NOT_USED value for the HOME_NET variable. - Bugfix to cleanup any lost blocking rules from the running psad timeouts (a separate process might have deleted rules from the psad chains). - Bugfix to allow Netfilter log messages to include the PHYSDEV (i.e. PHYSIN and PHYSOUT) interfaces. - Updated to read architecture-dependent perl module installation directory out of /usr/lib/psad (e.g. "/usr/lib/psad/x86_64-linux") before importing psad perl modules such as IPTables::Parse, etc. These modules are now imported via "require" after the appropriate directories have been added to @INC. This allows the RPM files to be built on one system that builds @INC differently than the system where psad is actually installed since psad can now compensate for this. - Added new code to populate the _signature file in each of the /var/log/psad/ directories with verbose information including the signature time, sid, protocol, dst port, and packet count. - Changed --interval to --Interval, and added --interface to allow psad's detection to be limited to a specific IN interface for the INPUT and FORWARD chains (or OUT interface for the OUTPUT chain). - Replaced --status-brief with --status-summary, but changed it so that only the detailed IP status information is omitted. - Removed unnecessary --status-sort-dl option. - Added STATUS_OUTPUT_FILE so the --Status and --Analyze output is captured instead of just being lost if the output was not piped to 'less' or another similar program. - Added --restrict-ip so that psad will restrict its attack detection operations to a specific IP or network. - Updated psadwatchd.c to parse EMAIL_ADDRESSES out of /etc/psad/psad.conf to avoid duplication of variables. - Bugfix to clear old @ipt_config array after receiving a HUP signal. This bug broke the auto-blocking mode. - Bugfix for syslog-ng config so that any custom source for /proc/kmsg is used for the psadfifo path. psad-1.4.8 (10/15/2006): - Added the ability to get the auto-blocking status for a specific IP address in --status-ip mode. - Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration variables. - Bugfix to restore "start" functionality in Gentoo init script. - Added the ability to selectively disable psad auto-blocking emails. - Added more rigorous IP matching regex from Sebastien J. (contributed originally for fwknop). psad-1.4.7 (09/10/2006): - Completely re-worked IPTables::ChainMgr to support the return of iptables error messages that are collected via stderr. This is critical to fixing a bug where psad would sometimes die on an iptables command but no information would be returned to the user. - Added the ability to specify the position for both the jump rule into the psad chains as well as the position for new rules within the psad chains via the -I argument to iptables. This fixes a bug where the user was given the impression that the IPTABLES_AUTO_RULENUM would accomplish this. - Populated the _debug option in the IPTables::ChainMgr module, and also added a _verbose option so that the specific iptables commands can actually be seen as IPTables::ChainMgr functions are called. - Added code to install.pl to ask the user if a manual restart of syslog is ok upon an unsuccessful test of the syslog reconfiguration. This fixes a bug where some syslog daemons might not re-import their configurations after receiving a HUP signal. - Bugfix for incorrect config variable name that gated Netfilter prerequisite checks. - Added code to install.pl to update command paths in psad.conf and psadwatchd.conf if any of the paths are broken (i.e. the local system does not conform to the default paths). By default this only happens if the user does not want old configs to be merged, but to override this use the new --path-update command line argument to install.pl. - Added the --Skip-mod-install command line argument to install.pl to allow all perl module installs to be skipped. - Added the --force-mod-regex command line argument to install.pl to allow a regex match on perl module names to force matching modules to be installed. - Added the logrotate.psad file (contributed by Albert Whale). psad-1.4.6 (06/13/2006): - Added ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX to allow filtering on logging prefixes. - Added code to save DShield email to a file. - Added IPTABLES_PREREQ_CHECK to allow the administrator to control the frequency of Netfilter checks (for auto-block compatibility). - Added IGNORE_LOG_PREFIXES to allow certain log prefixes to be completely ignored by psad. - Added classification.config file from Snort-2.3.3 so that psad can assign danger levels based upon Snort rule class type. This is useful when also running fwsnort. - Added snort_rule_dl to allow specific psad to assign specific danger level values to particular signatures. This is useful if you want to do define certain Snort rules as being particularly evil (or not). Running fwsnort is also necessary to take advantage of this feature. - Added reference.config so that psad can include reference information in email alerts that are derived from attacks detected by fwsnort. - Updated to Snort-2.3.3 signatures. - Updated to whois-4.7.13. psad-1.4.5 (01/13/2006): - Bugfix in IPTables::Parse to allow the limit target to apply to logging rules. - Made calls to chain creation and jump rule functions for only every 100 block calls in auto-IDS mode. - Bugfix to make sure /var/run/psad directory exists at startup since this directory is removed by some Linux distributions at boot time. - Bugfix for zero masks in auto_dl; this allows a network of "0.0.0.0/0" to be specified. - Added ENABLE_FW_LOGGING_CHECK so that the Netfilter policy check can be enabled/disabled easily via psad.conf. - Enhanced -D output to include "uname -a" and "perl -V" output. - Added ENABLE_RENEW_BLOCK_EMAILS to allow whether renew emails are sent for auto-blocked addresses. psad-1.4.4 (11/27/2005): - Added MAC address reporting in psad email alerts. This feature is enabled via a new config keyword "ENABLE_MAC_ADDR_REPORTING". - Added --fw-rm-block-ip option to allow IP addresses to be removed from the auto-blocking chains from the command line. - Updated command line firewall arguments to write commands to the AUTO_IPT_SOCK domain socket. - Added the ability to specify ports and port ranges to auto_dl file. - Added --force-mod-install command line argument to installer to force perl modules used by psad to be installed within /usr/lib/psad regardless of whether they already exist in the system perl tree. - Bugfix in the installer to seek() to the end of the fwdata file - Bugfix for psad repeatedly trying to remove the same IP address(es) from the auto-blocking chains. instead of reading the entire thing into memory. - Added the ability to truncate the fwdata file via a new configuration keyword "TRUNCATE_FWDATA" (this is enabled by default). - Bugfix in auto-blocking mode for deleting AUTO_IPT_SOCK when a HUP signal is received. - Bugfix for parsing Netfilter policies that contain ULOG logging rules instead of the standard LOG target. - Removed the smtpdaemon requirement in the RPM because psad might be configured to not send email alerts. psad-1.4.3 (09/27/2005): - Bugfixes for auto-blocking code. Timeouts should be handled properly, including cached IP addresses in the auto_blocked_iptables file that are referenced upon psad startup. Communication with the running psad is performed over a Unix domain socket in --fw-block mode. - Bugfix to seek to the end of the fwdata file instead of reading the entire thing into memory and then looking for newly written logging messages. This drastically reduces the amount of memory required by psad. - Updated to only display psad chains if --verbose is set - Updated to automatically flush the psad auto-response Netfilter chains at start time (subject to a new config keyword "FLUSH_IPT_AT_INIT"). psad-1.4.2 (07/15/2005): - Dependency bugfixes for mail binary. - Bugfix for various IGNORE_* keywords not being honored. - Bugfix for not timing out blocked IP addresses from a previous run. - Updated to version 0.2 of the IPTables::ChainMgr module. - Updated to not truncate the fwdata file upon psad startup. - Added --fw-dump which produces a sanitized (i.e. no IP addresses) version of the local Netfilter policy. Also added --fw-include-ips to (optionally) not sanitize IPs/nets. Note that the 0.0.0.0 and 0.0.0.0/0 IPs/nets are not sanitized since they give no useful information about specific IPs/nets. - Added ulogd data collection mode. - Bugfix for FW_MSG_SEARCH default (at least "DROP" is included now even if FW_SEARCH_ALL is set to "N"). - Bugfix for non-network address for subnet specified with --fw-block. - Bugfix for multiple --fw-block IPs/nets. - Added README.SYSLOG (Francois Marier contributed the content). - Made email alert prefixes (such as "[psad-alert]") customizable via psad.conf. psad-1.4.1 (03/12/2005): - Updated to Snort-2.3 rules in the snort_rules directory. - Re-worked syslog installation portion of install.pl. The user will always be prompted to enter the syslog daemon now, and also added the --syslog-conf arg to allow the config file path to be specified on the install.pl command line. - Bugfix in install.pl for using IP address instead of network address of directly connected subnets. - Updated to version 4.6.23 of the whois client. - Bugfix for distinguishing OPT field associated with --log-tcp-options vs. --log-ip-options. - Bugfix for syslog format that may not include the "kernel:" tag. - Applied patch to only install perl modules that are not already installed (Blair Zajac). - Bugfix for the psad version number that is sent in DShield alerts. - Updated Psad module directory structure to be consistent with current versions of perl (5.8.x). - Added IPTables::ChainMgr module. - Completely re-worked the Netfilter auto-blocking code to use IPTables::ChainMgr functions so that auto-generated rules are placed in chains created by psad. - Added IPT_AUTO_CHAIN keyword in psad.conf which is used to define the set of chains to which auto-generated Netfilter rules are added. - Added --fw-list-auto to display the contents of psad Netfilter chains. - Added the ability to import an IP into the Netfilter auto-blocking chains from the command line with --fw-block-ip. This allows psad to apply its timeout mechanism against such IPs/nets. - Added the ability to ignore packets based on input interface with IGNORE_INTERFACES in psad.conf. - Re-worked auto_dl code, better hash design and searching function. - Removed dependency on sendmail command unless DShield alerting is enabled and a DShield user id is specified. - Added ALERTING_METHODS keyword in the file alert.conf to allow either syslog or email alerts (or both) to be disabled. Psad and psadwatchd reference this file. psad-1.4.0 (11/26/2004): - Added p0f-style passive OS fingerprinting through the use of the OPT field in iptables log messages (which is only logged through the use of the --log-tcp-options command line arg to iptables). - Bugfix for iptables log messages that include tcp sequence numbers (see the iptables --log-tcp-sequence command line argument). - Bugfix for O_RDONLY open flag when kmsgsd receives a HUP signal. psad-1.3.4 (10/17/2004): - Bugfix for init script directory on Slackware systems. - Bugfix for null prefix counters. - Added --whois-analysis argument since whois lookups are now disabled by default when running in analysis (-A) mode. - Updated psad_init() to rework setup() and import orderings vs. --fw-analyze and --Benchmark modes. - Added bidirectional iptables auto-blocking support for all chains except for the INPUT and OUTPUT chains. - Better syslog message support when run in auto-blocking mode. - Added iptables auto-block rules section to --Status output. - Added init script for Fedora systems. - Added default_log() function to IPTables::Parse. This function parses user defined chains in an effort to find default logging rules. - Added EMAIL_LIMIT_STATUS_MSG to control whether or not psad sends a status email when the PSAD_EMAIL_LIMIT threshold has been reached by an IP address. - Added ENABLE_SCAN_ARCHIVE to control whether or not psad archives old scan data within /var/log/psad/scan_archive at start time. psad-1.3.3 (09/09/2004): - Fixed __WARN__ and __DIE__ exception handlers so that they reference global message variables. - Fixed auto danger level assignments. Network auto assignments as well as per-protocol assignments work now. - Added SYSLOG_DAEMON variable to define which syslog daemon is running on the underlying system instead of just guessing. - Added the ability to ignore both ranges and specific ports/protocols with a new variable IGNORE_PORTS in psad.conf. - Bugfix to make sure email addresses are separated by spaces when Psad::sendmail() is called. - Bugfix for ipt_prefix counters not being parsed correct at import time. - Removed exclude_auto_ignore_ip() since this function was made unnecessary by newly rewritten auto-assign code. - Bugfix for Text::Wrap calls in install.pl uninstall() routine. - Bugfix for using --no-fw-search-all even when FW_SEARCH_ALL is set to "Y". - Removed extraneous ".." and "**" chars from syslog messages, and updated to use [+] prefix strings. - Moved init scripts into init-scripts directory within source tree. - Removed dependency on Bit::Vector (psad does not seem to make use of any Date::Calc functions that require it). - Wrapped copy() and move() calls with "or die()" to make them safer in install.pl. - Added check for existing psad process in install.pl. - Updated to a new psad email alert subject format. Prefixes of "[psad-alert]", "[psad-error]", and "[psad-status]" are used now. - Permissions fixes with umask() setting in /var/log/psad, permissions fixes for files in /etc/psad at install time. psad-1.3.2 (06/25/2004): - Removed FW_MSG_SEARCH from psad.conf, and created a new config file "fw_search.conf" that both psad and kmsgsd use to get the FW_MSG_SEARCH definition(s). - Added default mode of parsing all iptables messages instead of just those that contain specific search strings. A new config variable "FW_SEARCH_ALL" was added to fw_search.conf that controls this mode. - Updated psad and kmsgsd so that multiple firewall search strings can be specified through multiple FW_MSG_SEARCH variables in fw_search.conf. - Added iptables chain and logging-prefix tracking for current scan interval in email alerts. - Added protocol-specific auto-danger level assignments. - Added total scan source and destination IP address counters in --Status output. - Added number of email alerts sent and OS guess in default --Status output. The output is getting wide now, so there is also a new option --status-brief that will remove the alerts sent and OS guess columns. - Added getopt() command line arg parsing to kmsgsd with two new options "-c" (for config file path) and "-k" (for fw_search.conf path). - Made iptables parsing code into its own script "fwcheck_psad" that gets called by psad. - Added Dshield stats summary to --Status output. - Bugfix for auto-ignore IP addresses and networks being missed. - Made parsing of ifconfig output language independent (should handle French now for example). - Removed "psad_" prefix on files psad_signatures, psad_auto_ips, psad_posf, and psad_icmp_types in /etc/psad/. - Updated to version 4.6.14 of the whois client. psad-1.3.1 (12/25/2003): - Added the ability to import /var/log/psad/ directories back into memory so scan data remains persistent across psad restarts or system reboots. - Added --Analyze-msgs to run psad in analysis mode against an iptables logfile (/var/log/psad/fwdata by default). The logfile path can be changed with --messages-file. - Added icmp type and code validation against RFC 792. - Bugfix for being too strict with FW_MSG_SEARCH. - Added port ranges for tcp and udp scans in /_packet_ctr. - Added /_start_time and /os_guess. - Bugfix for missing --no-signatures code. - Updated to Snort-2.1 signatures. psad-1.3 (11/30/2003): - Replaced all signatures in psad_signatures with updated snort rules. - Added support for source and destination ip addresses in signature matching code. A new variable "HOME_NET" makes this possible. - Added support for the iptables output chain. - Added chain tracking for all signatures. - Replaced match_fastsigs() with two new routines for tcp and udp signature matching that don't autovivify hash keys. - Removed support for ipchains. - Added support for metalog. - Removed all "Undefined Code" signatures from psad_signatures. - Re-worked %auto_blocked_ips hash and corresponding blocking routines. This (hopefully) fixes a restart bug seen on older systems such as those that are still running versions of perl less than 5.6. - Re-worked firewall policy parsing routines. Chains that have a default policy of DROP are handled properly now. - Bugfix for missing NULL char in kmsgsd.c. - Updated scan alerting format. Put current interval protocol status before source and destination addresses. - Buffer overflow fix in kmsgsd.c for size of buf[MAX_LINE_BUF] buffer in read() call. - Added --no-kmsgsd option to aid in psad --debug mode. psad-1.2.4 (10/15/2003): - Added danger level to subject line in email alerts. - Removed diskmond altogether since psad now handles disk space thresholds directly. This allows filehandles to be handled properly. - Added auto_block_ignore_ip() to prevent 0.0.0.0, 127.0.0.1, and local interface ips from being included in auto blocking routines. - Added Bit::Vector module to stop installation warnings from Date::Calc. - Made get_local_ips() called periodically since local addresses may change (dhcp, etc.). - Added installation code and init script for Gentoo Linux. - Bugfix for INIT_DIR in uninstall() routine in install.pl. - Bugfix for auto-blocking loop after timeouts are hit. - Added --status-dl [N] to display status information only for those scans that reach at least [N]. psad-1.2.3 (09/12/2003): - Added interface tracking for scans. - Bugfix for not opening /etc/hosts.deny the right way in tcpwr_block(). - Bugfix for psadfifo path in syslog-ng config. - Better format for summary stats section in email alerts. - Bugfix for INIT_DIR path on non-RedHat systems. - Bugfix for gzip path. - Make Psad.pm installed last of all perl modules installed by psad. - Added additional call to incr_syscall_ctr() in psadwatchd.c psad-1.2.2 (08/24/2003): - psad is finally available as an RPM package. - Added chain tracking for iptables. - Added chain counts to --Status output. - Bugfix for psad not taking into account multiple scan destinations. - Reworked auto-blocking code for both tcpwrappers and iptables. Lines added to /etc/hosts.deny will no longer be duplicated. Added IPTABLES_AUTO_RULENUM and IPCHAINS_AUTO_RULENUM so auto rules can be inserted at a configurable point within iptables and ipchains policies. - Psad now installs all perl modules within /usr/lib/psad. - Removed /var/log/psad//scanlog file since it was wasting too much disk. - Made psad, psadwatchd, and diskmond take the machine hostname from their respective config files. This makes installation via the rpm easier, and is generally cleaner. - Added scan destination in --Status output. - Added --status-sort-dl (the default status output is now sorted by ip address by default). psad-1.2.1 (07/11/2003): - Bugfix for multiple processes being spawned by psadwatchd due to lack of proper config variables in the new split daemon config files. - Bugfix for old scan messages being regenerated if a HUP signal is received. - Bugfix for incorrectly calculating disk utilization in diskmond.c. - Extended install.pl to include compression for archived files in /etc/psad. - Added preserve questions in install.pl for the psad signature and auto ips files. - Bugfix for --USR1 command line switch not mapping to the correct subroutine. - Bugfix for psad man page missing the pipe character in psadfifo line for syslog.conf. psad-1.2 (06/18/2003): - Added passive OS fingerprinting based on packet ttl, length, tos, and id fields. - Added dshield.org alerting capability. - Added exec_external_script() for external script execution. - Added auto blocked timeouts. - Implemented config re-imports via HUP signals in a manner similar to various other system daemons (sysylog, apache etc.) - Better --Status output that shows packet counts per protocol for each ip. - Added --ip-status for more verbose status output for a particular ip address. - Added config preservation code to install.pl. - Added Psad::psyslog(). - Split psad.conf into a separate config file for each of the four psad daemons. - Completely re-worked the auto blocking code (made dedicated files for iptables and ipchains block methods). - Added danger level hash. - Minor code cleanups (shorter hash keys, etc.). psad-1.1.1 (04/26/2003): - Bugfix for incorrect usage of %scan hash keys associated with tcp/udp when the current protocol is icmp. - Bugfix for being too strict on iptable default log string. - Reworked USR1 signal handler so the Data::Dumper function call is made in the main part of the psad code. - Added a startup message for psad. - Minor bugfix for leading whitespace in auto_ips. psad-1.1 (04/20/2003): - Added the IPTables::Parse module for better processing of the iptables ruleset. - Added --snort-sids so that iptables messages generated by fwsnort can be included in alerts. Such alerts now include the content fields of packets (fwsnort uses the iptables string match module). - Added the ability to specify entire networks in the auto ips file through the use of the Net::IPv4Addr module. - Better logging format that reinstates the current interval, and adds an "overall stats" section that includes packet counters per protocol. - Removed the PROTO hash key since it was unnecesssary. - Better benchmarking code. - Bug fix for incorrectly looking for the "MAC" string in iptables messages that could have been generated by the FORWARD chain. psad-1.0 (02/27/2003): - Added --Benchmark and --packets command line options to support psad benchmarking. - Bugfix for improperly detecting NULL scans. - Completely redesigned website. psad-1.0.0-pre4 (11/26/2002): - Rewrote kmsgsd and psadwatchd in C.