psad Features
- Detection for TCP SYN, FIN, NULL, and XMAS scans as well as UDP scans.
- Detection of many signature rules from the Snort intrusion detection system.
- Forensics mode Netfilter logfile analysis (useful as a forensics tool for extracting scan information from old Netfilter logfiles).
- Passive operating system fingerprinting via TCP syn packets. Two different fingerprinting strategies are supported; a re-implementation of p0f that strictly uses Netfilter log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
- Email alerts that contain TCP/UDP/ICMP scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
- Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the Netfilter string match extension and fwsnort.
- Icmp type and code header field validation.
- Configurable scan thresholds and danger level assignments.
- Iptables ruleset parsing to verify "default drop" policy stance.
- IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
- DShield alerts.
- Auto-blocking of scanning IP addresses via Netfilter and/or tcpwrappers based on scan danger level. (This feature is NOT enabled by default.)
- Parsing of Netfilter log messages and generation of CSV output that can be used as input to AfterGlow. This allows Netfilter logs to be visualized. Here are some example graphs created by parsing the Netfilter logs provided by the Honeynet Project: Scan30 and Scan34.
- Status mode that displays a summary of current scan information with associated packet counts, Netfilter chains, and danger levels.
