cipherdyne.org

Michael Rash, Security Researcher

Software Release - psad-2.0.8

The 2.0.8 release of psad is ready for download. This release includes major new functionality that allows psad to interface with Gnuplot to create graphical representations of iptables log data. Here is the ChangeLog:
  • Added --gnuplot mode so that psad can output data that is suitable for plotting with gnuplot. All output produced in this mode is integer data with the exception of date stamps that are derived from iptables syslog messages.
  • Added the ability to negate match conditions on fields specified with the --CSV-fields argument by prepending the string "not" (which plays more nicely with shells like bash than a character like "!"). For example, to graph all packet data in --gnuplot or --CSV modes that originates from the 11.11.0.0/16 subnet and is not destined for port 80, the following argument does the trick: --CSV-fields "src:11.11.0.0/16 dp:not80"
  • In --gnuplot mode, added the ability to generate the count for a CSV field instead of the field itself. Supported modes are an absolute count (<field>count) and a unique count (<field>uniqcount). This is useful, for example, to plot graphs of source IP vs. the number of unique ports. Also added the ability to count iptables log fields over various time scales (minutes, hours, and days) with the following switches: <field>countday, <field>counthour, <field>countmin.
  • In --gnuplot mode, added the ability to specify the view coordinates for 3D graph viewing with --gnuplot-view.
  • Added the Storable-2.16 module along with the --use-store-file argument so that in --gnuplot mode the Gnuplot data can be stored on disk and retrieved quickly. This eliminates a large performance bottleneck when Gnuplot configuration directives are tweaked while the same graph is generated multiple times.
  • Added --gnuplot-template so that a template file can be used for all Gnuplot directives (usually psad creates the .gnu file based on the --gnuplot command line arguments).
  • Added --gnuplot-grayscale to generate graphs without the default red color for graph points.
  • Bugfix for regular expressions not being imported correctly from within the --CSV-fields argument.
  • Added --analysis-fields so the iptables log messages that are parsed in -A mode can be restricted to those that meet certain criteria. For example, to restrict the analyze mode to process packets with a source address of 192.168.10.1, use this command: psad -A --analysis-fields "src:192.168.10.1"
  • Added --plot-separator to allow the format of plot data (either in --gnuplot or --CSV modes) to be influenced by the user.
  • Added the ability to configure the syslog facility and priority via the psad.conf file (see the SYSLOG_FACILITY and SYSLOG_PRIORITY variables).
  • Updated psad.spec file to respect the %_initrddir RPM macro.
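To make the field-matching semantics above concrete (the --CSV-fields / --analysis-fields syntax with "not" negation, CIDR matching on src, and the <field>uniqcount and <field>counthour aggregations), here is an added Python example. It is not psad's code and does not reproduce psad's implementation; it applies the same kind of match specification to a few constructed iptables syslog lines. The abbreviations src and dp come from the ChangeLog; the dst, sp and proto mappings and the sample log lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample iptables syslog lines (not real traffic). The last
# line is a non-iptables message and must be skipped by the parser.
SAMPLE_LOGS = [
    "Jan 12 10:00:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=11.11.3.4 DST=192.168.1.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=34567 DPT=80 SYN URGP=0",
    "Jan 12 10:05:12 fw kernel: IN=eth0 OUT= SRC=11.11.3.4 DST=192.168.1.5 LEN=60 TTL=64 "
    "ID=2 DF PROTO=TCP SPT=34568 DPT=22 SYN URGP=0",
    "Jan 12 10:07:40 fw kernel: IN=eth0 OUT= SRC=11.11.3.4 DST=192.168.1.5 LEN=60 TTL=64 "
    "ID=3 DF PROTO=TCP SPT=34569 DPT=443 SYN URGP=0",
    "Jan 12 11:02:09 fw kernel: IN=eth0 OUT= SRC=11.11.200.9 DST=192.168.1.5 LEN=60 TTL=64 "
    "ID=4 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0",
    "Jan 12 11:03:55 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.1.5 LEN=60 TTL=64 "
    "ID=5 DF PROTO=TCP SPT=50000 DPT=22 SYN URGP=0",
    "Jan 12 11:10:00 fw kernel: IN=eth0 OUT= SRC=192.168.10.1 DST=192.168.1.5 LEN=48 TTL=64 "
    "ID=6 PROTO=UDP SPT=5353 DPT=53 LEN=28",
    "Jan 12 11:11:11 fw sshd[1234]: Accepted publickey for admin from 192.168.1.9 port 51234",
]

# Field abbreviations -> iptables log keys. src and dp are from the ChangeLog;
# the others are assumed for this example.
FIELD_MAP = {"src": "SRC", "dst": "DST", "sp": "SPT", "dp": "DPT", "proto": "PROTO"}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_line(line):
    """Return a dict of KEY=value pairs for an iptables log line, else None.

    The 15-character syslog timestamp is kept under the '_ts' key so the
    records can later be bucketed by hour.
    """
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["_ts"] = line[:15]
    return fields


def parse_field_spec(spec):
    """Turn 'src:11.11.0.0/16 dp:not80' into a list of (key, negate, value)."""
    conds = []
    for token in spec.split():
        name, _, value = token.partition(":")
        if name not in FIELD_MAP or not value:
            raise ValueError(f"unsupported match condition: {token!r}")
        negate = value.startswith("not")  # 'not' prefix negates the match
        if negate:
            value = value[len("not"):]
        conds.append((FIELD_MAP[name], negate, value))
    return conds


def field_matches(actual, wanted):
    """CIDR containment when the wanted value is a network, else exact match."""
    if "/" in wanted:
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
        except ValueError:
            return False
    return actual == wanted


def record_matches(fields, conds):
    """All conditions must hold; a negated condition holds when the match fails."""
    for key, negate, wanted in conds:
        if field_matches(fields.get(key, ""), wanted) == negate:
            return False
    return True


def filter_logs(lines, spec):
    """Parse lines and keep the iptables records satisfying the field spec."""
    conds = parse_field_spec(spec)
    return [f for f in map(parse_iptables_line, lines) if f and record_matches(f, conds)]


def uniq_count(records, key_field, count_field):
    """<field>uniqcount style: number of distinct count_field values per key_field."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec[FIELD_MAP[key_field]]].add(rec.get(FIELD_MAP[count_field], ""))
    return {k: len(v) for k, v in seen.items()}


def count_by_hour(records):
    """<field>counthour style: number of matching records per syslog hour."""
    buckets = defaultdict(int)
    for rec in records:
        buckets[rec["_ts"][:9]] += 1  # 'Jan 12 10' from 'Jan 12 10:05:12'
    return dict(buckets)


if __name__ == "__main__":
    hits = filter_logs(SAMPLE_LOGS, "src:11.11.0.0/16 dp:not80")
    print(len(hits), "records from 11.11.0.0/16 not destined for port 80")
    print("unique dst ports per source:", uniq_count(hits, "src", "dp"))
    print("matches per hour:", count_by_hour(hits))
    print("analysis-fields style filter:", len(filter_logs(SAMPLE_LOGS, "src:192.168.10.1")))
```

The two example specs are the ones quoted in the ChangeLog; the counting helpers show why the uniqcount and counthour modes are useful for plotting, since a source contacting many distinct ports per hour stands out immediately once the data is bucketed this way.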