The Port Scan Attack Detector (psad) is a collection of three system daemons that are designed to work with the Linux iptables firewalling code to detect port scans and other suspect traffic. It features a set of highly configurable danger thresholds (with sensible defaults), verbose alert messages, email alerting, DShield reporting, and automatic blocking of offending IP addresses. Psad incorporates many of the packet signatures included in Snort to detect various kinds of suspicious scans, and implements the same passive OS fingerprinting algorithm used by p0f.
License: GNU General Public License (GPL)
Changes:
A bug was fixed so that kernel timestamps are not included in iptables log prefixes that contain spaces like "[ 65.026008] DROP". Non-resolved IP addresses are now skipped. p0f output in --debug mode was improved to display when a passive OS fingerprint cannot be calculated based on iptables log messages that include TCP options (i.e. with --log-tcp-options when building a LOG rule on the iptables command line).