Port Scan Attack Detection (PSAD) is a collection of three lightweight system daemons written in Perl and C and is designed to work with Linux firewalls like iptables (for Linux 2.4.x kernels) and ipchains (for the 2.2.x kernels) to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.

PSAD produces verbose alert messages which include the source IP, destination IP, scanned port range, timestamps, TCP flags and the corresponding nmap options used (for 2.4.x kernels only), and reverse DNS info; it also supports email alerting and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. PSAD incorporates many of the TCP signatures included in Snort to detect highly suspect scans (for kernel 2.4.x only).

PSAD is developed around three main principles:

  • Good network security starts with a properly configured firewall.
  • A significant amount of intrusion detection data can be gleaned from firewall logs, especially if the logs provide information on nearly every field of the network and transport headers (and even application layer signature matches as in Netfilter’s case).
  • Suspicious traffic should not be detected at the expense of trying to also block such traffic.
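The second principle above is the core of how psad works: it reads the KEY=VALUE fields that the iptables LOG target writes to syslog and builds the alert fields listed earlier (source, destination, port range, timestamps, flags, a guess at the nmap option) from them. The following is an added illustration written for this page, not psad's own Perl code: a minimal detector over constructed iptables log lines that groups packets by source/destination pair and alerts when one source probes at least `threshold` distinct TCP ports (the 5-packet default mirrors psad's lowest danger level; the log format, IP addresses and flag-to-nmap mapping are simplified assumptions).

```python
import re
from collections import defaultdict

# Constructed iptables LOG entries (not a real capture): 203.0.113.5 probes six
# ports on 192.0.2.10 with SYN packets; 198.51.100.7 makes one normal request.
LINE = ("Jan 12 10:00:0{n} fw kernel: DROP IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
        "LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=4500{n} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")
SAMPLE_LOG = "\n".join(
    [LINE.format(n=i, src="203.0.113.5", dpt=21 + i) for i in range(6)]
    + [LINE.format(n=7, src="198.51.100.7", dpt=443)])

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
FLAG_TOKENS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
# Flag combinations and the nmap scan type that produces them (simplified table).
NMAP_HINT = {"SYN": "-sS", "FIN": "-sF", "": "-sN", "FIN,PSH,URG": "-sX"}

def parse_line(line):
    """Parse one Netfilter LOG line into its KEY=VALUE fields plus the TCP flag set."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    # Flags appear as bare tokens (SYN, ACK, ...) after the port fields.
    rec["FLAGS"] = frozenset(t for t in line.split() if t in FLAG_TOKENS)
    m = TS_RE.match(line)
    rec["TS"] = m.group(1) if m else ""
    return rec

def detect_scans(log_text, threshold=5):
    """Alert on any SRC->DST pair that hits at least `threshold` distinct TCP ports."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and "DPT" in rec:
            by_pair[(rec["SRC"], rec["DST"])].append(rec)
    alerts = []
    for (src, dst), recs in by_pair.items():
        ports = sorted({int(r["DPT"]) for r in recs})
        if len(ports) < threshold:
            continue
        flags = ",".join(f for f in FLAG_TOKENS if any(f in r["FLAGS"] for r in recs))
        alerts.append({"src": src, "dst": dst, "packets": len(recs),
                       "port_range": (ports[0], ports[-1]), "flags": flags,
                       "nmap_hint": NMAP_HINT.get(flags, "?"),
                       "first": recs[0]["TS"], "last": recs[-1]["TS"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Running it reports a single alert for 203.0.113.5 against ports 21-26 with SYN-only flags (nmap `-sS`), while the single HTTPS connection from 198.51.100.7 stays below the threshold.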
