Package: psad
Version: 2.1.5
Severity: wishlist
Tags: patch

PSAD's package description could do with some attention.
First, it thinks the latest version of Linux is 2.4.x, and claims to support 2.2.x - in fact 2.4 is officially unsupported on oldstable. Second, it has a rather hard-to-follow list of (lists of) features. I've tried to tidy it into a clear bulleted list; if I've chopped it up wrongly, my apologies, but that's more evidence it needs fixing. And third, it claims to incorporate Snort signatures. The NEWS file says those were thrown out a while ago.

Here's a more nitpicky package description review - don't bother reading it if I've already convinced you to accept the patch!

> HomePage: http://www.cipherdyne.org/psad/

(That camelcase is unconventional, but should be harmless. So I don't know why psad's PTS page doesn't show a link...)

> Package: psad
> Architecture: any

(Does the dependency on iptables save it from needing to specify "except the kfreebsd-* release arches"?)

> [...]
> Description: The Port Scan Attack Detector

This is close to the style recommended by the Developers Reference, but it would be closer without the capitalised definite article.

> PSAD is a collection of four lightweight system daemons written in
> Perl and in C that is designed to work with Linux firewalling code
> (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels)

So just say "with iptables", and drop all the references to 2.2/2.4 and ipchains/iptables throughout.

> to detect port scans. It features a set of highly configurable danger (1)
> thresholds (with sensible defaults provided), verbose alert messages (2)
> that include the source, destination, scanned port range, begin and (2a) (2b) (2c) (2d)
> end times, tcp flags and corresponding nmap options (Linux 2.4.x (2d') (2e) (2e'? No, 2f?)
> kernels only), reverse DNS info, email alerting, and automatic (2g? No, 3!) (4) (5)
> blocking of offending ip addresses via dynamic configuration of
> ipchains/iptables firewall rulesets.
Plus some miscellaneous tweaks, such as using the shift key more for Nmap, TCP, and IP (but fwsnort seems to be canonically lowercase).

> .
> In addition, for the 2.4.x kernels psad incorporates many
> of the tcp signatures included in Snort to detect highly suspect scans
> for:
> [...]

Discard all this; instead I've taken some text from the upstream website. My patch has this instead:

Description: Port Scan Attack Detector
 PSAD is a collection of four lightweight system daemons (in Perl and C) designed to work with iptables to detect port scans. It features:
 * a set of highly configurable danger thresholds (with sensible defaults provided);
 * verbose alert messages that include the source, destination, scanned port range, beginning and end times, TCP flags, and corresponding Nmap options;
 * reverse DNS information;
 * alerts via email;
 * automatic blocking of offending IP addresses via dynamic firewall configuration.
 .
 When combined with fwsnort and the Netfilter string match extension, PSAD is capable of detecting many attacks described in the Snort rule set that involve application layer data.

-- 
JBR
Ankh kak! (Ancient Egyptian blessing)
diff -ru psad-2.1.5.pristine/debian/control psad-2.1.5/debian/control --- psad-2.1.5.pristine/debian/control 2010-01-31 23:33:53.000000000 +0000 +++ psad-2.1.5/debian/control 2010-02-01 00:40:00.000000000 +0000 @@ -6,7 +6,7 @@ Build-Depends: debhelper (>= 7), quilt Standards-Version: 3.8.3 -HomePage: http://www.cipherdyne.org/psad/ +Homepage: http://www.cipherdyne.org/psad/ Package: psad Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, ${perl:Depends}, 
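Review bot: the only change in this hunk is the field-name case, `-HomePage:` to `+Homepage:`; since the report ties the missing PTS homepage link to exactly this spelling, the debian/changelog entry for this upload should say so explicitly, so that the fix is traceable if the PTS link reappears. The surrounding context (`Architecture: any`, Standards-Version 3.8.3) is left untouched, which means the report's open question about the kfreebsd-* release arches is not addressed by this patch and should be answered separately rather than assumed resolved.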
@@ -17,23 +17,19 @@ Recommends: bastille Suggests: fwsnort Conflicts: bastille (<< 1:1.3.0-4) -Description: The Port Scan Attack Detector - PSAD is a collection of four lightweight system daemons written in - Perl and in C that is designed to work with Linux firewalling code - (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) - to detect port scans. It features a set of highly configurable danger - thresholds (with sensible defaults provided), verbose alert messages - that include the source, destination, scanned port range, begin and - end times, tcp flags and corresponding nmap options (Linux 2.4.x - kernels only), reverse DNS info, email alerting, and automatic - blocking of offending ip addresses via dynamic configuration of - ipchains/iptables firewall rulesets. +Description: Port Scan Attack Detector + PSAD is a collection of four lightweight system daemons (in Perl and + C) designed to work with iptables to detect port scans. It features: + * a set of highly configurable danger thresholds (with sensible + defaults provided); + * verbose alert messages that include the source, destination, + scanned port range, beginning and end times, TCP flags, and + corresponding Nmap options; + * reverse DNS information; + * alerts via email; + * automatic blocking of offending IP addresses via dynamic firewall + configuration. . - In addition, for the 2.4.x kernels psad incorporates many - of the tcp signatures included in Snort to detect highly suspect scans - for: - . - * various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven) - * DDoS tools (mstream, shaft) - * advanced port scans (syn, fin, xmas) such as those made with nmap - . + When combined with fwsnort and the Netfilter string match extension, + PSAD is capable of detecting many attacks described in the Snort rule + set that involve application layer data.
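Review bot: verify the indentation of the bullet continuation lines in the new Description (e.g. `+ defaults provided);`, `+ scanned port range, beginning and end times, TCP flags, and`, `+ configuration.`): whitespace has been collapsed in this copy of the patch, and a continuation line that starts with two or more spaces is rendered verbatim rather than word-wrapped, which would visibly break the list in package tools. Each long-description line should begin with exactly one space, with the bullet marker and its continuation text aligned by the text itself. The removed paragraph listing backdoor programs, DDoS tools and advanced scan types is replaced by a single sentence that makes the Snort-rule detection conditional on fwsnort and the Netfilter string match extension; that is consistent with the unchanged `Suggests: fwsnort` context above, but the separator line ` .` between the list and the new paragraph is kept as context, so confirm it still renders as a paragraph break and not as part of the final bullet.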