Genral Web Comments
Thursday, May 19, 2005
 
Cipherdyne -- Security Software
Cipherdyne -- Security Software: "psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.

psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap. When combined with fwsnort, psad is capable of detecting approximately 70% of all Snort rules, including those that inspect the application portion of IP packets. In addition, psad makes use of various packet header fields associated with TCP SYN packets to passively fingerprint remote operating systems (in a manner similar to p0f) from which scans originate. For more information, see the complete list of features offered by psad.

psad is developed around three main principles:

* Good network security starts with a properly configured firewall.
* Suspicious traffic should not be detected at the expense of trying to also block such traffic.
* A significant amount of intrusion detection data can be gleaned from firewall logs, especially if the logs provide information on nearly every field of the network and transport headers.

Frequently asked questions, such as 'How is psad different from portsentry?' are answered in the psad FAQ. Example alerts that psad will send after detecting various scan types are available in the sample alerts. For complete information, including a discussion on specifically how psad upholds the three security principles mentioned above, read the full documentation."
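To make the quoted description concrete, here is a small detector that does, in miniature, what the text says psad does: it parses iptables LOG lines, groups TCP packets by source address, flags sources that sweep many destination ports or use the FIN/NULL/XMAS flag combinations, and attaches a rough TTL-based operating-system hint from the SYN packets. This is an added example written for this page, not psad's own code; the log lines are constructed (RFC 5737 documentation addresses, placeholder hostname, no MAC= field as on a non-Ethernet interface), and the port threshold and TTL buckets are illustrative values, not psad's danger levels or p0f's signatures.

```python
"""Toy port-scan detector over iptables LOG lines (added example, not psad code)."""
from collections import defaultdict

# TCP flag names as iptables prints them: bare tokens such as "... RES=0x00 SYN URGP=0".
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Flag combinations that never occur in a normal TCP handshake (nmap -sN/-sF/-sX).
STEALTH_TYPES = {"NULL", "FIN", "XMAS"}

# Constructed sample log (not real captures). One sshd line and one UDP line are
# included as noise that a firewall-log parser must ignore.
SAMPLE_LOG = """\
May 19 10:00:00 host sshd[812]: Accepted publickey for alice from 192.0.2.4 port 51000 ssh2
May 19 10:00:01 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 10:00:01 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 10:00:01 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40003 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 10:00:02 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40004 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 10:00:02 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40005 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 10:00:03 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 PROTO=TCP SPT=55555 DPT=25 WINDOW=1024 RES=0x00 URGP=0
May 19 10:00:03 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 PROTO=TCP SPT=55556 DPT=110 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
May 19 10:00:04 host kernel: IN=eth0 OUT= SRC=192.0.2.4 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=7712 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
May 19 10:00:05 host kernel: IN=eth0 OUT= SRC=192.0.2.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=118 ID=7713 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""


def parse_line(line):
    """Parse one iptables LOG line into a dict of KEY=value fields plus a FLAGS set.
    Returns None for lines that are not kernel firewall log messages."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    tokens = line.split()
    rec = {}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if sep and key.isupper():
            rec[key] = val
    # Flags are bare tokens; "URGP=0" is not a flag because it contains "=".
    rec["FLAGS"] = frozenset(t for t in tokens if t in TCP_FLAGS)
    return rec


def classify_flags(flags):
    """Name the TCP flag combination using the usual scan-type vocabulary."""
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"URG", "PSH", "FIN"}:
        return "XMAS"
    if flags == {"SYN"}:
        return "SYN"
    return "OTHER"


def ttl_hint(ttl):
    """Rough OS hint from the received TTL, assuming common initial TTLs of
    64, 128 or 255. Real p0f-style fingerprinting also uses window size, options
    and other header fields; this bucketing is an illustrative simplification."""
    ttl = int(ttl)
    if ttl <= 64:
        return "initial TTL 64 (Linux/BSD-like)"
    if ttl <= 128:
        return "initial TTL 128 (Windows-like)"
    return "initial TTL 255 (network device / Solaris-like)"


def detect_scans(log_text, port_threshold=5):
    """Return {src: alert} for sources whose TCP traffic looks like a scan.
    port_threshold is a constructed value (not psad's danger levels): the number
    of distinct destination ports from one source that counts as a sweep."""
    per_src = defaultdict(lambda: {"ports": set(), "types": set(), "ttl": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        entry = per_src[rec["SRC"]]
        entry["ports"].add(int(rec["DPT"]))
        entry["types"].add(classify_flags(rec["FLAGS"]))
        # Fingerprint only from the initial SYN, as the quoted text describes.
        if "SYN" in rec["FLAGS"] and "ACK" not in rec["FLAGS"]:
            entry["ttl"] = rec.get("TTL")
    alerts = {}
    for src, e in per_src.items():
        reasons = []
        if len(e["ports"]) >= port_threshold:
            reasons.append(f"{len(e['ports'])} distinct ports")
        stealth = e["types"] & STEALTH_TYPES
        if stealth:
            reasons.append("stealth flags: " + ", ".join(sorted(stealth)))
        if reasons:
            alerts[src] = {
                "ports": sorted(e["ports"]),
                "types": sorted(e["types"]),
                "reasons": reasons,
                "os_hint": ttl_hint(e["ttl"]) if e["ttl"] else None,
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_scans(SAMPLE_LOG).items():
        print(src, alert)
```

Running it reports 198.51.100.7 for a five-port SYN sweep (with a Linux-like TTL hint) and 203.0.113.9 for NULL and XMAS packets, while 192.0.2.4, which only opened one HTTPS connection, is not reported. The stealth flag combinations are alerted on even for a single packet, because no legitimate stack sends them; the port sweep needs a count, which is why a tool like psad pairs the flag signatures with per-source counting and the danger-level thresholds the page refers to.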

