- Detection for TCP SYN, FIN, NULL, and XMAS scans as well as UDP scans.
- Support for both IPv4 and IPv6 logs generated by iptables and ip6tables respectively.
- Detection of many signature rules from the Snort intrusion detection system.
- Forensics mode iptables/ip6tables logfile analysis (useful as a forensics tool for extracting scan information from old iptables/ip6tables logfiles).
- Passive operating system fingerprinting via TCP SYN packets. Two different fingerprinting strategies are supported: a re-implementation of p0f that strictly uses iptables/ip6tables log messages (requires the `--log-tcp-options` command line switch), and a TOS-based strategy.
- Email alerts that contain TCP/UDP/ICMP scan characteristics, reverse DNS and WHOIS information, Snort rule matches, remote OS guess information, and more.
- When combined with fwsnort and the iptables string match extension, psad can generate alerts for application layer buffer overflow attacks, suspicious application commands, and other suspect layer 7 traffic.
- ICMP type and code header field validation.
- Configurable scan thresholds and danger level assignments.
- iptables rule-set parsing to verify “default drop” policy stance.
- IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
- DShield alerts.
- Auto-blocking of scanning IP addresses via iptables/ip6tables and/or tcpwrappers based on scan danger level. (This feature is NOT enabled by default.)
- Parsing of iptables/ip6tables log messages and generation of CSV output that can be used as input to AfterGlow. This allows iptables/ip6tables logs to be visualized. Gnuplot is also supported.
- Status mode that displays a summary of current scan information with associated packet counts, iptables/ip6tables chains, and danger levels.
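As an added worked example (not psad's own code, and not taken from the project), the following Python script reproduces the core of the detection described in the list above on a handful of constructed iptables/ip6tables LOG lines: it parses the `key=value` fields, classifies TCP flag combinations as SYN, FIN, NULL or XMAS scans, tracks UDP probes per source, validates IPv4 ICMP type/code pairs against a reduced table, assigns an illustrative per-source danger level from packet counts, and emits AfterGlow-style `src,dst,dport` CSV rows. The sample log lines, the danger-level thresholds and the ICMP table are assumptions for illustration, not psad's configuration or defaults.

```python
from collections import defaultdict

# Constructed iptables/ip6tables LOG lines (not real traffic); syslog prefix shortened.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=4 PROTO=TCP SPT=5555 DPT=443 WINDOW=1024 RES=0x00 URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=5 PROTO=TCP SPT=5555 DPT=8080 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=6 PROTO=TCP SPT=5555 DPT=21 WINDOW=1024 RES=0x00 FIN URGP=0
Jan 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 10 12:00:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=ICMP TYPE=3 CODE=19 ID=1234 SEQ=2
Jan 10 12:00:07 fw kernel: IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::10 LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=1111 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:08 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=32 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=UDP SPT=3000 DPT=53 LEN=12
"""

# TCP flags appear in LOG output as bare tokens after RES=; DF (an IP flag) is deliberately excluded.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Assumed (illustrative) thresholds: (minimum packets from one source, danger level).
DANGER_THRESHOLDS = [(1, 1), (5, 2), (15, 3), (150, 4), (1500, 5)]

# Assumed reduced IPv4 ICMP table: type -> valid code range (RFC 792 plus common extensions).
ICMP_VALID_CODES = {0: range(1), 3: range(16), 4: range(1), 5: range(4), 8: range(1),
                    9: range(1), 10: range(1), 11: range(2), 12: range(3), 13: range(1), 14: range(1)}


def parse_log_line(line):
    """Turn one iptables/ip6tables LOG line into a dict; bare TCP flag tokens go into FLAGS."""
    if "PROTO=" not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)  # ICMP lines repeat ID=; keep the first (IP header) value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def classify_tcp(flags):
    """Map a TCP flag set to the scan types psad reports; anything else is ordinary traffic."""
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"FIN"}:
        return "FIN"
    if not flags:
        return "NULL"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    return "OTHER"


def danger_level(packet_count):
    """Highest assumed threshold reached by the packet count (0 if none)."""
    level = 0
    for minimum, lvl in DANGER_THRESHOLDS:
        if packet_count >= minimum:
            level = lvl
    return level


def summarize(log_text):
    """Aggregate per-source scan evidence and build AfterGlow-style src,dst,dport CSV rows."""
    per_src = defaultdict(lambda: {"packets": 0, "tcp_scans": defaultdict(int),
                                   "tcp_ports": set(), "udp_ports": set(), "icmp_invalid": []})
    csv_rows = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        rec = per_src[f["SRC"]]
        rec["packets"] += 1
        if f["PROTO"] == "TCP":
            rec["tcp_scans"][classify_tcp(f["FLAGS"])] += 1
            rec["tcp_ports"].add(int(f["DPT"]))
        elif f["PROTO"] == "UDP":
            rec["udp_ports"].add(int(f["DPT"]))
        elif f["PROTO"] == "ICMP":  # ICMPv6 (PROTO=ICMPv6) is not validated by this v4 table
            t, c = int(f["TYPE"]), int(f["CODE"])
            if c not in ICMP_VALID_CODES.get(t, range(0)):
                rec["icmp_invalid"].append((t, c))
        # Third column: destination port, or ICMP type when there is no port
        csv_rows.append(f"{f['SRC']},{f['DST']},{f.get('DPT', f.get('TYPE', ''))}")
    summary = {src: {"packets": r["packets"], "danger_level": danger_level(r["packets"]),
                     "tcp_scans": dict(r["tcp_scans"]), "tcp_ports": sorted(r["tcp_ports"]),
                     "udp_ports": sorted(r["udp_ports"]), "icmp_invalid": r["icmp_invalid"]}
               for src, r in per_src.items()}
    return summary, csv_rows


if __name__ == "__main__":
    report, rows = summarize(SAMPLE_LOG)
    for src, info in report.items():
        print(src, info)
    print("\n".join(rows))
```

The flag-set comparisons are exact on purpose: a SYN/ACK or a FIN/ACK is normal session traffic and must not be counted as a scan, which is why only the bare `SYN`, bare `FIN`, empty and `FIN/PSH/URG` combinations are labelled. In psad the thresholds and the auto-blocking decision are driven by the configuration file, so the packet-count mapping here is only a stand-in for that logic.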
Psad also includes a whois client written by Marco d’Itri (see the deps/whois directory).

psad generally runs on Linux systems, and is available in the package repositories of many major Linux distributions.