File: TODO

package info (click to toggle)
psad 1.4.8-1
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 4,756 kB
  • ctags: 1,878
  • sloc: perl: 28,425; ansic: 8,323; makefile: 1,875; sh: 287
file content (89 lines) | stat: -rw-r--r-- 4,974 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
    - Automated tests to verify correct behavior for command line
      options (and potentially other things such as correctness of
      psad alerts).
    - Take into account whether a destination port is in /etc/services for
      the danger level calculaion.  A SYN packet to tcp/22 is worse than
      a stray SYN packet to an arbitrary high port (as long as there isn't
      a backdoor, etc.).  There are (probably) historically more
      vulnerabilities in sshd than for some service that isn't even listed
      in /etc/services.
    - Idle scan detection through seeing combination of SYN/ACK and RST
      packets (i.e. the iptables box was used as a zombie host).
    - XML logging format.
    - HTML output mode, and ability to create IP directories/pages under a
      web root directory.
    - Add the ability to install.pl to restore the "latest" syslog config
      backup file (fwknop may have been installed for example) at uninstall
      time.
    - Infer NMAP scan if OPT does not exist in the iptables log (because
      tcp options are missing)?
    - Play with SHOW_ALL_SIGNATURES = "Y" since this may not really cause
      hugely long email alerts.  This trick would be to perhaps associate
      a "last seen" timestamp with each old signature.
    - MRTG scripts.
    - Add a DNS_TIMEOUT config keyword.
    - Add a threshold danger level for ENABLE_EXT_SCRIPT_EXEC functionality.
    - Ability to remove email block for a specific ip from a running
      psad process.
    - Summary report emails like dshield does.
    - Ability to elevate scan danger level based on specific iptables
      prefixes.
    - Ability to download latest signatures from cipherdyne.org.
    - Replace full ascii signature listings in <ip>_signatures with sid
      numbers and packet counts.
    - Rework IGNORE_CONNTRACK_BUG_PKTS strategy to maximze signature
      detection.
    - More syslog messages from psad, psadwatchd, and kmsgsd.
    - Put a "psad signature strategy" link in all alert emails.
    - Module tests for Psad.pm
    - Extract default behavior into psad.conf.
    - Custom logging line upon auto-blocking an ip.
    - Add difference notification (via syslog) for changed variables
      after receiving a HUP signal.
    - Signature based auto block rules.
    - Include the ability to specify a network in CIDR notation with
      --Status output.
    - Drop root privileges if not running in auto-blocking mode.
    - Extend install.pl to provide an option to dowload the latest perl
      modules (Date::Calc, Unix::Syslog, etc.) from CPAN.
    - Extend passive OS fingerprinting to make use of more types of
      packets than just tcp/syn packets.
    - Extend passive OS fingerprinting to include signatures from
      Xprobe from http://www.sys-security.com.
    - Add a density calculation for a range of scanned ports, and also
      add a "verbose" mode that will display which of the scanned ports
      actually resolve to something in the IANA spec.
    - Packet grapher mode with annotated scan alerts.
    - Mysql database support?
    - Make use of other logging options available in iptables to detect
      more tcp signatures.  (E.g. --log-tcp-options, --log-ip-options,
      --log-tcp-sequence, etc.) for better signature recognition.
    - psad.conf option to disable signature detection; useful if fwsnort is
      already deployed for this.
    - Include a verbose message in the body of certain emails that as
      of psad-1.0.0-pre2 only contain a subject line.
    - Deal with the possibility that psad could eat lots of memory over
      time if $ENABLE_PERSISTENCE="Y". This should involve periodically
      deleting entries in %scan (or maybe the entire hash), but this
      should be done in a way that allows some scan data to persist.
    - Ipfilter support on *BSD platforms.
    - Take into account syslog message summarization; i.e. "last message
      repeated n times".
    - Possibly add a daemon to take into account ACK PSH, ACK FIN, RST etc.
      packets that the client may generate after the ip_conntrack module
      is reloaded.  Without anticipating such packets psad will interpret
      them as a belonging to a port scan.  NOTE: This problem is mostly
      corrected by the conntrack patch to the kernel.  Also, the
      IGNORE_CONNTRACK_BUG_PKTS variable was added to mitigate this
      problem.
    - Improve check_firewall_rules() to check for a state rule (iptables)
      since having such a rule greatly improves the quality of the data
      stream provided to psad by kmsgsd since more packet types will be
      denied without requiring overly complicated firewall rules to detect
      odd tcp flag combinations.
    - perldoc
    - Ability to auto-respond if certain criteria are met, such as a
      signature match against an established TCP session (SIDnnn ESTABLISHED
      from fwsnort).
    - More IGNORE_* keywords.
    - Configurable Netfilter prerequisite checks.