psad-2.4.6 (07/31/2018):
- Add EMAIL_APPEND_HEADER to allow psad alerts to have custom email headers
appended to outbound emails. This uses the '-a' command line argument
offered by the 'mail' command. An example usage would be to set the
'From' email header.
- Bug fix for ENABLE_OVERRIDE_FW_CMD feature to allow global option
settings to the underlying firewall command to be controlled via a new
variable FW_CMD_ARGS. This variable is only used when
ENABLE_OVERRIDE_FW_CMD is enabled, and is set to NONE by default.
Normally, on systems running firewalld, the command line arguments
'--direct --passthrough ipv4' are supplied by default, but FW_CMD_ARGS can be
used to override this.
- For iptables logs generated by fwsnort, include the contents of the
'metadata' Snort rule field in psad email alerts.
- Updated to bundle the latest Emerging Threats rule set in
deps/snort_rules.
- Bug fix for ENABLE_OVERRIDE_FW_CMD feature to use correct hash key

psad-2.4.5 (06/13/2017):
- Added proper port sweep detection based on a single port being probed
across a configurable number of destination hosts. The number of
destinations is controlled by the following new configuration variables
(and associated defaults) in the psad.conf file:
    DL1_UNIQUE_HOSTS 10;
    DL2_UNIQUE_HOSTS 20;
    DL3_UNIQUE_HOSTS 50;
    DL4_UNIQUE_HOSTS 100;
    DL5_UNIQUE_HOSTS 500;
    PORT_RANGE_SWEEP_THRESHOLD 0;
The PORT_RANGE_SWEEP_THRESHOLD variable is set to zero by default to
denote a sweep for a single port. The comparison is made as an "equals"
test against this variable. So a scan that trips the
PORT_RANGE_SCAN_THRESHOLD can be changed to a sweep if
PORT_RANGE_SWEEP_THRESHOLD is changed to a value greater than
PORT_RANGE_SCAN_THRESHOLD and if at least DL1_UNIQUE_HOSTS are hit.
- Bug fix to apply syslog only ALERTING_METHOD properly when an email
throttle is also set. This issue was reported by @joshlinx on github as
issue #44.
- Bug fix to include top signature matches in 'psad --Status' output. This
issue was reported by @joshlinx on github as issue #41.
- In the psad.conf file, change the ENABLE_PERSISTENCE default to "N" in
order to (by default) limit psad's memory consumption. The trade-off is
that really "low and slow" scans may be missed in exchange for a better
operational model. Note the MAX_SCAN_IP_PAIRS variable can also be used
to control memory consumption if ENABLE_PERSISTENCE is enabled.
- Added new variables ENABLE_OVERRIDE_FW_CMD and FW_CMD to force a path to
a firewall binary to be set instead of having psad search for standard
installation paths.

psad-2.4.5-pre1 release:
- Added proper port sweep detection based on a single port being probed
across a configurable number of destination hosts. The number of
destinations is controlled by the following new configuration variables
(and associated defaults) in the psad.conf file:
    DL1_UNIQUE_HOSTS 10;
    DL2_UNIQUE_HOSTS 20;
    DL3_UNIQUE_HOSTS 50;
    DL4_UNIQUE_HOSTS 100;
    DL5_UNIQUE_HOSTS 500;
- Bug fix to apply syslog only ALERTING_METHOD properly when an email
throttle is also set. This issue was reported by @joshlinx on github as
issue #44.
- Bug fix to include top signature matches in 'psad --Status' output. This
issue was reported by @joshlinx on github as issue #41.
- In the psad.conf file, change the ENABLE_PERSISTENCE default to "N" in
order to (by default) limit psad's memory consumption. The trade-off is
that really "low and slow" scans may be missed in exchange for a better
operational model. Note the MAX_SCAN_IP_PAIRS variable can also be used
to control memory consumption if ENABLE_PERSISTENCE is enabled.

psad-2.4.4 (02/20/2017):
- Added detection for Mirai botnet default credentials scans. These scans
follow a well-defined pattern of 10 connections to TCP port 23 (telnet)
followed by a connection to TCP port 2323.
- Added installation support (install.pl and 'psad.service' file) for
systems running systemd.
- Bug fix to not remove auto-blocked IPs from a running psad instance
with 'psad --Status'.
- Updated to version 5.2.13 of the whois client.
- Updated to IPTables::ChainMgr 1.6.
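The port sweep danger levels from the 2.4.5 notes and the Mirai credential-scan pattern from the 2.4.4 notes, modelled in one added Python example (this is not psad's own Perl code; the iptables log lines, the regex and the simplified "port range equals threshold" check are assumptions made for illustration):

```python
import re
from collections import defaultdict

# Defaults quoted in the psad.conf excerpt of the 2.4.5 changelog entry.
DL_UNIQUE_HOSTS = {1: 10, 2: 20, 3: 50, 4: 100, 5: 500}
PORT_RANGE_SWEEP_THRESHOLD = 0   # 0 denotes a sweep of a single port

# Assumed iptables log layout: SRC= ... DST= ... PROTO= ... DPT=
LOG_RE = re.compile(r"SRC=(\S+).*?DST=(\S+).*?PROTO=(\w+).*?DPT=(\d+)")

def parse(line):
    """Return (src, dst, proto, dport) from an iptables log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return src, dst, proto, int(dpt)

def sweep_danger_level(events, src):
    """Highest DLn whose DLn_UNIQUE_HOSTS is met by a sweep from src (0 if none)."""
    by_port = defaultdict(set)
    for s, dst, _proto, dpt in events:
        if s == src:
            by_port[dpt].add(dst)
    ports = sorted(by_port)
    # "equals" test: the probed port range must match the sweep threshold
    if not ports or ports[-1] - ports[0] != PORT_RANGE_SWEEP_THRESHOLD:
        return 0
    hosts = len(set().union(*by_port.values()))
    level = 0
    for dl, minimum in sorted(DL_UNIQUE_HOSTS.items()):
        if hosts >= minimum:
            level = dl
    return level

def is_mirai_credential_scan(events, src):
    """Mirai pattern from the 2.4.4 notes: 10 TCP/23 connections then TCP/2323."""
    dports = [dpt for s, _, proto, dpt in events if s == src and proto == "TCP"]
    for i in range(len(dports) - 10):
        if dports[i:i + 10] == [23] * 10 and dports[i + 10] == 2323:
            return True
    return False

# Constructed sample log: 10.0.0.9 sweeps TCP/22 across 12 hosts (meets DL1,
# not DL2); 10.0.0.7 performs the Mirai telnet pattern against one host.
SAMPLE = [f"kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.0.2.{i} PROTO=TCP SPT=4444 DPT=22"
          for i in range(1, 13)]
SAMPLE += [f"kernel: DROP IN=eth0 SRC=10.0.0.7 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT={p}"
           for p in [23] * 10 + [2323]]
EVENTS = [e for e in map(parse, SAMPLE) if e]
```

Raising PORT_RANGE_SWEEP_THRESHOLD above zero, as the notes describe, reclassifies a multi-port probe of that exact range as a sweep once DL1_UNIQUE_HOSTS destinations are hit.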

psad-2.4.3 (12/19/2015):
- Bug fix in fwcheck_psad for an uninitialized variable affecting
firewalld deployments.
- Bug fix to add psad process into -K, -S, and -R handling if psad is
reading iptables logs via journalctl. This is necessary because psad
fork()'s an extra copy of itself when reading via journalctl.
- Updated to IPTables::ChainMgr 1.5.

psad-2.4.2 (11/29/2015):
- Bug fix to apply the EMAIL_ALERT_DANGER_LEVEL threshold to auto-blocking
emails (reported by itoffshore@github).
- Bug fix to include the META.yml file for the Unix::Syslog module. This
issue was reported by github user itvasile as issue #26.
- Updated IPTables::ChainMgr and IPTables::Parse to 1.4 and 1.6.1
respectively. The IPTables::Parse update is important because of a
security vulnerability fixed by Miloslav Trmač. This vulnerability was
an issue where temporary files used predictable names, and this could be
leveraged by a local attacker to overwrite any files to which the
attacker has write permissions.
- With the update to IPTables::Parse 1.6.1, the path to the
iptables/ip6tables/firewall-cmd binary is worked out by the module
directly instead of by psad.