This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.


Psad Intrusion Detection System
External Tool
External Data Source
56 (lowest rank is 56)

Category & Restrictions

intrusion detection, cyber defense


Psad is an Intrusion Detection and Log Analysis with iptables

The Port Scan Attack Detector psad is a lightweight system daemon written in is designed to work with Linux iptables/ip6tables/firewalld firewalling code to detect suspicious traffic such as port scans and sweeps, backdoors, botnet command and control communications, and more. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, reverse DNS info, email and syslog alerting, automatic blocking of offending IP addresses via dynamic configuration of iptables rulesets, passive operating system fingerprinting, and DShield reporting. In addition, psad incorporates many of the TCP, UDP, and ICMP signatures included in the Snort intrusion detection system. to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (Mstream, Shaft), and advanced port scans (SYN, FIN, XMAS) which are easily leveraged against a machine via nmap. psad can also alert on Snort signatures that are logged via fwsnort, which makes use of the iptables string match extension to detect traffic that matches application layer signatures. As of the 2.4.4 release, psad can also detect the IoT default credentials scanning phase of the Mirai botnet.

Additional Details

psad, detection, intrusion, system, 1336, psad intrusion detection system, source, external data source, external, inferlink corporation, inferlink, corporation, iptables, log, analysis, detect, port, signatures, scans, alert, nmap, traffic, snort, botnet, tcp, highly, mstream, detector, command, udp, passive, code, string, application, rulesets, sweeps, dynamic, written, shaft, configurable, info, suspicious, daemon, girlfriend, control, configuration, match, linux, dshield, offending, firewalling, designed, included, xmas, automatic, subseven, credentials, destination, reporting, syn, lightweight, mirai, fwsnort, times, advanced, features, release, dns, matches, thresholds, defaults, messages, programs, extension, other, scanning, backdoors, phase, addition, fin, danger, icmp, iot, logged, scanned, options, easily, fingerprinting, scan, flags, range, include, evilftp, backdoor, suspect, reverse, leveraged, verbose, machine, incorporates, email, firewalld, operating, ddos, syslog, tools, layer, alerting, communications, default, attack, blocking, ip6tables