psad - iptables log message analyzer
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs and advanced port scans (FIN, NULL, Xmas), which are easily launched against a machine with nmap.
When combined with fwsnort, psad is capable of detecting approximately 75% of all Snort rules, including those that inspect the application portion of IP packets. In addition, psad makes use of packet TTL, TOS, IP ID, and TCP window sizes to passively fingerprint the remote operating systems from which scans originate. For more information, see the complete list of features offered by psad.
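To make the kind of analysis described above concrete, here is an added Python example that is not part of psad (which is written in Perl): it parses iptables LOG lines, labels the NULL/FIN/Xmas flag combinations, groups hits per source to spot a port sweep, and makes a crude TTL-based guess at the scanning host's operating system. The log lines, constants, function names and the port threshold are constructed assumptions of this example, not psad's own signatures or defaults.

```python
import re
from collections import defaultdict

# TCP flag tokens the iptables LOG target prints (a clear flag is simply absent) and the
# flag combinations psad reports as stealth probes (nmap -sN / -sF / -sX).
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
STEALTH = {frozenset(): "NULL", frozenset({"FIN"}): "FIN",
           frozenset({"FIN", "PSH", "URG"}): "XMAS"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def _line(src, ttl, dpt, flags):  # constructed iptables LOG line, not captured traffic
    return (f"kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL={ttl} "
            f"ID=0 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

# Sample: an Xmas and a NULL probe from 203.0.113.7, then a SYN sweep from 198.51.100.9.
SAMPLE_LOG = [_line("203.0.113.7", 59, 22, "FIN PSH URG"), _line("203.0.113.7", 59, 80, ""),
              *(_line("198.51.100.9", 121, p, "SYN") for p in (22, 80, 443))]

def parse_log_line(line):
    """Return the KEY=value fields of an iptables LOG line plus a FLAGS set, or None."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None                         # not an iptables LOG message
    tail = line.split("PROTO=", 1)[1] if "PROTO" in fields else ""
    fields["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields

def classify_flags(flags):
    """Name of the stealth probe a TCP flag set represents, or None for normal traffic."""
    return STEALTH.get(frozenset(flags))

def guess_os_from_ttl(ttl):
    """Crude passive fingerprint: initial TTLs are commonly 64, 128 or 255, minus hops."""
    return "Linux/Unix-like" if ttl <= 64 else "Windows" if ttl <= 128 else "router/Solaris"

def analyze(lines, port_threshold=3):
    """Report sources that sent any stealth probe or hit >= port_threshold distinct ports."""
    per_src = defaultdict(lambda: {"ports": set(), "kinds": set(), "ttl": 0})
    for line in lines:
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP":
            continue                        # only TCP carries the flags we classify
        rec = per_src[f["SRC"]]
        rec["ports"].add(int(f["DPT"]))
        rec["ttl"] = int(f["TTL"])
        if kind := classify_flags(f["FLAGS"]):
            rec["kinds"].add(kind)
    return {src: {"ports": sorted(r["ports"]), "kinds": sorted(r["kinds"]),
                  "os_guess": guess_os_from_ttl(r["ttl"])}
            for src, r in per_src.items() if r["kinds"] or len(r["ports"]) >= port_threshold}
```

Running `analyze(SAMPLE_LOG)` reports both sources; raising the threshold to 4 drops the SYN sweep while the flag-based probes are still flagged on their first packet.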