psad Features

In its current incarnation, psad can detect various types of suspicious traffic, such as port scans generated by tools like Nmap (see http://www.insecure.org), probes for various backdoor programs, Distributed Denial of Service (DDoS) tools, and efforts to abuse networking protocols. When combined with fwsnort (see Chapter 9, Chapter 10, and Chapter 11), psad can detect and generate alerts for over 60 percent of all Snort-2.3.3 rules, including those that require the inspection of application layer data.

Among psad's more interesting features is its ability to passively fingerprint the remote operating system from which a scan or other malicious traffic originates. For example, if someone launches a TCP connect() scan from a Windows ...
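As an added example (not from the book or from psad's own code), the following Python sketch shows the two features just described working from constructed iptables LOG lines of the kind psad parses: it flags a source whose SYNs touched many distinct ports, and maps the logged TTL to a coarse OS family. The initial-TTL table is a simplified assumption for illustration, not psad's fingerprint signature set.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (sample input, not captured traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=7411 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# Coarse initial-TTL heuristic; an assumption for this example, not psad's signature database.
INITIAL_TTLS = [(64, "Linux/Unix-like (initial TTL 64)"),
                (128, "Windows-like (initial TTL 128)"),
                (255, "Network device/Solaris-like (initial TTL 255)")]

def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line, or None if it is not one."""
    if "PROTO=" not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def guess_os(ttl):
    """Map an observed TTL to the nearest common initial TTL at or above it."""
    for initial, label in INITIAL_TTLS:
        if ttl <= initial:
            return label
    return "unknown"

def find_scans(log_text, min_ports=5):
    """Flag sources whose TCP SYNs hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    sig = {}  # first observed (TTL, WINDOW) per source, used as the passive fingerprint
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP" or " SYN " not in line:
            continue
        ports[f["SRC"]].add(int(f["DPT"]))
        sig.setdefault(f["SRC"], (int(f["TTL"]), int(f["WINDOW"])))
    return {src: {"ports": sorted(p), "ttl": sig[src][0], "window": sig[src][1],
                  "os_guess": guess_os(sig[src][0])}
            for src, p in ports.items() if len(p) >= min_ports}

for src, info in find_scans(SAMPLE_LOG).items():
    print(f"{src}: {len(info['ports'])} ports, TTL {info['ttl']}, {info['os_guess']}")
```

With the constructed lines, only 203.0.113.7 is reported (six distinct ports, TTL 52, guessed as a Linux/Unix-like sender); the single connection from 198.51.100.9 stays below the threshold.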