Saturday, November 22, 2008

PSAD - how it works?

Here is what /var/log/messages shows:

Nov 22 23:22:36 www kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1e:68:9a:f6:19:00:13:7f:c4:47:1a:08:00 SRC=123.12.89.26 DST=203.114.11.102 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=55810 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 22 23:22:41 www psad: src: 123.12.89.26 signature match: "MISC MS Terminal Server communication attempt" (sid: 100077) tcp port: 3389
Nov 22 23:22:41 www psad: scan detected: 123.12.89.26 -> 203.114.11.102 tcp: [3389] flags: SYN tcp pkts: 1 DL: 2

Nov 22 23:28:03 www kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1e:68:9a:f6:19:00:13:7f:c4:47:1a:08:00 SRC=221.10.240.100 DST=203.114.11.102 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=48158 DF PROTO=TCP SPT=4121 DPT=4899 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 22 23:28:07 www psad: src: 221.10.240.100 signature match: "MISC Radmin Default install options attempt" (sid: 100204) tcp port: 4899
Nov 22 23:28:07 www psad: scan detected: 221.10.240.100 -> 203.114.11.102 tcp: [4899] flags: SYN tcp pkts: 1 DL: 2

Nov 22 23:36:02 www kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1e:68:9a:f6:19:00:13:7f:c4:47:1a:08:00 SRC=77.194.196.82 DST=203.114.11.102 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=22232 DF PROTO=TCP SPT=4390 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 22 23:36:07 www psad: src: 77.194.196.82 signature match: "MISC Radmin Default install options attempt" (sid: 100204) tcp port: 4899
Nov 22 23:36:07 www psad: scan detected: 77.194.196.82 -> 203.114.11.102 tcp: [4899] flags: SYN tcp pkts: 1 DL: 2

Look at these three pairs of entries. First my Shorewall (iptables) drops the packet and logs it. psad then reads that log line, pulls out the source, destination, protocol, port and TCP flags, and checks them against its Snort-derived signature set. A hit is logged with the signature name and sid (here 100077 for RDP on tcp/3389 and 100204 for Radmin on tcp/4899), and the source IP is assigned a danger level, the "DL: 2" at the end of each "scan detected" line.
Blocking is a separate step: only if auto-response is turned on (ENABLE_AUTO_IDS in psad.conf, off by default) and the source's danger level reaches AUTO_IDS_DANGER_LEVEL (default 5) does psad add an iptables rule against that IP, which it removes again after AUTO_BLOCK_TIMEOUT (default 3600 seconds). With the stock settings none of these three DL 2 sources would actually be blocked yet.
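To make the pipeline concrete, here is a small added example (my own toy code, not psad's) that walks the same path over the three kernel log lines quoted above: parse the iptables fields, match a tiny signature table, compute a per-source danger level and apply the auto-block decision. The signature table, the danger level values and the psad.conf defaults are assumptions written into the code; the sids and messages are the ones psad logged in the post.

```python
"""Toy re-creation of what psad does with an iptables/Shorewall DROP line:
parse fields -> match signatures -> assign danger level -> decide on auto-block.
Constructed example, not psad's own code."""
import re
from collections import defaultdict

# Sample input: the three kernel DROP lines quoted in the post, plus one
# constructed non-firewall line that must be ignored.
LOG_LINES = [
    "Nov 22 23:22:36 www kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1e:68:9a:f6:19:00:13:7f:c4:47:1a:08:00 SRC=123.12.89.26 DST=203.114.11.102 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=55810 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 22 23:28:03 www kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1e:68:9a:f6:19:00:13:7f:c4:47:1a:08:00 SRC=221.10.240.100 DST=203.114.11.102 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=48158 DF PROTO=TCP SPT=4121 DPT=4899 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 22 23:36:02 www kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1e:68:9a:f6:19:00:13:7f:c4:47:1a:08:00 SRC=77.194.196.82 DST=203.114.11.102 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=22232 DF PROTO=TCP SPT=4390 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Nov 22 23:40:00 www sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2",  # constructed
]

# Constructed signature table. sid and msg are what psad logged in the post;
# the match criteria and danger level ("dl") are simplified assumptions here.
SIGNATURES = [
    {"sid": 100077, "msg": "MISC MS Terminal Server communication attempt",
     "proto": "TCP", "dport": 3389, "flags": {"SYN"}, "dl": 2},
    {"sid": 100204, "msg": "MISC Radmin Default install options attempt",
     "proto": "TCP", "dport": 4899, "flags": {"SYN"}, "dl": 2},
]

# Assumed to mirror stock psad.conf: auto-response off, threshold DL 5.
ENABLE_AUTO_IDS = False
AUTO_IDS_DANGER_LEVEL = 5

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=VALUE tokens
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_log(line):
    """Parse one iptables/Shorewall log line into a dict, or return None when
    the line is not a firewall entry. Bare flag tokens end up in 'FLAGS'."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = frozenset(t for t in line.split() if t in TCP_FLAG_TOKENS)
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def match_signatures(rec):
    """Return every signature whose proto, dport and flags all match."""
    return [s for s in SIGNATURES
            if rec.get("PROTO") == s["proto"]
            and rec.get("DPT") == s["dport"]
            and s["flags"] <= rec["FLAGS"]]


def analyse(lines):
    """Group dropped TCP packets by source IP. Danger level is 1 for any
    dropped packet and is raised to the highest matching signature's level."""
    sources = defaultdict(lambda: {"ports": set(), "pkts": 0, "sids": set(), "dl": 0})
    for line in lines:
        rec = parse_iptables_log(line)
        if rec is None or rec.get("PROTO") != "TCP":   # toy: TCP only
            continue
        src = sources[rec["SRC"]]
        src["pkts"] += 1
        src["ports"].add(rec["DPT"])
        src["dl"] = max(src["dl"], 1)
        for sig in match_signatures(rec):
            src["sids"].add(sig["sid"])
            src["dl"] = max(src["dl"], sig["dl"])
    return dict(sources)


def should_auto_block(dl, enable=ENABLE_AUTO_IDS, threshold=AUTO_IDS_DANGER_LEVEL):
    """Block only when auto-response is enabled AND the danger level reaches
    the configured threshold; a signature hit alone is not enough."""
    return enable and dl >= threshold


if __name__ == "__main__":
    for ip, info in analyse(LOG_LINES).items():
        print(f"{ip} -> tcp: {sorted(info['ports'])} sids: {sorted(info['sids'])} "
              f"DL: {info['dl']} auto-block: {should_auto_block(info['dl'])}")
```

Running it reproduces the three "scan detected" sources at DL 2 and shows that with the assumed defaults none of them is blocked; flip the enable flag and lower the threshold to see when the iptables rule would actually be added.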

Cool, isn't it?
