Patches to provide full TCP flag-logging capabilities exist for the ipchains firewall code in the 2.2.x Linux kernel series. For examples, see the Linux-Kernel Archive from 12/01/2000 to 12/07/2000, available at www.uwsg.indiana.edu/hypermail/linux/kernel/0012.0/index.html. Within this archive is a thread entitled “[PATCH] ipchains log will show all flags”, which contains a source code diff against linux-2.2.x/net/ipv4/ip_fw.c.
The best place for information on the vagaries of TCP is straight from the horse's mouth: RFC 793, Transmission Control Protocol, at www.ibiblio.org/pub/docs/rfc/rfc793.txt.
For a sample psad e-mail alert, see Listing 4 at ftp.ssc.com/pub/lj/listings/issue91/4876.tgz.
Items on the to-do list for psad include ipfilter support on *BSD platforms, a rewrite of significant psad components in C for better performance, ICMP support, better signature specification to include more fields of the IP/UDP/TCP headers, and integration with Bastille Linux (see www.bastille-linux.org).