IP Scan Detector.
-----------------

This program is designed to be a passive listener for TCP packets sent to
the host. It does not exercise the promiscuous mode of interfaces. For
routing Unix boxes (and firewalls which route/proxy) this is sufficient to
detect all packets going to/through them.

Upon compiling, a predefined set of "sensitive" ports are configured into
the program. Any TCP packets which are seen sent to these ports are counted
and the IP# of the sending host recorded, along with the time of the first
packet to that port for that IP#.

After a given number of "hits", it will write the current table of packets
out to disk. This number defaults to 10,000.

To analyze the information written to disk, a sample program called "ipsdr"
is used (it should, but doesn't, implement a tree algorithm for storing data)
which reads all log files it recognises and totals up the number of ports
each host hit. By default, all ports have the same weighting (1). Another
group of passes is then made over this table using a netmask of 0xfffffffe,
grouping all results which fall under the same resulting IP#. This netmask
is then shrunk back to 0, with an output for each level given. This is aimed
at detecting port scans done from different hosts on the same subnet (although
I've not seen this done, if one was trying to do it obscurely...)
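
The following is an added example, not the ipsd or ipsdr source, that models both halves
of the design described above in one small C program: the detector's table of hits
(sensitive ports only, packet count per sender and port, IP# of the sender, time of the
first packet, and a dump after a fixed number of hits) and the analyser's passes over that
table (one weight per port hit, then grouping under a netmask that shrinks from 0xfffffffe
to 0). The sensitive port list, the struct layouts and the names ipsd_record and
ipsdr_group are assumptions made for the example, the on-disk dump is stubbed as a
counter, and the packets are constructed in main rather than taken from the kernel.

```c
/* Added example, not the ipsd/ipsdr source: an in-memory model of the detector's hit
 * table and of the analyser's per-host totals and netmask sweep (packets fed by caller). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MAX_ENTRIES 256

/* One (sender, sensitive port) pair: packet count and time of the first packet. */
struct hit { uint32_t src; uint16_t port; unsigned count; time_t first_seen; };

struct hit_table {
    struct hit e[MAX_ENTRIES];
    int n;                      /* entries in use */
    unsigned hits, flushes;     /* hits since the last flush; flushes so far */
    unsigned flush_at;          /* dump the table after this many hits (ipsd: 10,000) */
};

/* Assumed compile-time set of "sensitive" ports for this example. */
static const uint16_t sensitive_ports[] = { 21, 22, 23, 25, 80, 110, 143 };

static int is_sensitive(uint16_t port)
{
    size_t i;
    for (i = 0; i < sizeof sensitive_ports / sizeof *sensitive_ports; i++)
        if (sensitive_ports[i] == port) return 1;
    return 0;
}

/* Detector side: count one TCP packet (src in host byte order).  Returns 1 if it
 * was recorded, 0 if it was ignored (port not sensitive, or table full). */
int ipsd_record(struct hit_table *t, uint32_t src, uint16_t dport, time_t now)
{
    int i;
    if (!is_sensitive(dport)) return 0;
    for (i = 0; i < t->n; i++)
        if (t->e[i].src == src && t->e[i].port == dport) break;
    if (i == t->n) {                  /* first packet to this port from this host */
        if (t->n == MAX_ENTRIES) return 0;
        t->e[i].src = src;
        t->e[i].port = dport;
        t->e[i].count = 0;
        t->e[i].first_seen = now;
        t->n++;
    }
    t->e[i].count++;
    if (++t->hits >= t->flush_at) {   /* stands in for writing the table to disk */
        t->flushes++;
        t->hits = 0;
    }
    return 1;
}

/* Analyser side: one pass at a given netmask.  Each (host, port) entry weighs 1, so at
 * mask 0xffffffff g[] holds the number of ports each host hit; coarser masks merge
 * neighbouring hosts under their shared prefix.  Returns the number of groups. */
struct group { uint32_t prefix; unsigned total; };

int ipsdr_group(const struct hit_table *t, uint32_t mask, struct group *g, int max)
{
    int n = 0, i, j;
    for (i = 0; i < t->n; i++) {
        uint32_t p = t->e[i].src & mask;
        for (j = 0; j < n && g[j].prefix != p; j++) ;
        if (j == n) {
            if (n == max) return n;
            g[n].prefix = p;
            g[n].total = 0;
            n++;
        }
        g[j].total++;
    }
    return n;
}

int main(void)
{
    struct hit_table t;
    struct group g[MAX_ENTRIES];
    uint32_t mask;
    int i, n;
    memset(&t, 0, sizeof t);
    t.flush_at = 10000;
    /* Constructed traffic: 10.0.0.4 and 10.0.0.5 split one sweep of the port list. */
    ipsd_record(&t, 0x0a000004, 21, 1000);
    ipsd_record(&t, 0x0a000004, 22, 1001);
    ipsd_record(&t, 0x0a000004, 22, 1002);    /* repeat: counted, not a new entry */
    ipsd_record(&t, 0x0a000005, 23, 1003);
    ipsd_record(&t, 0x0a000005, 25, 1004);
    ipsd_record(&t, 0x0a000009, 80, 1005);
    for (mask = 0xfffffffeU; ; mask <<= 1) {  /* shrink the mask from 0xfffffffe to 0 */
        n = ipsdr_group(&t, mask, g, MAX_ENTRIES);
        for (i = 0; i < n; i++)
            printf("mask %08x prefix %08x: %u port(s)\n",
                   (unsigned)mask, (unsigned)g[i].prefix, g[i].total);
        if (mask == 0) break;
    }
    return 0;
}
```

The mask loop in main is the "another group of passes" from the text: at 0xffffffff each
host stands alone and 10.0.0.4 and 10.0.0.5 look like two small probes, at 0xfffffffe they
collapse onto one prefix with the combined port count, and by the time the mask reaches 0
every sender in the log has merged into a single line, so the coarse levels are only useful
when read against the finer ones above them.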

Lastly, being passive means that no action is taken to stop port scans being
done or discourage them.

Darren
darrenr@pobox.com