| |
| IP Scan Detetor. |
| ---------------- |
| |
| This program is designed to be a passive listener for TCP packets sent to |
| the host. It does not exercise the promiscous mode of interfaces. For |
| routing Unix boxes (and firewalls which route/proxy) this is sufficient to |
| detect all packets going to/through them. |
| |
| Upon compiling, a predefined set of "sensitive" ports are configured into |
| the program. Any TCP packets which are seen sent to these ports are counted |
| and the IP# of the sending host recorded, along with the time of the first |
| packet to that port for that IP#. |
| |
| After a given number of "hits", it will write the current table of packets |
| out to disk. This number defaults to 10,000. |
| |
| To analyze the information written to disk, a sample program called "ipsdr" |
| is used (should but doesn't implement a tree algorithm for storing data) |
| which reads all log files it recognises and totals up the number of ports |
| each host hit. By default, all ports have the same weighting (1). Another |
| group of passes is then made over this table using a netmask of 0xfffffffe, |
| grouping all results which fall under the same resulting IP#. This netmask |
| is then shrunk back to 0, with a output for each level given. This is aimed |
| at detecting port scans done from different hosts on the same subnet (although |
| I've not seen this done, if one was trying to do it obscurely...) |
| |
| Lastly, being passive means that no action is taken to stop port scans being |
| done or discourage them. |
| |
| Darren |
| darrenr@pobox.com |