
IP Scan Detector.
-----------------

This program is designed to be a passive listener for TCP packets sent to
the host.  It does not use the promiscuous mode of interfaces.  For
routing Unix boxes (and firewalls which route/proxy) this is sufficient to
detect all packets going to or through them.  On a host that does not
route, it therefore sees only packets addressed to that host, not traffic
to other machines on the same network segment.

When the program is compiled, a predefined set of "sensitive" ports is
built into it.  Any TCP packet seen going to one of these ports is counted
and the IP# of the sending host recorded, along with the time of the first
packet from that IP# to that port.

After a given number of "hits", it writes the current table of packets
out to disk.  This number defaults to 10,000.

To analyse the information written to disk, a sample program called "ipsdr"
is used (it should, but doesn't, implement a tree algorithm for storing
data).  It reads all log files it recognises and totals up the number of
ports each host hit.  By default, all ports have the same weighting (1).
Another group of passes is then made over this table using a netmask of
0xfffffffe, grouping all results which fall under the same resulting IP#.
The netmask is then progressively shrunk back to 0, with an output given
for each level.  This is aimed at detecting port scans done from different
hosts on the same subnet (although I've not seen this done, if one were
trying to do it obscurely...).

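The two halves described above, the listener's per-host hit table and ipsdr's weighting and netmask grouping, as an added C example written for this page; it is not the detector's or ipsdr's own code. The sensitive port list, the table size, the sample traffic and the assumption that the netmask is shrunk one bit per level are all made up for the illustration, and since the on-disk log format is not shown on the page, the analysis runs over the in-memory table directly rather than reading log files.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical list of "sensitive" ports.  The real detector compiles its
 * own list in; this one is an assumption made for the example. */
static const unsigned short sensitive_ports[] =
    { 21, 22, 23, 25, 79, 110, 111, 143, 513, 514 };
#define NPORTS (sizeof(sensitive_ports) / sizeof(sensitive_ports[0]))
#define MAXHOSTS 64   /* assumed table size */

struct hit_entry {
    uint32_t src;                /* sending host, host byte order */
    unsigned long count[NPORTS]; /* packets seen to each sensitive port */
    time_t first[NPORTS];        /* time of first packet to that port, 0 if none */
};

static struct hit_entry table[MAXHOSTS];
static int nhosts;
static unsigned long nhits;      /* counted packets; the "hits" flush threshold counter */

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static int port_index(unsigned short port)
{
    for (size_t i = 0; i < NPORTS; i++)
        if (sensitive_ports[i] == port)
            return (int)i;
    return -1;
}

/* Listener side: account for one TCP packet (src -> dport, seen at 'when').
 * Returns 1 if the port is sensitive and the packet was counted, else 0. */
int record_packet(uint32_t src, unsigned short dport, time_t when)
{
    int p = port_index(dport);
    if (p < 0)
        return 0;                /* not a sensitive port: ignored */
    struct hit_entry *e = NULL;
    for (int i = 0; i < nhosts; i++)
        if (table[i].src == src) { e = &table[i]; break; }
    if (e == NULL) {
        if (nhosts == MAXHOSTS)
            return 0;            /* table full; the real tool flushes to disk */
        e = &table[nhosts++];
        memset(e, 0, sizeof(*e));
        e->src = src;
    }
    if (e->count[p] == 0)
        e->first[p] = when;      /* only the first packet per (host, port) is timed */
    e->count[p]++;
    nhits++;
    return 1;
}

/* Analysis side (ipsdr's first pass): weighted number of distinct sensitive
 * ports a host touched.  'weight' has one entry per port, all 1 by default. */
unsigned long host_score(const struct hit_entry *e, const unsigned *weight)
{
    unsigned long s = 0;
    for (size_t i = 0; i < NPORTS; i++)
        if (e->count[i] > 0)
            s += weight[i];
    return s;
}

/* Later passes: group hosts sharing the same address under 'mask' and sum
 * their scores.  Fills net[]/score[] (up to max) and returns the group count. */
int group_by_mask(uint32_t mask, const unsigned *weight,
                  uint32_t *net, unsigned long *score, int max)
{
    int n = 0;
    for (int i = 0; i < nhosts; i++) {
        uint32_t key = table[i].src & mask;
        int g;
        for (g = 0; g < n; g++)
            if (net[g] == key)
                break;
        if (g == n) {
            if (n == max)
                return n;
            net[n] = key;
            score[n] = 0;
            n++;
        }
        score[g] += host_score(&table[i], weight);
    }
    return n;
}

/* Constructed sample traffic (not a real capture).  Returns hosts in the table. */
int load_sample(void)
{
    nhosts = 0; nhits = 0;
    time_t t = 1000000000;
    record_packet(ip4(10,1,1,2), 21, t);
    record_packet(ip4(10,1,1,2), 22, t + 1);
    record_packet(ip4(10,1,1,2), 22, t + 2);   /* repeat: count 2, first time kept */
    record_packet(ip4(10,1,1,2), 23, t + 3);
    record_packet(ip4(10,1,1,2), 80, t + 4);   /* not sensitive: not counted */
    record_packet(ip4(10,1,1,3), 25, t + 5);   /* neighbour in the same /31 */
    record_packet(ip4(10,1,1,3), 110, t + 6);
    record_packet(ip4(192,168,5,9), 22, t + 7);
    return nhosts;
}

int main(void)
{
    unsigned weight[NPORTS];
    for (size_t i = 0; i < NPORTS; i++) weight[i] = 1;
    load_sample();
    uint32_t net[MAXHOSTS]; unsigned long score[MAXHOSTS];
    /* Shrink the mask from 0xfffffffe (/31) to 0 (/0), one output per level. */
    for (int bits = 31; bits >= 0; bits--) {
        uint32_t mask = bits ? 0xffffffffU << (32 - bits) : 0;
        int n = group_by_mask(mask, weight, net, score, MAXHOSTS);
        for (int g = 0; g < n; g++)
            printf("/%d %u.%u.%u.%u ports=%lu\n", bits,
                   (unsigned)(net[g] >> 24), (unsigned)((net[g] >> 16) & 255),
                   (unsigned)((net[g] >> 8) & 255), (unsigned)(net[g] & 255), score[g]);
    }
    return 0;
}
```

With the sample traffic, the /31 level merges 10.1.1.2 (three ports) and 10.1.1.3 (two ports) into one entry for 10.1.1.2 scoring 5, which is the distributed-scan signal the README describes; 192.168.5.9 stays on its own. Summing the per-host totals within a group is this example's choice; a stricter variant would count distinct ports across the whole group so that two neighbours hammering the same port do not look like a wider scan.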
Lastly, being passive means that no action is taken to stop port scans or
to discourage them.

Darren
darrenr@pobox.com