[13] in Intrusion Detection Systems
Re: port scanners/ICMP port unreachable
daemon@ATHENA.MIT.EDU (Andrew Cowell)
Thu Mar 30 14:49:25 1995
From: Andrew Cowell <cowell@cs.utk.edu>
To: ids@uow.edu.au
Date: Wed, 29 Mar 1995 12:12:33 -0500
Reply-To: ids@uow.edu.au
From: Oliver Friedrichs <iceman@MBnet.MB.CA>
Subject: Re: port scanners/ICMP port unreachable
Date: Tue, 28 Mar 1995 21:08:51 -0600 (CST)
> On Tue, 28 Mar 1995, Dan Pollack wrote:
>
> icmpinfo only catches incoming icmp messages - in this case we're
> looking for outgoing port unreachable messages - to detect someone trying
> to connect to an invalid port.
I noticed that, then just went to a SunOS 4.1.3 machine with /dev/nit
and ran
# etherfind -proto icmp
Works like a charm. Then just:
# egrep unreach /var/tmp/icmp.scan
ICMP from zeus.cs.uh.edu to UTKCS2.CS.UTK.EDU dst unreachable bad port
ICMP from 192.40.201.3 to CS.UTK.EDU dst unreachable bad host
Pipe it through sort and it groups by originating hosts, etc...
--
Andrew E. B. Cowell <cowell@cs.utk.edu> | "And the mountainside opened, a
Sys Admin, Computer Science Department | moment to pray for all the souls
The University of Tennessee, Knoxville | he'd come to save...now he couldn't
WWW: http://www.cs.utk.edu/~cowell/ | save himself" [Legendary Pink Dots]
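The "pipe it through sort" step above, spelled out as an added example (not part of Andrew's post or of any SunOS tool): it reads etherfind-style lines like the two quoted in the message, keeps only the "bad port" unreachables, and counts them per prober so a host that has hit many closed ports stands out. The sample lines are constructed (the two quoted in the post plus invented probes from "hunter.example.net", an assumed hostname); the rest of the output format is taken as shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: group etherfind-style
# "dst unreachable bad port" lines per prober, busiest first.

# Constructed sample of etherfind output: the two lines quoted in the post
# plus invented probes from hunter.example.net (an assumed hostname).
SAMPLE_LOG=$(cat <<'EOF'
ICMP from zeus.cs.uh.edu to UTKCS2.CS.UTK.EDU dst unreachable bad port
ICMP from 192.40.201.3 to CS.UTK.EDU dst unreachable bad host
ICMP from UTKCS2.CS.UTK.EDU to hunter.example.net dst unreachable bad port
ICMP from UTKCS2.CS.UTK.EDU to hunter.example.net dst unreachable bad port
ICMP from CS.UTK.EDU to hunter.example.net dst unreachable bad port
ICMP from UTKCS2.CS.UTK.EDU to hunter.example.net dst unreachable bad port
ICMP from CS.UTK.EDU to hunter.example.net dst unreachable bad port
ICMP from UTKCS2.CS.UTK.EDU to hunter.example.net dst unreachable bad port
EOF
)

# scan_pairs [MIN]: read etherfind lines on stdin, keep only "bad port"
# unreachables, print "count prober responder" for every pair seen at
# least MIN times (default 1), busiest first. For an outgoing port
# unreachable the "to" host is the machine that sent the probe and the
# "from" host is the one whose closed port it hit.
scan_pairs() {
    min=${1:-1}
    grep 'dst unreachable bad port' \
    | awk -v min="$min" '
        # fields: 1=ICMP 2=from 3=responder 4=to 5=prober 6..9=dst unreachable bad port
        { n[$5 " " $3]++ }
        END { for (k in n) if (n[k] >= min) printf "%6d %s\n", n[k], k }
    ' | sort -rn
}

# scan_probers [MIN]: same, but totalled per prober across all responders,
# which is what you want when one scanner walks several of your hosts.
scan_probers() {
    min=${1:-1}
    grep 'dst unreachable bad port' \
    | awk -v min="$min" '
        { n[$5]++ }
        END { for (k in n) if (n[k] >= min) printf "%6d %s\n", n[k], k }
    ' | sort -rn
}

# On a live capture (etherfind needs /dev/nit and root, as in the post):
#   etherfind -proto icmp > /var/tmp/icmp.scan
#   scan_pairs 3 < /var/tmp/icmp.scan
printf '%s\n' "$SAMPLE_LOG" | scan_pairs 2
```

Note that this only counts "bad port" messages; the "bad host" line for 192.40.201.3 is dropped, since a host unreachable says nothing about which ports were tried. The threshold argument is the crude knob: one or two stray unreachables are normal (traceroute ends with one), dozens from the same prober across several of your hosts are not.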