[252] in Intrusion Detection Systems
Port scan detection tool released
daemon@ATHENA.MIT.EDU (Gene Spafford)
Sat Jun 3 02:27:26 1995
Date: Sat, 3 Jun 1995 13:34:33 +1000
To: ids@uow.edu.au
From: spaf@cs.purdue.edu (Gene Spafford)
Reply-To: ids@uow.edu.au
Christoph Schuba (one of the senior students in the COAST Lab) and I have
written a small program in Perl v5 to detect port scans. You can run this on
a host and designate a set of ports to monitor, both TCP and UDP. Whatever is
sent to the port (up to a threshold number of bytes) is logged in sanitized
form. This can be helpful in detecting if someone is probing your system,
whether manually or using something like ISS or SATAN. It may have some
debugging applications, too.
There are options to log to syslog or to stderr. You can choose the ports you
want to monitor. You can specify if you want to use the ident/authd protocol
to attempt to identify the party on the other end of a TCP connection. You
can specify a timeout after which the connection is dropped. You can specify
the levels and class of syslog message, as well as the log host to use. Some
other options exist (see the manual page).
Sun Microsystems is the only vendor to be a COAST sponsor. That may explain
why we have lots of Sun machines and none from anyone else :-) So, other
than SunOS and Solaris, we can't be 100% certain how this behaves. However,
we tried to write in portable Perl5, so we expect this to work without problem
on many other systems. We'd like to hear about any exceptions.
Comments, questions, bug reports, enhancements, and so on can be directed to
Christoph and myself at <scan-detector@cs.purdue.edu>.
Copies of the code, including a PGP signature file, may be found at:
http://www.cs.purdue.edu/coast/coast-tools.html#tools
ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z
Cheers,
--spaf
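The design the announcement describes (decoy listeners on a chosen set of TCP and UDP ports, a byte threshold on what is logged, a timeout after which a TCP connection is dropped, and sanitizing of whatever arrives before it reaches the log) is easy to reproduce in a few dozen lines. The following is an added illustration written for this archive page; it is not the COAST scan-detector, which is Perl 5 and lives at the URLs above, and it is in Python rather than Perl so that it can be exercised stand-alone. The names (ScanDetector, Probe, sanitize, MAX_BYTES, READ_TIMEOUT) and the constructed probes in demo() are this example's own. The ident/authd lookup and the syslog level and class options from the announcement are not reproduced; logging is a pluggable callback, and a syslog hook is shown only in a comment.

```python
"""Decoy-port scan detector (added example, not the COAST scan-detector):
listen on chosen TCP/UDP ports, log at most MAX_BYTES of each probe, sanitized."""
import select
import socket
import sys
import time
from dataclasses import dataclass, field

MAX_BYTES = 256       # threshold: log at most this many bytes of a probe
READ_TIMEOUT = 2.0    # seconds to wait for data before dropping a TCP connection

def sanitize(data: bytes, limit: int = MAX_BYTES) -> str:
    """Make attacker-controlled bytes safe for a log line: printable ASCII passes
    through, backslash and everything else become \\xNN, the excess is counted."""
    out = []
    for b in data[:limit]:
        out.append(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\x%02x" % b)
    if len(data) > limit:
        out.append("...[%d more bytes]" % (len(data) - limit))
    return "".join(out)

@dataclass
class Probe:
    proto: str
    local_port: int
    peer: str
    peer_port: int
    payload: str                       # already sanitized
    ts: float = field(default_factory=time.time)

    def format(self) -> str:
        return "%s scan-detector: %s port %d probed from %s:%d data=%r" % (
            time.strftime("%b %d %H:%M:%S", time.localtime(self.ts)),
            self.proto, self.local_port, self.peer, self.peer_port, self.payload)

class ScanDetector:
    """Decoy listeners on the given ports (port 0 = any free port, handy for tests).
    `log` takes one line, e.g. lambda l: syslog.syslog(syslog.LOG_AUTH|syslog.LOG_NOTICE, l)."""

    def __init__(self, tcp_ports, udp_ports, host="127.0.0.1", log=None):
        self.log = log or (lambda line: print(line, file=sys.stderr))
        self.listeners = {}            # socket -> (proto, bound port)
        self.probes = []
        for p in tcp_ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, p))
            s.listen(8)
            self.listeners[s] = ("tcp", s.getsockname()[1])
        for p in udp_ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind((host, p))
            self.listeners[s] = ("udp", s.getsockname()[1])

    def ports(self, proto):
        return [port for pr, port in self.listeners.values() if pr == proto]

    def poll(self, timeout=1.0):
        """Service every ready listener; returns the new Probe records."""
        ready, _, _ = select.select(list(self.listeners), [], [], timeout)
        new = []
        for s in ready:
            proto, port = self.listeners[s]
            if proto == "udp":
                data, (peer, pport) = s.recvfrom(MAX_BYTES + 1)
            else:
                conn, (peer, pport) = s.accept()
                conn.settimeout(READ_TIMEOUT)       # never let a probe hold us open
                try:
                    data = conn.recv(MAX_BYTES + 1)  # b"" if the peer only connected
                except socket.timeout:
                    data = b""                       # connected, then went silent
                finally:
                    conn.close()
            rec = Probe(proto, port, peer, pport, sanitize(data))
            self.log(rec.format())
            new.append(rec)
        self.probes.extend(new)
        return new

    def close(self):
        for s in self.listeners:
            s.close()

def demo():
    """Constructed probes against a detector on loopback; returns its records."""
    det = ScanDetector(tcp_ports=[0], udp_ports=[0], log=lambda line: None)
    tcp_port, udp_port = det.ports("tcp")[0], det.ports("udp")[0]
    c = socket.create_connection(("127.0.0.1", tcp_port), timeout=2)
    c.sendall(b"GET / HTTP/1.0\r\n\r\n")           # banner-grab style probe
    c.close()
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.sendto(b"\x00\x01binary\xff", ("127.0.0.1", udp_port))
    u.close()
    socket.create_connection(("127.0.0.1", tcp_port), timeout=2).close()  # connect-only
    deadline = time.time() + 5
    while len(det.probes) < 3 and time.time() < deadline:
        det.poll(timeout=0.5)
    det.close()
    return det.probes
```

Two details matter in practice. The recv() size is MAX_BYTES + 1 so that sanitize() can tell the log that a probe was truncated rather than silently dropping the tail, and every byte from the wire is escaped before it is logged, because a probe that carries control characters or newlines is otherwise a way to forge entries in the very log you are watching. A connect-only probe (what a SYN or connect scan looks like from the listener's side) is logged with an empty payload rather than ignored, since the connection itself is the signal.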