[304] in Intrusion Detection Systems


scan detection (was: prfile)

daemon@ATHENA.MIT.EDU (Gene Spafford)
Sun Aug 20 14:05:32 1995

To: ids@uow.edu.au
In-Reply-To: Message from martinh@paston.co.uk (Martin Hargreaves)  of
    "Fri, 18 Aug 1995 21:03:26 +0100"
    <9508182003.AB24244@red.paston.co.uk> 
Date: Sat, 19 Aug 1995 10:17:23 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Reply-To: ids@uow.edu.au

> >One of the most portable packages I have seen to date in the freeware
> >realm is tcp_wrappers. 
> 
> I shall be porting this to our Sequents next week. A very useful program, I
> agree - it is also useful for listening with dummy servers on well known
> ports. Also to do this on say 10 sequential ports gives the same (or better)
> functionality as "courtney" and "gabriel" for checking against port scanners.

A better, more configurable scan detector is available from the COAST
group.  It is at
   ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z
It can also be found by traversing the links in 
   http://www.cs.purdue.edu/coast

The detector is written in Perl5, and allows you to specify which ports
you want monitored.  You can specify things like whether to log probe
contents, how long to wait on a TCP connection before dropping it, and
what kind of logging to use for the results.

The code is free for non-commercial use.

--spaf
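The mechanism Spaf describes (dummy listeners on a chosen set of ports, probe contents logged, a bounded wait on each TCP connection, and a configurable logging back end) is simple enough to sketch in a few dozen lines. The following is an added example written for this page in Python rather than Perl; it is not the COAST scan-detector and none of its names, defaults or thresholds come from that tool. The detection rule it uses, "flag a source that touches N distinct monitored ports within a time window", is the one the quoted reply alludes to with "10 sequential ports", and the port list, threshold and window are assumed sample values.

```python
"""Toy scan detector in the spirit of the tool described above: dummy
listeners on chosen ports, probe contents logged, a per-connection read
timeout, and pluggable logging via the logging module.  Added example,
not the COAST scan-detector; every name and default here is the example's own."""
import logging
import selectors
import socket
import sys
import time
from collections import defaultdict, deque

log = logging.getLogger("scan-detector")

# Assumed sample port list; the real tool lets you choose which ports to watch.
DEFAULT_PORTS = (21, 23, 25, 79, 110, 111, 143, 512, 513, 514)


class ScanTracker:
    """Per-source count of distinct monitored ports hit inside a sliding window.
    A source reaching `threshold` distinct ports within `window` seconds is
    reported once; record() returns the port list on that event, else None."""

    def __init__(self, threshold=3, window=60.0):
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)   # src -> deque of (timestamp, port)
        self.reported = set()

    def record(self, src, port, now=None):
        now = time.time() if now is None else now
        q = self._hits[src]
        q.append((now, port))
        while q and now - q[0][0] > self.window:   # expire hits outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and src not in self.reported:
            self.reported.add(src)
            return sorted(ports)
        return None


def format_probe(data, limit=64):
    """Render probe bytes safely for a log line (no raw control characters)."""
    shown = data[:limit].decode("ascii", "backslashreplace")
    shown = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in shown)
    return shown + ("..." if len(data) > limit else "")


def handle_probe(conn, src, port, tracker, read_timeout, max_probe):
    """Log one connection, then wait (bounded) for whatever the client sends."""
    hit = tracker.record(src, port)            # count the hit before reading
    log.info("connection from %s to port %d", src, port)
    if hit:
        log.warning("SCAN from %s: %d monitored ports hit %s", src, len(hit), hit)
    conn.settimeout(read_timeout)              # how long to wait on the connection
    try:
        data = conn.recv(max_probe)
        if data:
            log.info("probe from %s to port %d: %s", src, port, format_probe(data))
    except (socket.timeout, OSError):
        pass                                    # silent probe, or reset by the scanner
    finally:
        conn.close()


def serve(ports, tracker, host="0.0.0.0", read_timeout=5.0, max_probe=256, duration=None):
    """Bind a dummy listener on each port and dispatch accepted connections."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(16)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, port)
    deadline = None if duration is None else time.monotonic() + duration
    try:
        while deadline is None or time.monotonic() < deadline:
            for key, _ in sel.select(timeout=0.5):
                conn, (src, _) = key.fileobj.accept()
                handle_probe(conn, src, key.data, tracker, read_timeout, max_probe)
    finally:
        for key in list(sel.get_map().values()):
            key.fileobj.close()
        sel.close()


if __name__ == "__main__":
    # Usage: python scan_detector.py [port ...]   (ports below 1024 need root)
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    chosen = tuple(int(p) for p in sys.argv[1:]) or DEFAULT_PORTS
    serve(chosen, ScanTracker(threshold=3, window=60.0))
```

Two design points worth noting. The hit is recorded at accept time, before the read, so a scanner that connects and never sends anything is still counted and the read timeout only bounds how long the detector holds the socket. Probe bytes are escaped before logging, since a scanner that sends terminal control sequences or newlines could otherwise corrupt or spoof entries in a log that is being read with `tail`.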
