Port scan detection tool released

Gene Spafford (spaf@cs.purdue.edu)
Sat, 3 Jun 1995 13:34:33 +1000

Christoph Schuba (one of the senior students in the COAST Lab) and I have 
written a small program in Perl v5 to detect port scans.  You can run this on 
a host and designate a set of ports to monitor, both TCP and UDP.  Whatever is 
sent to the port (up to a threshold number of bytes) is logged in sanitized 
form.  This can be helpful in detecting if someone is probing your system, 
whether manually or using something like ISS or SATAN.  It may have some 
debugging applications, too.

There are options to log to syslog or to stderr.  You can choose the ports you 
want to monitor.  You can specify if you want to use the ident/authd protocol 
to attempt to identify the party on the other end of a TCP connection.  You 
can specify a timeout after which the connection is dropped.  You can specify 
the levels and class of syslog message, as well as the log host to use.  Some 
other options exist (see the manual page).

Sun Microsystems is the only vendor to be a COAST sponsor.  That may explain 
why we have lots of Sun machines and none from anyone else :-)   So, other 
than SunOS and Solaris, we can't be 100% certain how this behaves.  However, 
we tried to write in portable Perl5, so we expect this to work without problem 
on many other systems.  We'd like to hear about any exceptions.

Comments, questions, bug reports, enhancements, and so on can be directed to 
Christoph and myself at <scan-detector@cs.purdue.edu>.

Copies of the code, including a PGP signature file, may be found at:
   http://www.cs.purdue.edu/coast/coast-tools.html#tools
   ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z

Cheers,
--spaf
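A toy sensor along the lines the post describes (listen on a chosen set of TCP ports, log whatever arrives up to a byte threshold in sanitized form, drop the peer after a timeout), added here as an illustration; it is not the COAST scan-detector code, and the default port list, the 64-byte threshold, logging to stderr and the record format are assumptions:

```python
"""Toy TCP port-scan sensor: an added example, not the COAST scan-detector code.
Assumptions: the watched ports, the 64-byte threshold and the log format."""
import socket, sys, threading, time
THRESHOLD = 64  # bytes of probe payload kept per event (assumption)
def sanitize(data, limit=THRESHOLD):
    """Keep printable ASCII; escape backslash and everything else as \\xNN so
    terminal escapes or forged log lines cannot reach the log; cut at limit."""
    text = "".join(chr(b) if 32 <= b < 127 and b != 0x5C else "\\x%02x" % b
                   for b in data[:limit])
    return text + ("...(truncated)" if len(data) > limit else "")

def format_event(proto, local_port, peer, payload):
    """One record per probe: UTC time, protocol, watched port, source, data."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return "%s %s port=%d from=%s:%d data=%s" % (
        stamp, proto, local_port, peer[0], peer[1], sanitize(payload))

def open_tcp(port, host="0.0.0.0"):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s

def tcp_probe_once(listener, timeout=5.0):
    """Accept one client, read at most THRESHOLD+1 bytes (the extra byte
    reveals truncation), drop it after `timeout` seconds, return the record."""
    conn, peer = listener.accept()
    conn.settimeout(timeout)
    payload = b""
    try:
        while len(payload) <= THRESHOLD:
            chunk = conn.recv(THRESHOLD + 1 - len(payload))
            if not chunk:
                break
            payload += chunk
    except socket.timeout:
        pass  # a connect that sends nothing (bare connect scan) is still logged
    finally:
        conn.close()
    return format_event("tcp", listener.getsockname()[1], peer, payload)

def watch(listener):  # loop forever, one log line per probe on this port
    while True:
        print(tcp_probe_once(listener), file=sys.stderr)

if __name__ == "__main__":  # usage: python sensor.py 21 23 79 (ports assumed)
    for ls in map(open_tcp, [int(p) for p in sys.argv[1:]] or [21, 23, 79]):
        threading.Thread(target=watch, args=(ls,), daemon=True).start()
    threading.Event().wait()
```

Binding low ports needs privileges; pick ports nothing legitimate listens on, or every normal client becomes a false positive.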