> Detection can be done just like you'd do any other kind of detection. Looking
> for sequential port scans is probably the wrong approach, and can get very
> noisy. Rather, try deliberately setting up some known passive endpoints as
> traps and monitor for any traffic to those. [Definition of an "endpoint"
> left to the reader.]

This is precisely what "scan-detector" does. See
ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z
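
The trap-endpoint approach described in the quoted text, as an added example (not code from scan-detector or from either poster). The log format, the addresses and the trap list are constructed assumptions; the sample shows a source touching traps out of port order and minutes apart, which a sequential-port heuristic would not group.

```python
import re
from collections import defaultdict

# Assumed trap endpoints: (address, port) pairs with no real service behind them,
# so any traffic to them is unsolicited by definition.
TRAPS = {("198.51.100.5", 23), ("198.51.100.9", 79), ("198.51.100.9", 143)}

# Constructed sample connection log (the line format is an assumption).
SAMPLE_LOG = """\
10:15:01 SRC=192.0.2.10 DST=198.51.100.20 DPT=80
10:15:07 SRC=203.0.113.7 DST=198.51.100.9 DPT=143
10:16:40 SRC=192.0.2.10 DST=198.51.100.20 DPT=443
10:19:12 SRC=203.0.113.7 DST=198.51.100.5 DPT=23
10:21:55 SRC=192.0.2.44 DST=198.51.100.20 DPT=25
10:30:03 SRC=203.0.113.7 DST=198.51.100.9 DPT=79
10:31:00 SRC=192.0.2.44 DST=198.51.100.5 DPT=23
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def trap_hits(log_text, traps=TRAPS):
    """Map each source address to the distinct trap endpoints it touched, in order seen."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _, src, dst, dport = m.groups()
        endpoint = (dst, int(dport))
        # Traffic to production endpoints is ignored entirely: no port-order
        # or rate analysis, only "did this source touch a trap?".
        if endpoint in traps and endpoint not in hits[src]:
            hits[src].append(endpoint)
    return dict(hits)


def classify(hits, scan_threshold=2):
    """One trap contact is a 'probe'; several distinct traps is labelled a 'scan'."""
    return {src: ("scan" if len(eps) >= scan_threshold else "probe")
            for src, eps in hits.items()}


if __name__ == "__main__":
    for src, label in classify(trap_hits(SAMPLE_LOG)).items():
        print(src, label)
```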