Christoph Schuba (one of the senior students in the COAST Lab) and I have written a small program in Perl v5 to detect port scans.

You can run this on a host and designate a set of ports to monitor, both TCP and UDP. Whatever is sent to the port (up to a threshold number of bytes) is logged in sanitized form. This can be helpful in detecting if someone is probing your system, whether manually or using something like ISS or SATAN. It may have some debugging applications, too.

There are options to log to syslog or to stderr. You can choose the ports you want to monitor. You can specify if you want to use the ident/authd protocol to attempt to identify the party on the other end of a TCP connection. You can specify a timeout after which the connection is dropped. You can specify the levels and class of syslog message, as well as the log host to use. Some other options exist (see the manual page).

Sun Microsystems is the only vendor to be a COAST sponsor. That may explain why we have lots of Sun machines and none from anyone else :-) So, other than SunOS and Solaris, we can't be 100% certain how this behaves. However, we tried to write in portable Perl5, so we expect this to work without problem on many other systems. We'd like to hear about any exceptions.

Comments, questions, bug reports, enhancements, and so on can be directed to Christoph and myself at <scan-detector@cs.purdue.edu>.

Copies of the code, including a PGP signature file, may be found at:

http://www.cs.purdue.edu/coast/coast-tools.html#tools
ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z

Cheers,
--spaf
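The monitoring approach described in the announcement (listen on chosen TCP and UDP ports, log a bounded, sanitized copy of whatever arrives, drop silent connections after a timeout), sketched as an added example in Python; this is not the scan-detector Perl code. The byte threshold, timeout, port list and escaping scheme are assumptions, and the ident/authd lookup is left out.

```python
import select
import socket
import syslog

MAX_BYTES = 64   # assumed threshold: bytes beyond this are never logged
TIMEOUT = 5.0    # assumed seconds before a silent TCP connection is dropped

def sanitize(data, limit=MAX_BYTES):
    """Keep printable ASCII; write every other byte (and backslash) as \\xNN
    so probe data cannot forge log lines or send terminal escapes."""
    return "".join(chr(b) if 0x20 <= b < 0x7f and b != 0x5c else "\\x%02x" % b
                   for b in data[:limit])

def read_probe(conn, limit=MAX_BYTES, timeout=TIMEOUT):
    """Read at most `limit` bytes from a TCP peer; empty string on timeout."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(limit)
    except OSError:          # socket.timeout is a subclass of OSError
        data = b""
    return sanitize(data, limit)

def listen(ports, host="0.0.0.0"):
    """Open one TCP listener and one UDP socket per monitored port."""
    socks = []
    for port in ports:
        for kind in (socket.SOCK_STREAM, socket.SOCK_DGRAM):
            s = socket.socket(socket.AF_INET, kind)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            if kind == socket.SOCK_STREAM:
                s.listen(5)
            socks.append(s)
    return socks

def monitor(ports):
    """Single-threaded loop: one slow peer delays others by at most TIMEOUT."""
    socks = listen(ports)
    while True:
        for s in select.select(socks, [], [])[0]:
            if s.type == socket.SOCK_STREAM:
                conn, peer = s.accept()
                with conn:
                    text, proto = read_probe(conn), "tcp"
            else:
                data, peer = s.recvfrom(MAX_BYTES)
                text, proto = sanitize(data), "udp"
            syslog.syslog(syslog.LOG_WARNING, "probe %s/%d from %s: %s"
                          % (proto, s.getsockname()[1], peer[0], text))

if __name__ == "__main__":
    monitor([2323, 6969])    # constructed port list; choose otherwise-unused ports
```

Escaping the backslash itself keeps the log encoding unambiguous, so a logged `\x0a` always means a real newline byte was received.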