Security Links |
- Sources & Tools
Scanlogd v2.1 is a TCP port scan detection tool for linux, originally designed to illustrate various attacks an IDS developer has to deal with, for a Phrack Magazine article. It is designed to be safe to use, and will recognize all of the latest nmap scans. HTML man page available here. Changes: Support for Libnids 1.14, bug fixes. For more information, here. By Solar Designer.
Watches for TCP connection, records state for the past 1 second - if multiple connections occur from the same host, an internal counter is increased for that IP. If the counter reaches some value (which can be changed in #define) scandetd will send email to administrator. Information sent includes time, ip address, number of connections made, first and last connection times, and guessed type of scan (syn/fin). Logs to syslog by default. Configurable to allow trusted addresses. Tested under linux - possibly sunos and freebsd.
Port scan detector that takes an active stance to shut down attacking hosts while notifying administrators and provides an easy configuration and startup. Attacking hosts are denied access to your host by dropping of local routes or adding the host to a TCP Wrappers hosts.deny file, all in real-time. Even picks up stealth scans. Freeware from Cisco/Wheelgroup coders.
Port Scan Attack Detector (psad) is a perl program that is designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap. Changes: Whois lookups against scanning IPs were added. An uninstall option was added to install.pl. A bug in the 'stop' routine in psad-init was fixed. A bug in the syslog restart system call in install.pl was fixed. For more information, here.
HackerProof. All rights reserved.
. Total 3085