IP Scan Detector.
----------------

This program is designed to be a passive listener for TCP packets sent to
the host. It does not put interfaces into promiscuous mode. For routing
Unix boxes (and firewalls which route/proxy) this is sufficient to detect
all packets going to or through them.

Upon compiling, a predefined set of "sensitive" ports is configured into
the program. Any TCP packets seen sent to these ports are counted and the
IP# of the sending host recorded, along with the time of the first packet
to that port from that IP#.

After a given number of "hits", it will write the current table of packets
out to disk. This number defaults to 10,000.

To analyze the information written to disk, a sample program called "ipsdr"
is used (it should, but does not, use a tree structure to store its data).
It reads all log files it recognises and totals up the number of ports each
host hit. By default, all ports have the same weighting (1). Another group
of passes is then made over this table using a netmask of 0xfffffffe,
grouping all results which fall under the same resulting IP#. This netmask
is then shrunk back to 0, with an output given for each level. This is aimed
at detecting port scans done from different hosts on the same subnet (although
I've not seen this done, if one was trying to do it obscurely...)

Lastly, being passive means that no action is taken to stop port scans being
done or to discourage them.

Darren
darrenr@pobox.com
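The two analysis passes described above (per-host port totals, then grouping under a netmask that shrinks from 0xfffffffe down to 0) can be modelled in a few dozen lines. The block below is an added example written for this README; it is not ipsd or ipsdr code. It assumes a log reduced to (source IP, destination port) pairs, counts each pair once as ipsd's first-packet record would, gives every port the default weight of 1 through a hypothetical `port_weight()` hook, and runs on a small constructed sample in which two scanning hosts sit on the same /31.

```c
/* Added example, not code from ipsd/ipsdr: a minimal model of the ipsdr
 * analysis pass.  Hits are (source IP, destination port) pairs; each
 * distinct port a host touched adds that port's weight (1 by default) to
 * the host's score, and the table is then collapsed through shrinking
 * netmasks so a scan spread across a subnet adds up at some level. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_HOSTS 64
#define MAX_PAIRS 256

struct hit  { uint32_t src; uint16_t port; };   /* one logged packet */
struct host { uint32_t ip; unsigned score; };   /* ip is masked when grouped */

/* Constructed sample log: 192.168.0.1 probed ports 22 and 23 (22 twice),
 * its /31 neighbour 192.168.0.0 probed 25 and 80, and 10.0.0.5 probed 22. */
static const struct hit sample[] = {
    { 0xC0A80001u, 22 }, { 0xC0A80001u, 23 }, { 0xC0A80001u, 22 },
    { 0xC0A80000u, 25 }, { 0xC0A80000u, 80 },
    { 0x0A000005u, 22 },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* Per-port weighting hook (ours, an assumption; ipsdr's own mechanism is
 * not shown here).  The README's default is weight 1 for every port. */
static unsigned port_weight(uint16_t port) { (void)port; return 1; }

/* Index of ip in tab[0..n), or -1 if absent. */
static int find_host(const struct host *tab, int n, uint32_t ip)
{
    for (int i = 0; i < n; i++)
        if (tab[i].ip == ip) return i;
    return -1;
}

/* Score recorded for ip in a table, or -1 if it is not there. */
int score_for(const struct host *tab, int n, uint32_t ip)
{
    int i = find_host(tab, n, ip);
    return i < 0 ? -1 : (int)tab[i].score;
}

/* Pass 1: count each (host, port) pair once, as ipsd keeps only the first
 * packet per port per host, and total the weights per host.
 * Returns the number of hosts written to out[]. */
int build_host_table(const struct hit *hits, size_t n, struct host *out, int max)
{
    struct hit seen[MAX_PAIRS];
    int nseen = 0, nhosts = 0;

    for (size_t i = 0; i < n; i++) {
        int dup = 0;
        for (int j = 0; j < nseen; j++)
            if (seen[j].src == hits[i].src && seen[j].port == hits[i].port) { dup = 1; break; }
        if (dup || nseen == MAX_PAIRS) continue;
        seen[nseen++] = hits[i];

        int h = find_host(out, nhosts, hits[i].src);
        if (h < 0) {
            if (nhosts == max) continue;
            out[nhosts].ip = hits[i].src;
            out[nhosts].score = 0;
            h = nhosts++;
        }
        out[h].score += port_weight(hits[i].port);
    }
    return nhosts;
}

/* Pass 2: group hosts whose addresses agree under mask and sum their
 * scores.  Returns the group count; out[i].ip holds the masked prefix. */
int aggregate(const struct host *hosts, int n, uint32_t mask, struct host *out, int max)
{
    int ngroups = 0;
    for (int i = 0; i < n; i++) {
        uint32_t prefix = hosts[i].ip & mask;
        int g = find_host(out, ngroups, prefix);
        if (g < 0) {
            if (ngroups == max) continue;
            out[ngroups].ip = prefix;
            out[ngroups].score = 0;
            g = ngroups++;
        }
        out[g].score += hosts[i].score;
    }
    return ngroups;
}

/* Run both passes over the sample and return the score of the group that
 * ip falls into under mask (-1 if no host of the sample lands there). */
int group_score(uint32_t mask, uint32_t ip)
{
    struct host hosts[MAX_HOSTS], groups[MAX_HOSTS];
    int nhosts = build_host_table(sample, NSAMPLE, hosts, MAX_HOSTS);
    int ng = aggregate(hosts, nhosts, mask, groups, MAX_HOSTS);
    return score_for(groups, ng, ip & mask);
}

static void print_table(const struct host *tab, int n, uint32_t mask)
{
    printf("mask 0x%08x:\n", mask);
    for (int i = 0; i < n; i++)
        printf("  %u.%u.%u.%u  %u\n", tab[i].ip >> 24, (tab[i].ip >> 16) & 255,
               (tab[i].ip >> 8) & 255, tab[i].ip & 255, tab[i].score);
}

int main(void)
{
    struct host hosts[MAX_HOSTS], groups[MAX_HOSTS];
    int nhosts = build_host_table(sample, NSAMPLE, hosts, MAX_HOSTS);

    print_table(hosts, nhosts, 0xffffffffu);
    /* Shrink the mask from 0xfffffffe to 0, one bit per level, as ipsdr does. */
    for (uint32_t mask = 0xfffffffeu; ; mask <<= 1) {
        int ng = aggregate(hosts, nhosts, mask, groups, MAX_HOSTS);
        print_table(groups, ng, mask);
        if (mask == 0) break;
    }
    return 0;
}
```

With the sample above, 192.168.0.0 and 192.168.0.1 each score 2 on their own, but at mask 0xfffffffe they merge into one /31 group scoring 4, which is exactly the split-across-a-subnet case the README wants to surface; the shrinking mask walk therefore prints 32 tables, and the interesting one is wherever a group's score jumps well above its members' individual scores.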