
IP Scan Detector.
----------------

This program is designed to be a passive listener for TCP packets sent to
the host.  It does not exercise the promiscuous mode of interfaces.  For
routing Unix boxes (and firewalls which route/proxy) this is sufficient to
detect all packets going to/through them.

Upon compiling, a predefined set of "sensitive" ports is configured into
the program.  Any TCP packets which are seen sent to these ports are counted
and the IP# of the sending host recorded, along with the time of the first
packet to that port for that IP#.

After a given number of "hits", it will write the current table of packets
out to disk.  This number defaults to 10,000.

To analyze the information written to disk, a sample program called "ipsdr"
is used (it should, but doesn't, implement a tree algorithm for storing data)
which reads all log files it recognises and totals up the number of ports
each host hit.  By default, all ports have the same weighting (1).  Another
group of passes is then made over this table using a netmask of 0xfffffffe,
grouping all results which fall under the same resulting IP#.  This netmask
is then shrunk back to 0, with an output for each level given.  This is aimed
at detecting port scans done from different hosts on the same subnet (although
I've not seen this done, if one was trying to do it obscurely...)

Lastly, being passive means that no action is taken to stop port scans being
done or discourage them.

Darren
darrenr@pobox.com
