{"id":20135976,"url":"https://github.com/openwall/scanlogd","last_synced_at":"2025-04-09T17:33:44.134Z","repository":{"id":54002897,"uuid":"328803350","full_name":"openwall/scanlogd","owner":"openwall","description":"TCP port scan detection tool","archived":false,"fork":false,"pushed_at":"2022-05-28T14:07:43.000Z","size":108,"stargazers_count":59,"open_issues_count":2,"forks_count":13,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-23T19:39:16.000Z","etag":null,"topics":["detection","ids","libnids","libpcap","logging","port","scan","scanning"],"latest_commit_sha":null,"homepage":"https://www.openwall.com/scanlogd/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openwall.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-11T22:06:49.000Z","updated_at":"2025-02-14T03:58:03.000Z","dependencies_parsed_at":"2022-08-13T06:00:19.188Z","dependency_job_id":null,"html_url":"https://github.com/openwall/scanlogd","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fscanlogd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fscanlogd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fscanlogd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openwall%2Fscanlogd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openwall","download_url":"https://codeload.github.com/openwall/scanlogd/tar.gz/refs/heads/main","host":{"name":"GitHu
b","url":"https://github.com","kind":"github","repositories_count":248077711,"owners_count":21044010,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["detection","ids","libnids","libpcap","logging","port","scan","scanning"],"created_at":"2024-11-13T21:17:12.833Z","updated_at":"2025-04-09T17:33:43.773Z","avatar_url":"https://github.com/openwall.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"scanlogd - detects and logs TCP port scans\n==========================================\n\nDescription\n-----------\n\nscanlogd  detects  port  scans and writes one line per scan via the syslog(3)\nmechanism.  If a source address sends multiple packets to different ports  in\na short time, the event will be logged.  The format of the messages is:\n\nsaddr[:sport]  to daddr [and others,] ports port[, port...], ..., flags[, TOS TOS][, TTL TTL] @HH:MM:SS\n\nThe fields in square brackets are optional; sport, TOS, and TTL will only  be\ndisplayed if they were constant during the scan.\n\nThe  flags  field  represents  TCP control bits seen in packets coming to the\nsystem from the address of the scan.  It is a combination  of  eight  charac-\nters,  with each corresponding to one of the six defined and two reserved TCP\ncontrol bits (see RFC 793).  Control bits that were always  set  are  encoded\nwith  an  uppercase  letter,  and  a  lowercase letter is used if the bit was\nalways clear.  
A question mark is used to indicate  bits  that  changed  from\npacket to packet.\n\nInterfaces\n----------\n\nIn  order  to  do its job, scanlogd needs a way to obtain raw IP packets that\neither come to the system scanlogd is running on, or travel across a  network\nsegment  that is directly connected to the system.  Current versions of scan-\nlogd can be built with support for one of several packet capture interfaces.\n\nscanlogd is aware of the raw socket interface on Linux, libnids, and libpcap.\n\nThe use of libpcap alone is discouraged.  If you're on a  system  other  than\nLinux  and/or  want  to monitor the traffic of an entire network at once, you\nshould be using libnids in order to handle fragmented IP packets.\n\nCompile-time defaults\n---------------------\n\nAt least 7 different privileged or 21 non-privileged  ports,  or  a  weighted\ncombination  of  those,  have  to  be  accessed with no longer than 3 seconds\nbetween the accesses to be treated as a scan.   If  more  than  5  scans  are\ndetected  within  20  seconds,  that event will be logged and logging will be\nstopped temporarily.\n\nLogging is done with a facility of daemon and a priority level alert.\n\nscanlogd should be started as root since it needs access to a packet  capture\ninterface.   By  default, it chroots to /var/empty and switches to running as\nuser scanlogd after the packet capture interface is initialized.\n\nExit status\n-----------\n\nIf the daemon couldn't start up successfully, it will exit with a status of 1.\n\nUsage\n-----\n\nYou're expected to create a dummy user for scanlogd to run as.  Make sure you\nallocate unique UID and GID to the user.\n\nIn most cases, scanlogd should be  started  from  a  rc.d  script  on  system\nstartup.\n\nIn /etc/syslog.conf you may use something like:\n\ndaemon.alert   /var/log/alert\n\nSecurity notes\n--------------\n\nAs  the  name  indicates, scanlogd only logs port scans.  It does not prevent\nthem.  
You will only receive summarized information in the system's log.\n\nObviously, the source address of port scans can be spoofed.  Don't  take  any\naction  against  the  source  of  attacks unless other evidence is available.\nSometimes IP addresses are shared between many people; this is the  case  for\nISP  shell  servers,  dynamic dialup pools, and corporate networks behind NAT\n(masquerading).\n\nDue to the nature of port scans, both false positives (detecting a scan  when\nthere  isn't one) and false negatives (not detecting a scan when there's one)\nare possible.  In particular, false positives occur when many small files are\ntransferred rapidly with passive mode FTP.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenwall%2Fscanlogd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenwall%2Fscanlogd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenwall%2Fscanlogd/lists"}
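The detection heuristic from the "Compile-time defaults" section and the log line format from "Description", worked through as an added Python example. This is not scanlogd's own code (which is C and reads packets from a capture interface); it is an illustration of the rules the README states. Assumptions not taken from the README: a privileged port (below 1024) counts 3 units and any other port 1 unit against a threshold of 21, which reproduces the "7 privileged or 21 non-privileged, or a weighted combination" rule; the eight flag letters are "fsrpauxy" for FIN, SYN, RST, PSH, ACK, URG and the two reserved bits, least-significant bit first; TOS is printed as two hex digits; and once more than 5 scans are detected within 20 seconds the detector logs one notice and stays quiet for another 20 seconds. All packets, addresses and source ports are constructed sample input.

```python
"""Port-scan detection and log-line formatting modeled on the scanlogd README.
This is an added illustration, not scanlogd's own code."""
from dataclasses import dataclass, field
from time import gmtime, strftime
from typing import List, Optional

# Values documented under "Compile-time defaults".
SCAN_DELAY = 3                    # seconds; a longer gap between accesses ends the scan
PRIV_WEIGHT, HIGH_WEIGHT = 3, 1   # assumption: privileged (<1024) port = 3 units, other = 1,
SCAN_THRESHOLD = 21               # so 7 privileged ports == 21 non-privileged ports
LOG_COUNT, LOG_DELAY = 5, 20      # more than 5 scans in 20 s: log that, then stop logging
FLAG_LETTERS = "fsrpauxy"         # assumption: FIN SYN RST PSH ACK URG + two reserved bits,
                                  # least-significant bit first

@dataclass
class Packet:                     # constructed input; what a capture interface would hand over
    ts: float
    saddr: str
    sport: int
    daddr: str
    dport: int
    flags: int                    # TCP control bits as one byte
    tos: int = 0
    ttl: int = 64

@dataclass
class Tracker:                    # per-source state for the scan in progress
    last: float
    sport: Optional[int]          # None once the value varied between packets
    tos: Optional[int]
    ttl: Optional[int]
    daddrs: List[str] = field(default_factory=list)
    ports: List[int] = field(default_factory=list)
    weight: int = 0
    set_mask: int = 0xFF          # bits set in every packet seen so far
    clear_mask: int = 0xFF        # bits clear in every packet seen so far
    reported: bool = False

def flags_str(set_mask: int, clear_mask: int) -> str:
    """Uppercase: always set; lowercase: always clear; '?': changed between packets."""
    out = []
    for i, letter in enumerate(FLAG_LETTERS):
        bit = 1 << i
        out.append(letter.upper() if set_mask & bit else letter if clear_mask & bit else "?")
    return "".join(out)

def format_line(saddr: str, t: Tracker, ts: float) -> str:
    """saddr[:sport] to daddr [and others,] ports p[, p...], flags[, TOS TOS][, TTL TTL] @HH:MM:SS"""
    src = saddr if t.sport is None else f"{saddr}:{t.sport}"
    others = " and others," if len(t.daddrs) > 1 else ""
    line = f"{src} to {t.daddrs[0]}{others} ports {', '.join(map(str, t.ports))}, "
    line += flags_str(t.set_mask, t.clear_mask)
    if t.tos is not None:
        line += f", TOS {t.tos:02X}"          # assumption: TOS printed as two hex digits
    if t.ttl is not None:
        line += f", TTL {t.ttl}"
    return line + strftime(" @%H:%M:%S", gmtime(ts))

class ScanDetector:
    def __init__(self):
        self.trackers = {}
        self.log_times: List[float] = []      # recent report times, for the rate limit
        self.muted_until = 0.0

    def feed(self, p: Packet) -> Optional[str]:
        """Return a log line if this packet pushes its source over the threshold."""
        t = self.trackers.get(p.saddr)
        if t is None or p.ts - t.last > SCAN_DELAY:
            t = self.trackers[p.saddr] = Tracker(p.ts, p.sport, p.tos, p.ttl)
        t.last = p.ts
        t.set_mask &= p.flags
        t.clear_mask &= ~p.flags & 0xFF
        if t.sport != p.sport:
            t.sport = None
        if t.tos != p.tos:
            t.tos = None
        if t.ttl != p.ttl:
            t.ttl = None
        if p.daddr not in t.daddrs:
            t.daddrs.append(p.daddr)
        if p.dport not in t.ports:            # only distinct ports count toward the threshold
            t.ports.append(p.dport)
            t.weight += PRIV_WEIGHT if p.dport < 1024 else HIGH_WEIGHT
        if t.reported or t.weight < SCAN_THRESHOLD:
            return None
        t.reported = True
        return self._log(p.saddr, t, p.ts)

    def _log(self, saddr: str, t: Tracker, ts: float) -> Optional[str]:
        if ts < self.muted_until:
            return None
        self.log_times = [x for x in self.log_times if ts - x <= LOG_DELAY] + [ts]
        if len(self.log_times) > LOG_COUNT:
            self.muted_until = ts + LOG_DELAY  # assumption: stay quiet for one more window
            return "too many scans, logging suspended" + strftime(" @%H:%M:%S", gmtime(ts))
        return format_line(saddr, t, ts)

def run(packets: List[Packet]) -> List[str]:
    """Feed packets in time order and collect the lines that would go to syslog."""
    d = ScanDetector()
    return [line for line in map(d.feed, sorted(packets, key=lambda p: p.ts)) if line]

def syn_scan(saddr, ports, start=0.0, gap=0.2, daddr="192.0.2.10"):
    """Constructed sample: one SYN (0x02) per port from a fixed source port."""
    return [Packet(start + i * gap, saddr, 40000, daddr, port, 0x02) for i, port in enumerate(ports)]

if __name__ == "__main__":
    for line in run(syn_scan("198.51.100.7", [21, 22, 23, 25, 53, 80, 110])):
        print(line)
```

Running the block prints one line for the seven-privileged-port SYN scan; feeding the same ports with five-second gaps yields nothing, since each access falls outside the 3-second window and the tracker restarts. Twenty-one distinct high ports in quick succession also trigger a report, which is the passive-mode FTP false positive the Security notes warn about.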