Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/openwall/scanlogd

TCP port scan detection tool
https://github.com/openwall/scanlogd

detection ids libnids libpcap logging port scan scanning

Last synced: 2 months ago
JSON representation

TCP port scan detection tool

Awesome Lists containing this project

README 

        
scanlogd - detects and logs TCP port scans

==========================================



Description

-----------



scanlogd  detects  port  scans and writes one line per scan via the syslog(3)

mechanism.  If a source address sends multiple packets to different ports  in

a short time, the event will be logged.  The format of the messages is:



saddr[:sport]  to daddr [and others,] ports port[, port...], ..., flags[, TOS TOS][, TTL TTL] @HH:MM:SS



The fields in square brackets are optional; sport, TOS, and TTL will only  be

displayed if they were constant during the scan.



The  flags  field  represents  TCP control bits seen in packets coming to the

system from the address of the scan.  It is a combination  of  eight  charac-

ters,  with each corresponding to one of the six defined and two reserved TCP

control bits (see RFC 793).  Control bits that were always  set  are  encoded

with  an  uppercase  letter,  and  a  lowercase letter is used if the bit was

always clear.  A question mark is used to indicate  bits  that  changed  from

packet to packet.



Interfaces

----------



In  order  to  do its job, scanlogd needs a way to obtain raw IP packets that

either come to the system scanlogd is running on, or travel across a  network

segment  that is directly connected to the system.  Current versions of scan-

logd can be built with support for one of several packet capture interfaces.



scanlogd is aware of the raw socket interface on Linux, libnids, and libpcap.



The use of libpcap alone is discouraged.  If you're on a  system  other  than

Linux  and/or  want  to monitor the traffic of an entire network at once, you

should be using libnids in order to handle fragmented IP packets.



Compile-time defaults

---------------------



At least 7 different privileged or 21 non-privileged  ports,  or  a  weighted

combination  of  those,  have  to  be  accessed with no longer than 3 seconds

between the accesses to be treated as a scan.   If  more  than  5  scans  are

detected  within  20  seconds,  that event will be logged and logging will be

stopped temporarily.



Logging is done with a facility of daemon and a priority level alert.



scanlogd should be started as root since it needs access to a packet  capture

interface.   By  default, it chroots to /var/empty and switches to running as

user scanlogd after the packet capture interface is initialized.



Exit status

-----------



If the daemon couldn't start up successfully, it will exit with a status of 1.



Usage

-----



You're expected to create a dummy user for scanlogd to run as.  Make sure you

allocate unique UID and GID to the user.



In most cases, scanlogd should be  started  from  a  rc.d  script  on  system

startup.



In /etc/syslog.conf you may use something like:



daemon.alert   /var/log/alert



Security notes

--------------



As  the  name  indicates, scanlogd only logs port scans.  It does not prevent

them.  You will only receive summarized information in the system's log.



Obviously, the source address of port scans can be spoofed.  Don't  take  any

action  against  the  source  of  attacks unless other evidence is available.

Sometimes IP addresses are shared between many people; this is the  case  for

ISP  shell  servers,  dynamic dialup pools, and corporate networks behind NAT

(masquerading).



Due to the nature of port scans, both false positives (detecting a scan  when

there  isn't one) and false negatives (not detecting a scan when there's one)

are possible.  In particular, false positives occur when many small files are

transferred rapidly with passive mode FTP.