Name         Date         Size
..           20-Dec-2016  61
Celler/      20-Dec-2016  3
ipsd.c       08-Mar-2015  4.8 KiB
ipsd.h       08-Mar-2015  399
ipsdr.c      08-Mar-2015  5.5 KiB
linux.h      08-Mar-2015  292
Makefile     08-Mar-2015  1.3 KiB
README       08-Mar-2015  1.5 KiB
sbpf.c       08-Mar-2015  4.3 KiB
sdlpi.c      08-Mar-2015  5 KiB
slinux.c     08-Mar-2015  2.1 KiB
snit.c       08-Mar-2015  4.7 KiB

README


IP Scan Detector.
----------------

This program is designed to be a passive listener for TCP packets sent to
the host.  It does not exercise the promiscuous mode of interfaces.  For
routing Unix boxes (and firewalls which route/proxy) this is sufficient to
detect all packets going to/through them.

Upon compiling, a predefined set of "sensitive" ports are configured into
the program.  Any TCP packets which are seen sent to these ports are counted
and the IP# of the sending host recorded, along with the time of the first
packet to that port for that IP#.

After a given number of "hits", it will write the current table of packets
out to disk.  This number defaults to 10,000.

To analyze the information written to disk, a sample program called "ipsdr"
is used (it should, but doesn't, implement a tree algorithm for storing data)
which reads all log files it recognises and totals up the number of ports
each host hit.  By default, all ports have the same weighting (1).  Another
group of passes is then made over this table using a netmask of 0xfffffffe,
grouping all results which fall under the same resulting IP#.  This netmask
is then shrunk back to 0, with an output for each level given.  This is aimed
at detecting port scans done from different hosts on the same subnet (although
I've not seen this done, if one was trying to do it obscurely...)
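The two analysis passes described above (distinct sensitive ports per source host, then folding that table under a netmask that shrinks from 0xfffffffe to 0 so that hosts on one subnet are scored together), as an added C example. This is not ipsdr's own code: the hit records are constructed sample data standing in for ipsd's on-disk log, whose format is assumed rather than parsed, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 64

struct hit   { uint32_t src;  uint16_t port; };   /* one TCP packet seen going to a sensitive port */
struct tally { uint32_t addr; unsigned score; };  /* (possibly masked) address and summed port count */

/* Constructed sample log, host byte order: 10.0.0.2 probes four ports, 10.0.0.3 probes
 * two (one of them twice), and 192.168.1.9 touches a single port. */
static const struct hit sample_hits[] = {
    { 0x0A000002u, 21 }, { 0x0A000002u, 22 }, { 0x0A000002u, 23 }, { 0x0A000002u, 25 },
    { 0x0A000003u, 80 }, { 0x0A000003u, 80 }, { 0x0A000003u, 443 },
    { 0xC0A80109u, 22 },
};
#define SAMPLE_NHITS ((int)(sizeof sample_hits / sizeof sample_hits[0]))

/* Find addr in the table or append it; return its index, or -1 if the table is full. */
static int find_or_add(struct tally *t, int *n, int max, uint32_t addr)
{
    int i;
    for (i = 0; i < *n; i++)
        if (t[i].addr == addr) return i;
    if (*n >= max) return -1;
    t[*n].addr = addr;
    t[*n].score = 0;
    return (*n)++;
}

/* Pass 1: number of distinct sensitive ports each source hit.  Every port weighs 1 and
 * repeated packets to the same port are not counted again.  Returns the table size. */
int count_ports_per_host(const struct hit *h, int nh, struct tally *t, int max)
{
    int n = 0, i, j;
    for (i = 0; i < nh; i++) {
        for (j = 0; j < i; j++)                   /* (src, port) already counted earlier? */
            if (h[j].src == h[i].src && h[j].port == h[i].port) break;
        if (j < i) continue;
        int k = find_or_add(t, &n, max, h[i].src);
        if (k < 0) break;
        t[k].score += 1;
    }
    return n;
}

/* Pass 2: fold the per-host table under a netmask, summing the scores of all hosts whose
 * masked address is the same.  Returns the size of the folded table. */
int fold_by_mask(const struct tally *in, int nin, uint32_t mask, struct tally *out, int max)
{
    int n = 0, i;
    for (i = 0; i < nin; i++) {
        int k = find_or_add(out, &n, max, in[i].addr & mask);
        if (k < 0) break;
        out[k].score += in[i].score;
    }
    return n;
}

/* Score of the group that addr falls into at a given mask (0 if nothing was seen there). */
unsigned group_score(const struct hit *h, int nh, uint32_t mask, uint32_t addr)
{
    struct tally hosts[MAX_ENTRIES], groups[MAX_ENTRIES];
    int nhosts = count_ports_per_host(h, nh, hosts, MAX_ENTRIES);
    int ngroups = fold_by_mask(hosts, nhosts, mask, groups, MAX_ENTRIES), i;
    for (i = 0; i < ngroups; i++)
        if (groups[i].addr == (addr & mask)) return groups[i].score;
    return 0;
}

static void print_table(const struct tally *t, int n)
{
    int i;
    for (i = 0; i < n; i++)
        printf("  %u.%u.%u.%u  %u\n", (unsigned)(t[i].addr >> 24), (unsigned)(t[i].addr >> 16) & 255u,
               (unsigned)(t[i].addr >> 8) & 255u, (unsigned)t[i].addr & 255u, t[i].score);
}

int main(void)
{
    struct tally hosts[MAX_ENTRIES], groups[MAX_ENTRIES];
    int nhosts = count_ports_per_host(sample_hits, SAMPLE_NHITS, hosts, MAX_ENTRIES);
    int last = nhosts + 1;
    uint32_t mask = 0xFFFFFFFFu;              /* per-host view first, then widen */
    for (;;) {
        int ng = fold_by_mask(hosts, nhosts, mask, groups, MAX_ENTRIES);
        if (ng < last) {                      /* print only levels where hosts merged */
            printf("netmask 0x%08x:\n", (unsigned)mask);
            print_table(groups, ng);
            last = ng;
        }
        if (mask == 0) break;
        mask <<= 1;                           /* 0xfffffffe, 0xfffffffc, ..., 0x80000000, 0 */
    }
    return 0;
}
```

With the sample data, 10.0.0.2 and 10.0.0.3 score 4 and 2 on their own, but merge into a single /31 group scoring 6 at the very first folding level, which is exactly the "several hosts on one subnet" pattern the pass is meant to surface. To keep the stand-alone run readable the loop prints only the levels at which some hosts actually merged rather than all 33 levels.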

Lastly, being passive means that no action is taken to stop port scans being
done or discourage them.

Darren
darrenr@pobox.com
