Followig the detection thread

[Lance Spitzner <spitzner () dimension net>]

Following the detection thread, one thing I've been playing with is
having TCP wrappers listening on specific ports, then spawning
various alert scripts when there is a connection (such as an alert
email with src, dest, service and safe_finger).  By listening
on commonly scanned ports (smb,imap,telnet,portmapper, etc) I can
quickly determine if a scan was conducted.  By doing this on several
servers, I can also quickly determine if the network was scanned.

Of course, since I'm using TCP wrappers, it will not detect -sS or
-sF scans.  Not the ultimate soltion, but something I've been 
playing with and having good results.  

Lance