Nmap Announce mailing list archives

Re: Following the detection thread


From: Clifford Hammerschmidt <chammers () pim bc ca>
Date: Fri, 29 Jan 1999 11:50:07 -0800


Use abacus sentry, it'll detect FIN scans and run a script of your choosing
passing the scanning IP as the first arg.

At 11:39 AM 1/29/99 -0500, Lance Spitzner wrote:
Following the detection thread, one thing I've been playing with is
having TCP wrappers listening on specific ports, then spawning
various alert scripts when there is a connection (such as an alert
email with src, dest, service and safe_finger).  By listening
on commonly scanned ports (smb,imap,telnet,portmapper, etc) I can
quickly determine if a scan was conducted.  By doing this on several
servers, I can also quickly determine if the network was scanned.

Of course, since I'm using TCP wrappers, it will not detect -sS or
-sF scans.  Not the ultimate solution, but something I've been
playing with and having good results.  

Lance 
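
Added example, not part of either message above: one way to correlate the alerts that wrapper-spawned scripts produce across several servers, to tell a scan of one host from a scan of the network. The log line format, server names, addresses and thresholds are assumptions made for illustration. As the quoted message notes, only completed connections reach TCP wrappers, so -sS and -sF probes never appear in this data.

```python
from collections import defaultdict

# Constructed sample alerts, in the form a hypothetical wrapper-spawned
# alert script might log them: "<server> <source-ip> <service>".
SAMPLE_ALERTS = """\
web1 192.0.2.10 telnet
web1 192.0.2.10 imap
web1 192.0.2.10 smb
mail1 192.0.2.10 imap
mail1 192.0.2.10 portmapper
mail1 192.0.2.10 telnet
db1 198.51.100.7 telnet
web1 203.0.113.5 smb
web1 203.0.113.5 imap
web1 203.0.113.5 portmapper
"""

def parse_alerts(text):
    """Yield (server, src, service) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield tuple(fields)

def classify_sources(alerts, min_services=3, min_servers=2):
    """Map each source IP to 'network scan', 'host scan' or 'isolated'.

    A server counts as scanned by a source once that source has touched
    min_services distinct watched services on it; min_servers such servers
    for one source counts as a network scan. Both thresholds are assumptions.
    """
    seen = defaultdict(lambda: defaultdict(set))  # src -> server -> services
    for server, src, service in alerts:
        seen[src][server].add(service)
    verdicts = {}
    for src, per_server in seen.items():
        scanned = [s for s, svcs in per_server.items() if len(svcs) >= min_services]
        if len(scanned) >= min_servers:
            verdicts[src] = "network scan"
        elif scanned:
            verdicts[src] = "host scan"
        else:
            verdicts[src] = "isolated"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(parse_alerts(SAMPLE_ALERTS)).items()):
        print(src, verdict)
```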




