Nmap Announce mailing list archives
Re: Following the detection thread
From: Clifford Hammerschmidt <chammers () pim bc ca>
Date: Fri, 29 Jan 1999 11:50:07 -0800
Use abacus sentry, it'll detect FIN scans and run a script of your choosing, passing the scanning IP as the first arg.

At 11:39 AM 1/29/99 -0500, Lance Spitzner wrote:
> Following the detection thread, one thing I've been playing with is having TCP wrappers listening on specific ports, then spawning various alert scripts when there is a connection (such as an alert email with src, dest, service and safe_finger). By listening on commonly scanned ports (smb, imap, telnet, portmapper, etc.) I can quickly determine if a scan was conducted. By doing this on several servers, I can also quickly determine if the network was scanned. Of course, since I'm using TCP wrappers, it will not detect -sS or -sF scans. Not the ultimate solution, but something I've been playing with and having good results.
>
> Lance
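The correlation step described in the quoted message (alerts from wrapped decoy ports on several servers, combined to tell a scan of one host from a scan of the network) can be sketched as below. This is an added example, not code from either poster; the alert line format, the thresholds and the addresses are assumptions constructed for illustration, and as the message notes, only completed connections produce alerts, so -sS and -sF scans never appear in this input.

```python
"""Correlate decoy-port connection alerts to tell host scans from network scans."""
import re
from collections import defaultdict

# Constructed sample alerts in a hypothetical "src= dest= service=" format,
# one line per completed TCP connection to a wrapped decoy port.
SAMPLE_ALERTS = """\
1999-01-29T11:02:01 src=192.0.2.10 dest=10.0.0.5 service=telnet
1999-01-29T11:02:01 src=192.0.2.10 dest=10.0.0.5 service=imap
1999-01-29T11:02:02 src=192.0.2.10 dest=10.0.0.5 service=portmapper
1999-01-29T11:02:03 src=192.0.2.10 dest=10.0.0.6 service=telnet
1999-01-29T11:02:03 src=192.0.2.10 dest=10.0.0.6 service=smb
1999-01-29T11:02:04 src=192.0.2.10 dest=10.0.0.7 service=imap
1999-01-29T11:40:00 src=198.51.100.7 dest=10.0.0.5 service=telnet
1999-01-29T11:45:00 src=203.0.113.9 dest=10.0.0.6 service=smb
1999-01-29T11:45:01 src=203.0.113.9 dest=10.0.0.6 service=imap
1999-01-29T11:45:01 src=203.0.113.9 dest=10.0.0.6 service=telnet
garbled line that should be skipped
"""

ALERT_RE = re.compile(r"src=(\S+)\s+dest=(\S+)\s+service=(\S+)")


def classify(alert_text, min_services=3, min_hosts=2):
    """Return {src: 'network scan' | 'host scan' | 'isolated connection'}."""
    hits = defaultdict(lambda: defaultdict(set))  # src -> dest -> {services}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # ignore anything that is not an alert line
        src, dest, service = m.groups()
        hits[src][dest].add(service)

    verdicts = {}
    for src, per_dest in hits.items():
        if len(per_dest) >= min_hosts:
            # Same source seen on decoy ports of several servers.
            verdicts[src] = "network scan"
        elif max(len(s) for s in per_dest.values()) >= min_services:
            # Several decoy services touched on a single server.
            verdicts[src] = "host scan"
        else:
            verdicts[src] = "isolated connection"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_ALERTS).items()):
        print(f"{src}: {verdict}")
```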