Nmap Announce mailing list archives
Re: Following the detection thread
From: Simple Nomad <thegnome () nmrc org>
Date: Fri, 29 Jan 1999 14:26:18 -0600 (CST)
On Fri, 29 Jan 1999, Lance Spitzner wrote:
> Following the detection thread, one thing I've been playing with is having TCP wrappers listening on specific ports, then spawning various alert scripts when there is a connection (such as an alert email with src, dest, service and safe_finger). By listening on commonly scanned ports (smb, imap, telnet, portmapper, etc.) I can quickly determine if a scan was conducted. By doing this on several servers, I can also quickly determine if the network was scanned. Of course, since I'm using TCP wrappers, it will not detect -sS or -sF scans. Not the ultimate solution, but something I've been playing with and having good results.
>
> Lance
Take a look at http://www.nmrc.org/nmrcOS/ and in particular the "tweaks" section. I've adapted Jesse Off's Linux kernel patch so it detects all of the TCP scans that nmap does and logs them. It does a few other things like drop any non-SYN that has nothing to do with an existing TCP connection, so even LONG scans such as a single TCP port a day won't work. This means a standard regular SYN must be used to determine an open TCP port, and at that point TCP wrappers can handle things.

There are problems if you are using this on a Linux box doing masquerading or NAT, and unless you love big logs I wouldn't turn on the TCP auditing stuff on a popular web or mail server. Obviously using something like swatch to scrape syslog could be used with this patch to do some of the detection stuff, like detecting a remote OS or whatever.

The patch is considered beta -- it has a number of things included in it like Solar Designer's secure-linux patch so it is quite useful -- and requires 2.0.36, along with Route's libnet and pingd. The patch itself is available via http://www.nmrc.org/files/sunix/nmrcOS.patch.tar.gz.

Simple Nomad          //  "When viewed as a metaphor for the human
thegnome () nmrc org  //   condition, the humble GNU C compiler
www.nmrc.org          //   becomes an endless enigma."