path: root/contrib/ipfilter/ipsd/README
author    darrenr <darrenr@FreeBSD.org>  1997-02-09 22:50:16 +0000
committer darrenr <darrenr@FreeBSD.org>  1997-02-09 22:50:16 +0000
commit    cb8d46a179f2d30ac1cd0a01eb156e1a4c08d717
tree      93c7db298b1fd70f9e27663b3fd527da063d0008  /contrib/ipfilter/ipsd/README
Import IP Filter v3.1.7 into FreeBSD tree
Diffstat (limited to 'contrib/ipfilter/ipsd/README')
-rw-r--r--  contrib/ipfilter/ipsd/README  32
1 files changed, 32 insertions, 0 deletions
diff --git a/contrib/ipfilter/ipsd/README b/contrib/ipfilter/ipsd/README
new file mode 100644
index 0000000..6746d01
--- /dev/null
+++ b/contrib/ipfilter/ipsd/README
@@ -0,0 +1,32 @@
+
+IP Scan Detetor.
+----------------
+
+This program is designed to be a passive listener for TCP packets sent to
+the host. It does not exercise the promiscous mode of interfaces. For
+routing Unix boxes (and firewalls which route/proxy) this is sufficient to
+detect all packets going to/through them.
+
+Upon compiling, a predefined set of "sensitive" ports are configured into
+the program. Any TCP packets which are seen sent to these ports are counted
+and the IP# of the sending host recorded, along with the time of the first
+packet to that port for that IP#.
+
+After a given number of "hits", it will write the current table of packets
+out to disk. This number defaults to 10,000.
+
+To analyze the information written to disk, a sample program called "ipsdr"
+is used (should but doesn't implement a tree algorithm for storing data)
+which reads all log files it recognises and totals up the number of ports
+each host hit. By default, all ports have the same weighting (1). Another
+group of passes is then made over this table using a netmask of 0xfffffffe,
+grouping all results which fall under the same resulting IP#. This netmask
+is then shrunk back to 0, with a output for each level given. This is aimed
+at detecting port scans done from different hosts on the same subnet (although
+I've not seen this done, if one was trying to do it obscurely...)
+
+Lastly, being passive means that no action is taken to stop port scans being
+done or discourage them.
+
+Darren
+darrenr@cyber.com.au
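Review bot: the README should be proofread before import: the title "IP Scan Detetor" should read "IP Scan Detector", "promiscous" should read "promiscuous", and "a output for each level" should read "an output for each level". The statement that a non-promiscuous listener "is sufficient to detect all packets going to/through" a routing box or firewall also needs a caveat: without promiscuous mode the program only sees frames the host's interface accepts, so transit traffic is covered only when the host actually routes it, and a scan aimed at another host on the same segment is invisible to it. Two operational details a reader will want are missing as well: how the compiled-in "sensitive" port list is changed (the text says only that it is "predefined" and "configured into the program"), and what happens to the in-memory table between writes, since with the default of 10,000 hits a crash or reboot discards everything accumulated since the last write; a sentence on how to lower the threshold or force a write would document that trade-off. Finally, the aside that ipsdr "should but doesn't implement a tree algorithm" is a developer TODO rather than user documentation; either move it to a TODO note or drop it from the README.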