diff options
Diffstat (limited to 'contrib/ipfilter/ipsd/README')
-rw-r--r-- | contrib/ipfilter/ipsd/README | 32 |
1 files changed, 0 insertions, 32 deletions
diff --git a/contrib/ipfilter/ipsd/README b/contrib/ipfilter/ipsd/README deleted file mode 100644 index eb6b798..0000000 --- a/contrib/ipfilter/ipsd/README +++ /dev/null @@ -1,32 +0,0 @@ - -IP Scan Detetor. ----------------- - -This program is designed to be a passive listener for TCP packets sent to -the host. It does not exercise the promiscous mode of interfaces. For -routing Unix boxes (and firewalls which route/proxy) this is sufficient to -detect all packets going to/through them. - -Upon compiling, a predefined set of "sensitive" ports are configured into -the program. Any TCP packets which are seen sent to these ports are counted -and the IP# of the sending host recorded, along with the time of the first -packet to that port for that IP#. - -After a given number of "hits", it will write the current table of packets -out to disk. This number defaults to 10,000. - -To analyze the information written to disk, a sample program called "ipsdr" -is used (should but doesn't implement a tree algorithm for storing data) -which reads all log files it recognises and totals up the number of ports -each host hit. By default, all ports have the same weighting (1). Another -group of passes is then made over this table using a netmask of 0xfffffffe, -grouping all results which fall under the same resulting IP#. This netmask -is then shrunk back to 0, with a output for each level given. This is aimed -at detecting port scans done from different hosts on the same subnet (although -I've not seen this done, if one was trying to do it obscurely...) - -Lastly, being passive means that no action is taken to stop port scans being -done or discourage them. - -Darren -darrenr@pobox.com |