diff options
Diffstat (limited to 'ipsd/README')
-rw-r--r-- | ipsd/README | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/ipsd/README b/ipsd/README new file mode 100644 index 0000000..eb6b798 --- /dev/null +++ b/ipsd/README @@ -0,0 +1,32 @@ + +IP Scan Detetor. +---------------- + +This program is designed to be a passive listener for TCP packets sent to +the host. It does not exercise the promiscous mode of interfaces. For +routing Unix boxes (and firewalls which route/proxy) this is sufficient to +detect all packets going to/through them. + +Upon compiling, a predefined set of "sensitive" ports are configured into +the program. Any TCP packets which are seen sent to these ports are counted +and the IP# of the sending host recorded, along with the time of the first +packet to that port for that IP#. + +After a given number of "hits", it will write the current table of packets +out to disk. This number defaults to 10,000. + +To analyze the information written to disk, a sample program called "ipsdr" +is used (should but doesn't implement a tree algorithm for storing data) +which reads all log files it recognises and totals up the number of ports +each host hit. By default, all ports have the same weighting (1). Another +group of passes is then made over this table using a netmask of 0xfffffffe, +grouping all results which fall under the same resulting IP#. This netmask +is then shrunk back to 0, with a output for each level given. This is aimed +at detecting port scans done from different hosts on the same subnet (although +I've not seen this done, if one was trying to do it obscurely...) + +Lastly, being passive means that no action is taken to stop port scans being +done or discourage them. + +Darren +darrenr@pobox.com |