Bugtraq mailing list archives

Re: BoS: IP Port Scan Detector.


From: mcn () EnGarde com (Mike Neuman)
Date: Sun, 3 Dec 1995 15:52:24 -0600


Three things:

Darren Reed <avalon () coombs anu edu au> wrote:
It doesn't look for Stealth Scans by their signature (half-open connections
and using ACKs, etc), but just registers all packets sent to a select
number of ports.  The higher the number of ports `hit' by a given host,
the higher its score for probability of having done a port scan.

1) I haven't looked at the code, but it would seem a couple of things were
significant in this approach:
   - What happens if a firewall is blocking some of the "sensitive" ports?
     (e.g. ports 1-100 but not 23 get scanned)
   - Time would seem to be significant (e.g. what if I scan a new port every 5
     minutes (or whatever)?). And if the timing is too small, a busy server
     will most likely get flagged as being scanned.

2) You didn't mention if your half-open port scanner was available. I wrote
one a long time ago which is freely available. If anyone would like to grab a
copy of it, you can find it in the intrusion section of my home page. It only
runs under SunOS 4.x, but it's basically just a proof of concept. :-)

   http://www.engarde.com/~mcn

3) Are firewall logging packages vulnerable to this? (i.e. Does the firewall
only log/alert on the existence of a fully established connection, or merely
on the first SYN?)

-Mike
mcn () EnGarde com
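As an added illustration of the three concerns raised in point 1 (not code from the detector under discussion, nor from either poster), here is a toy version of the "distinct ports hit per host" scorer in Python, replayed over constructed traffic. The window length, threshold, event format, host addresses and all of the sample traffic are assumptions chosen for the demonstration: a fast scan is caught, a scan that touches one new port every 5 minutes stays under a short window, a legitimate host that talks to a dozen services crosses the threshold, and a scan of ports 1-100 behind a filter that only passes port 23 looks like a single hit to the sensor.

```python
from collections import defaultdict, deque


class PortHitScorer:
    """Score each source host by the number of distinct destination ports it
    has hit within a sliding time window. TCP flags are deliberately ignored,
    matching the "register every packet" approach described in the thread,
    so a SYN-only half-open probe counts the same as a full connection."""

    def __init__(self, window_seconds, threshold):
        self.window = window_seconds
        self.threshold = threshold
        self._hits = defaultdict(deque)  # src -> deque of (ts, port), oldest first

    def observe(self, ts, src, port):
        """Record one packet and return the host's current distinct-port count."""
        q = self._hits[src]
        q.append((ts, port))
        # Drop hits that have aged out of the window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return len({p for _, p in q})


def score_trace(events, window_seconds, threshold):
    """Replay (ts, src, dst_port) events in time order.
    Returns (peak score per source, set of sources that ever reached threshold)."""
    scorer = PortHitScorer(window_seconds, threshold)
    peak = defaultdict(int)
    flagged = set()
    for ts, src, port in sorted(events):
        score = scorer.observe(ts, src, port)
        peak[src] = max(peak[src], score)
        if score >= threshold:
            flagged.add(src)
    return dict(peak), flagged


def behind_firewall(events, allowed_ports):
    """Model a sensor behind a packet filter: probes to blocked ports never
    reach it, so it cannot count them (assumed topology)."""
    return [e for e in events if e[2] in allowed_ports]


# Constructed sample traffic (hosts, ports and timings are made up):
# - 10.0.0.5 sweeps ports 1-100 in about a second
# - 10.0.0.6 sweeps the same ports at one new port every 5 minutes
# - 10.0.0.7 is a legitimate client cycling through a dozen real services
FAST_SCAN = [(i * 0.01, "10.0.0.5", p) for i, p in enumerate(range(1, 101))]
SLOW_SCAN = [(i * 300.0, "10.0.0.6", p) for i, p in enumerate(range(1, 101))]
SERVICE_PORTS = [22, 25, 53, 80, 110, 143, 443, 993, 995, 3306, 5432, 8080]
BUSY_HOST = [(i * 0.5, "10.0.0.7", SERVICE_PORTS[i % len(SERVICE_PORTS)])
             for i in range(240)]


def demo(window_seconds=60.0, threshold=10):
    """Return which constructed sources get flagged under the given settings
    (window and threshold values are assumptions, not the detector's)."""
    results = {}
    results["fast"] = score_trace(FAST_SCAN, window_seconds, threshold)[1]
    results["slow"] = score_trace(SLOW_SCAN, window_seconds, threshold)[1]
    results["busy"] = score_trace(BUSY_HOST, window_seconds, threshold)[1]
    # Same fast scan, but the sensor sits behind a filter passing only port 23.
    results["fast_filtered"] = score_trace(
        behind_firewall(FAST_SCAN, {23}), window_seconds, threshold)[1]
    return results


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:14s} flagged={sorted(flagged)}")
    # Widening the window to an hour catches the slow scan again.
    print("slow (1h window) flagged=", sorted(demo(window_seconds=3600.0)["slow"]))
```

With a 60 second window and a threshold of 10 distinct ports, only the fast scan and the busy host are flagged; the slow scan never holds more than one port in the window, and the filtered scan never more than one port at all. Stretching the window to an hour flags the slow scan, at the cost of keeping every host's hits around for an hour, which is the trade-off the timing question in point 1 is pointing at.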


