Detecting the "undetectable".

From: Patrick Gilbert (gilbertat_private)
Date: Wed Dec 16 1998 - 15:21:58 PST


    Like many system administrators, paranoia comes as a sixth sense. They
    don't like their networks prodded or probed by outsiders; this would be
    like bursting in their office while they are taking their coffee and
    groping them.
    
    So, after having my fun with nmap-2.00, I decided to conjure something
    that will monitor for this type of network reconnaissance.
    
    The monitor works with tcpdump, and perl provides flexibility. Feel free
    to improve on it, and mail me a copy. You must provide the network to
    monitor and ports to exclude, and you can also add filters for larger
    networks.
    
    Here are a few suspicious packets it looks out for, with added features
    you can read about and grab the source at http://www.pgci.ca/syn.html
    
    icmp packets (you can add filters), udp packets (same), TCP packets
    with no ACK, fragmented IP packets, IP packets with options, packets
    with X.X.X.255 destination, packets with X.X.X.0 destination.
    
    Cheers,
    --
    Patrick Gilbert
    PGCI Inc.
    http://www.pgci.ca
    Montreal (QC), Canada
    CE AB B2 18 E0 FE C4 33  0D 9A AC 18 30 1F D9 1A
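The heuristics the post lists (ICMP, UDP to unexpected ports, TCP without ACK, fragments, IP options, X.X.X.255 and X.X.X.0 destinations), applied to a capture as a detection pass. This is an added example, not the perl script from www.pgci.ca: it is Python, the monitored network, excluded ports and ignored ICMP types are assumed configuration values, and the input is a simplified, constructed tcpdump-like line format ("PROTO src > dst key=value ..."), not tcpdump's real output.

```python
"""Flag packets that match the scan-detection heuristics from the post.

Added example (not the script from www.pgci.ca). Input lines use a
constructed, simplified tcpdump-like format:
    "<ICMP|UDP|TCP|IP> <src[:port]> > <dst[:port]> [key=value ...]"
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed configuration: the network to watch, ports whose inbound
# traffic is expected (servers we run), and ICMP types to ignore
# (type 0 = echo reply, i.e. answers to our own pings).
MONITORED_NET = ipaddress.ip_network("192.168.1.0/24")
EXCLUDED_PORTS = {25, 80}
ICMP_IGNORE_TYPES = {"0"}

LINE_RE = re.compile(
    r"^(?P<proto>ICMP|UDP|TCP|IP)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)(?P<rest>.*)$"
)


@dataclass
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    attrs: Dict[str, str]  # e.g. flags=S, frag=1, options=RR, type=8


def _split_endpoint(endpoint: str):
    """'10.0.0.5:40000' -> ('10.0.0.5', 40000); '10.0.0.5' -> ('10.0.0.5', None)."""
    if ":" in endpoint:
        host, port = endpoint.rsplit(":", 1)
        return host, int(port)
    return endpoint, None


def parse_line(line: str) -> Optional[Packet]:
    """Parse one capture line; return None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    attrs = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    return Packet(m["proto"], src_ip, dst_ip, src_port, dst_port, attrs)


def suspicious_reasons(pkt: Packet) -> List[str]:
    """Return every heuristic the packet trips (empty list = not suspicious)."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    if dst not in MONITORED_NET:
        return []  # only traffic aimed at the monitored network matters
    reasons: List[str] = []
    if pkt.proto == "ICMP" and pkt.attrs.get("type") not in ICMP_IGNORE_TYPES:
        reasons.append("icmp")
    elif pkt.proto == "UDP" and pkt.dst_port not in EXCLUDED_PORTS:
        reasons.append("udp")
    elif pkt.proto == "TCP" and pkt.dst_port not in EXCLUDED_PORTS:
        # SYN, FIN, null scans etc. all lack ACK; established traffic has it.
        if "A" not in pkt.attrs.get("flags", ""):
            reasons.append("tcp-no-ack")
    if pkt.attrs.get("frag") == "1":
        reasons.append("fragment")
    if "options" in pkt.attrs:
        reasons.append("ip-options")
    last_octet = int(dst) & 0xFF
    if last_octet == 255:
        reasons.append("dst-x.x.x.255")
    elif last_octet == 0:
        reasons.append("dst-x.x.x.0")
    return reasons


def scan_capture(lines):
    """Run the heuristics over capture lines; return (line, reasons) alerts."""
    alerts = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        reasons = suspicious_reasons(pkt)
        if reasons:
            alerts.append((line.strip(), reasons))
    return alerts


# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = [
    "TCP 10.0.0.5:40000 > 192.168.1.10:22 flags=S",      # SYN to non-excluded port
    "TCP 10.0.0.5:40001 > 192.168.1.10:80 flags=S",      # SYN to our web server: expected
    "TCP 192.168.1.10:22 > 10.0.0.5:40000 flags=SA",     # outbound: not our network
    "TCP 10.0.0.5:40002 > 192.168.1.10:22 flags=",       # null scan (no flags)
    "UDP 10.0.0.5:53 > 192.168.1.10:1434",
    "ICMP 10.0.0.5 > 192.168.1.10 type=8",               # echo request
    "ICMP 10.0.0.5 > 192.168.1.10 type=0",               # echo reply: ignored
    "IP 10.0.0.5 > 192.168.1.10 frag=1",
    "IP 10.0.0.5 > 192.168.1.10 options=RR",
    "TCP 10.0.0.5:40003 > 192.168.1.255:139 flags=S",    # broadcast + no ACK
    "TCP 10.0.0.5:40003 > 192.168.1.0:139 flags=S",
    "TCP 10.0.0.5:40004 > 192.168.1.20:22 flags=A",      # ACK present: established
    "this is not a packet line",
]

if __name__ == "__main__":
    for line, reasons in scan_capture(SAMPLE_CAPTURE):
        print(f"{', '.join(reasons):28} {line}")
```

The excluded-port list is what keeps ordinary inbound SYNs to the services you actually run from being reported; everything else without ACK, and every fragment or optioned packet, is surfaced with all the reasons it matched so a broadcast SYN shows up as both.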
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:10 PDT