Need program to detect outgoing portscans from my network


Post by mb0 » Wed, 10 Apr 2002 01:55:11



Hello all,

I need to be able to detect portscans from two servers on my subnet
(these servers are not administered by me, but I can sniff their
traffic).

I've tried snort with mixed results.

By default snort doesn't log scans from my net to the external net (only
the other way around).

I tried changing the preprocessor portscan: to any and now I am able
to detect portscans from any machine on my subnet to the outside, but
now even web browsing traffic is being picked up as portscans.

So any suggestions would be appreciated.

Thanks

 
 
 


Post by RainbowHa » Wed, 10 Apr 2002 22:51:19


mb0 wrote:

> I need to be able to detect portscans from two servers on my subnet
> (these servers are not administered by me, but I can sniff their
> traffic)
>
> I've tried snort with mixed results.
>
> By default snort doesn't log scans from my net to external net (only
> the other way around)
>
> I tried changing the preprocessor portscan: to any and now I am able
> to detect portscans from any machine on my subnet to the outside but
> now even web browsing traffic is being picked up as portscans.

How about changing the snort sniffing interface from external to internal?
Or configure iptables to log internal interface packets.

--
Regards, RainbowHat. To spoof or not to spoof, that is the packet.
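
An added example, not part of either post: one way to act on the iptables suggestion is to log outbound TCP on the internal interface and count distinct destination ports per (source, destination) pair from pure-SYN packets, so browsing many sites on port 80 does not trip the detector. The watched addresses, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the thread): addresses and thresholds.
WATCHED = {"192.168.1.10", "192.168.1.11"}  # the two servers being monitored
WINDOW = timedelta(seconds=10)              # sliding time window
MAX_PORTS = 15                              # distinct ports per target allowed

# Matches an iptables LOG line for a TCP segment with only SYN set, so
# SYN-ACK replies the servers send to their own clients are not counted.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*?SRC=(\S+) DST=(\S+) "
                  r".*?PROTO=TCP SPT=\d+ DPT=(\d+) .*?RES=\S+ SYN URGP")

def find_scans(lines, year=2002):
    """Return sorted (src, dst) pairs where a watched src sent SYNs to more
    than MAX_PORTS distinct ports on one dst within WINDOW."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (time, dport)
    flagged = set()
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(2) not in WATCHED:
            continue
        # syslog timestamps carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[(m.group(2), m.group(3))]
        q.append((ts, int(m.group(4))))
        while ts - q[0][0] > WINDOW:  # drop probes older than the window
            q.popleft()
        if len({port for _, port in q}) > MAX_PORTS:
            flagged.add((m.group(2), m.group(3)))
    return sorted(flagged)

def sample_line(sec, src, dst, dpt, flags="SYN"):
    """Build one constructed log line in the kernel's LOG-target format."""
    return (f"Apr 10 01:55:{sec:02d} gw kernel: IN=eth1 OUT=eth0 SRC={src} "
            f"DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=5840 RES=0x00 {flags} URGP=0")

# Constructed sample: .10 browses 30 web servers on port 80 (one port per
# destination), .11 probes 30 different ports on a single host.
SAMPLE = ([sample_line(i // 3, "192.168.1.10", f"198.51.100.{i + 1}", 80)
           for i in range(30)] +
          [sample_line(i // 3, "192.168.1.11", "203.0.113.7", 20 + i)
           for i in range(30)])

if __name__ == "__main__":
    for src, dst in find_scans(SAMPLE):
        print(f"possible outbound portscan: {src} -> {dst}")
```

This covers only the many-ports-on-one-host case; a sweep of one port across many hosts would need a second counter keyed on (source, port).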

 
 
 

1. How to setup firewall to allow outgoing portscans?

I would like, as root, to be able to do outgoing portscans..  My
firewall (using ipchains) made from the firewall cgi at
http://linux-firewall-tools.com is pretty strict about outgoing packets.

I currently have to take the firewall completely down to do a portscan,
and I don't much like that..  I'm still confused about ipchains rules.
Can I add a rule at the bottom of the outgoing rules to allow packets
from my IP from any port to any port to any destination, temporarily, to
allow this?  Then I can remove that rule when I'm done.

Thanks!

--
Walter Francis
http://wally.hplx.net                      Powered by RedHat 6.0
