Scandetd do not listen to specific port - it uses
raw socket. Scandetd's aim is to inform via syslog or email - it will never block
any IP via tcpwrapper or firewall rules. IMHO such behaviour can lead to
All connections are logged via syslogd (SyslogFacility option) if
you tell program to do so (LogConnections option).
Standard log entry looks like this:
scandetd: port 21 connection attempt from 127.0.0.1
If more details is needed than LogDetails option should be
set to 'yes'. Then log entry looks like this:
scandetd: TCP 126.96.36.199(1022) -> 188.8.131.52(22)
Scans or OS probes can be logged too. In case of OS probe log entry is:
scandetd: Possible queso OS probe from 184.108.40.206
If port scan had been detected then log entry looks like this:
Possible port scan from 220.127.116.11 to 18.104.22.168
In a configuration file there is a bunch of options that tell
program to ignore certains source and destination IP addresses or
source and destination ports. For example configuration entry:
HostScanIgnore 192.168.1.0/24:1-1024 -> 192.168.1.1:1024-65535
describes that all connections from 192.168.1.x (with source port
between 1-1024) to 192.168.1.1 (on port 1024-65535) should be ignored
by internal routines that are responsible for scan detection.
If you enable some options in a configuration file then program
can send emails to system administrator.
Following options are related to email warnings :
SendEmail - whether send email about TCP scan
UdpSendEmail - whether send email about UDP scan
MailFrom - Envelope's "From:"
RcptTo - email recipient
MailSubject - mail subject can be composed using special characters:
%p - protocol, %s - source IP, %d - destination IP
SMTPrelay - IP of the host that is able to send a message
MailPort - mail port (usually just 25)
HelloMsg - Argument for HELO command
In case of TCP or UDP scan email contains following informations:
IP address of a scanning host
number of connections made
first and last connection port and time
guessed type of scan (SYN or FIN)
In case of OS fingerprinting probe email contains following informations:
IP address of an attacker
guessed name of the program used by an attacker (nmap or queso)
number of counted packets
TCP flags set in counted packets:
f - FIN flag was set
sx - SYN and seventh bit in flag field was set
null - flag field in TCP packet was zero
fspu - FIN SYN PUSH URGENT
fpu - FIN PUSH URGENT
sxy - SYN, seventh and eighth bit were set
How does it work
If some host tries to establish TCP connection scandetd rememebers
it's IP address. If next connection from the same host is right after the previous
one then internal counter (associated with each IP number) is increased.
If counter reaches some value (CountThreshold option) scandetd
will send email to administrator.
To test the program you have to simulate at least one port scan.
If you want to test scandetd it's good idea to use
program I wrote for this purpose: spoofs (spoof scan).
You don't even have to have internet connection.
Spoofs can emulate port scanning as is it was done from any IP number you
spoofs -s source_IP -d dest_IP -p low-high
for example: spoofs -s 22.214.171.124 -d 126.96.36.199 -p 3-200
perform false scanning 188.8.131.52's ports from 3 to 200
Note: Please use spoofs for educational purpose only.
Do not use this software to annoy somebody
Spoofs was tested only under linux.
Back to home page