Scandetd does not listen on any specific port; it reads traffic from a raw socket. Its aim is only to inform, via syslog or email: it never blocks an IP address through tcpwrappers or firewall rules. In my opinion automatic blocking of that kind can be turned into a denial-of-service attack, since an attacker who spoofs a scan from a legitimate address gets that address locked out.

Logging

All connections are logged via syslogd (to the facility set by the SyslogFacility option) if the LogConnections option tells the program to do so. A standard log entry looks like this:

scandetd: port 21 connection attempt from 127.0.0.1

If more detail is needed, set the LogDetails option to 'yes'. The log entry then looks like this:

scandetd: TCP 149.156.208.142(1022) -> 149.156.208.100(22)

Scans and OS probes are logged too. For an OS probe the log entry is:

scandetd: Possible queso OS probe from 149.156.208.142

If a port scan has been detected, the log entry looks like this:

Possible port scan from 149.156.208.100 to 149.156.208.100

The configuration file has a number of options that tell the program to ignore certain source and destination IP addresses or source and destination ports. For example, the configuration entry:

HostScanIgnore 192.168.1.0/24:1-1024 -> 192.168.1.1:1024-65535

says that all connections from 192.168.1.x (with a source port between 1 and 1024) to 192.168.1.1 (on ports 1024-65535) should be ignored by the internal routines responsible for scan detection.

Sending emails

If you enable some options in the configuration file, the program can send emails to the system administrator. The following options are related to email warnings:

  • SendEmail - whether to send email about a TCP scan
  • UdpSendEmail - whether to send email about a UDP scan
  • MailFrom - envelope "From:" address
  • RcptTo - email recipient
  • MailSubject - mail subject; it can be composed using special sequences: %p - protocol, %s - source IP, %d - destination IP
  • SMTPrelay - IP of a host that is able to relay the message
  • MailPort - mail port (usually just 25)
  • HelloMsg - argument for the HELO command

For a TCP or UDP scan the email contains the following information:
  • time
  • IP address of the scanning host
  • number of connections made
  • first and last connection port and time
  • guessed type of scan (SYN or FIN)

For an OS fingerprinting probe the email contains the following information:
  • IP address of the attacker
  • guessed name of the program used by the attacker (nmap or queso)
  • event time
  • number of counted packets
  • TCP flags set in the counted packets:
    f - FIN flag was set
    sx - SYN and the seventh bit of the flags field were set
    null - flags field of the TCP packet was zero
    fspu - FIN, SYN, PUSH and URGENT were set
    fpu - FIN, PUSH and URGENT were set
    sxy - SYN and the seventh and eighth bits were set

How does it work

If some host tries to establish a TCP connection, scandetd remembers its IP address. If the next connection from the same host comes right after the previous one, an internal counter (associated with each IP address) is increased. When the counter reaches the configured value (CountThreshold option), scandetd sends an email to the administrator.
To test the program you have to simulate at least one port scan.
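The counter described above, combined with the HostScanIgnore filtering from the Logging section, as an added example that is not scandetd's own code: a small Python model that reads syslog lines in the LogDetails format, drops connections matched by an ignore rule, and raises one alert when a source's run of back-to-back connections reaches CountThreshold. The adjacency window (max_gap_seconds, 2 s; the page gives no number for "right after"), the acceptance of a bare host or single port in a rule, and the sample log lines are assumptions constructed for the example.

```python
"""Toy model of scandetd's per-source connection counter, run over syslog
lines in the LogDetails format.  Added example, not scandetd's code: the
adjacency window, the host/port shorthand in ignore rules and the sample
log are assumptions constructed for illustration."""
import ipaddress
import re
from datetime import datetime

# Constructed sample syslog input (LogDetails = yes).  Classic syslog
# timestamps carry no year, so strptime defaults it; only differences matter.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw scandetd: TCP 192.168.1.7(1023) -> 192.168.1.1(2049)
Mar  3 10:00:02 gw scandetd: TCP 149.156.208.142(40001) -> 149.156.208.100(21)
Mar  3 10:00:02 gw scandetd: TCP 149.156.208.142(40002) -> 149.156.208.100(22)
Mar  3 10:00:03 gw scandetd: TCP 149.156.208.142(40003) -> 149.156.208.100(23)
Mar  3 10:00:03 gw scandetd: TCP 149.156.208.142(40004) -> 149.156.208.100(25)
Mar  3 10:00:04 gw scandetd: TCP 149.156.208.142(40005) -> 149.156.208.100(80)
Mar  3 10:30:00 gw scandetd: TCP 10.0.0.9(5555) -> 149.156.208.100(22)
Mar  3 11:30:00 gw scandetd: TCP 10.0.0.9(5556) -> 149.156.208.100(80)
"""

# The one HostScanIgnore rule shown on the page.
IGNORE_RULES = ["192.168.1.0/24:1-1024 -> 192.168.1.1:1024-65535"]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ scandetd: "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)


def parse_log_line(line):
    """Return a dict for a LogDetails entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def _port_range(spec):
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)      # assumed shorthand: "22" means 22-22


def parse_ignore_rule(rule):
    """'net:ports -> net:ports' -> ((src_net, (lo, hi)), (dst_net, (lo, hi)))."""
    def side(spec):
        host, _, ports = spec.strip().rpartition(":")
        return ipaddress.ip_network(host, strict=False), _port_range(ports)
    src, dst = rule.split("->")
    return side(src), side(dst)


def is_ignored(conn, rules):
    """True when the connection matches any parsed HostScanIgnore rule."""
    for (snet, (slo, shi)), (dnet, (dlo, dhi)) in rules:
        if (ipaddress.ip_address(conn["src"]) in snet and slo <= conn["sport"] <= shi
                and ipaddress.ip_address(conn["dst"]) in dnet and dlo <= conn["dport"] <= dhi):
            return True
    return False


def detect_scans(log_text, ignore_rules, count_threshold=5, max_gap_seconds=2):
    """Emulate the counter: consecutive connections from one source within
    max_gap_seconds bump its counter; reaching CountThreshold raises a single
    alert carrying the fields the warning email lists."""
    rules = [parse_ignore_rule(r) for r in ignore_rules]
    state, alerts = {}, []
    for line in log_text.splitlines():
        conn = parse_log_line(line)
        if conn is None or is_ignored(conn, rules):
            continue
        st = state.get(conn["src"])
        # A gap longer than the window (assumed value) resets the counter.
        if st is None or (conn["ts"] - st["last_time"]).total_seconds() > max_gap_seconds:
            st = state[conn["src"]] = {"count": 0, "first_time": conn["ts"],
                                        "first_port": conn["dport"]}
        st["count"] += 1
        st["last_time"], st["last_port"] = conn["ts"], conn["dport"]
        if st["count"] == count_threshold:      # alert once, not on every later hit
            alerts.append({"source": conn["src"], "target": conn["dst"],
                           "connections": st["count"],
                           "first_port": st["first_port"], "last_port": st["last_port"],
                           "first_time": st["first_time"], "last_time": st["last_time"],
                           "message": f"Possible port scan from {conn['src']} to {conn['dst']}"})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG, IGNORE_RULES):
        print(a["message"], a["first_port"], "->", a["last_port"], a["connections"])
```

On the sample log the 192.168.1.7 line is swallowed by the ignore rule, 10.0.0.9 never alerts because its two connections are an hour apart and the counter resets between them, and 149.156.208.142 trips the threshold on its fifth connection. Lowering max_gap_seconds or raising count_threshold shows the trade-off scandetd's options expose: a slow scanner that paces probes wider than the window is never counted.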

Testing

If you want to test scandetd, it is a good idea to use the program I wrote for this purpose: spoofs (spoof scan). You don't even need an internet connection. Spoofs can emulate a port scan as if it were done from any IP address you choose.
Spoofs usage:
spoofs -s source_IP -d dest_IP -p low-high
for example: spoofs -s 1.2.3.4 -d 149.156.208.143 -p 3-200
performs a fake scan of 149.156.208.143's ports 3 to 200

Download spoofs

Note: Please use spoofs for educational purposes only. Do not use this software to annoy anybody.

Spoofs has been tested only under Linux.

source: spoofs-0.6.tar.gz
