When a host tries to establish a TCP connection, scandetd remembers its IP address.
If the next connection from the same host arrives right after the previous one
(the time limit is set to 1 sec, and I'm going to change the time resolution),
an internal counter associated with that IP address is increased.
If the counter reaches a certain value (which can be changed in a #define), scandetd
sends an email to the administrator.
To test the program you have to simulate at least one port scan.
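The per-IP counting described above, as an added example in C (not scandetd's own code). The table size, the threshold of 5, the printed message and the choice to restart the count after a gap longer than the time limit are assumptions; scandetd defines its own threshold in a #define and sends email instead of printing.

```c
#include <stdio.h>
#include <stdint.h>
#include <time.h>

#define MAX_HOSTS 64       /* hypothetical table size, not scandetd's */
#define SCAN_THRESHOLD 5   /* hypothetical threshold; scandetd sets its own via #define */
#define TIME_LIMIT 1       /* seconds: attempts this close together count as one burst */

struct host_entry {
    uint32_t ip;        /* source address in host byte order */
    time_t last_seen;   /* time of the previous connection attempt */
    int counter;        /* consecutive attempts within TIME_LIMIT of each other */
};

static struct host_entry table[MAX_HOSTS];
static int table_used;

/* Find the entry for ip, creating it if needed; NULL when the table is full. */
static struct host_entry *lookup(uint32_t ip)
{
    for (int i = 0; i < table_used; i++)
        if (table[i].ip == ip)
            return &table[i];
    if (table_used == MAX_HOSTS)
        return NULL;
    struct host_entry *e = &table[table_used++];
    e->ip = ip;
    e->last_seen = 0;
    e->counter = 0;
    return e;
}

/* Record one TCP connection attempt from ip at time now.
 * Returns 1 exactly when the counter reaches SCAN_THRESHOLD (the alert), else 0.
 * Assumption: a gap longer than TIME_LIMIT restarts the count at 1. */
int scandetd_track(uint32_t ip, time_t now)
{
    struct host_entry *e = lookup(ip);
    if (e == NULL)
        return 0;   /* table full: this host cannot be tracked */
    if (e->counter > 0 && now - e->last_seen <= TIME_LIMIT)
        e->counter++;
    else
        e->counter = 1;
    e->last_seen = now;
    if (e->counter != SCAN_THRESHOLD)
        return 0;
    printf("possible port scan from %u.%u.%u.%u\n", (unsigned)(ip >> 24) & 0xff,
           (unsigned)(ip >> 16) & 0xff, (unsigned)(ip >> 8) & 0xff, (unsigned)ip & 0xff);
    return 1;
}

/* Forget every tracked host (used between test runs). */
void scandetd_reset(void) { table_used = 0; }
```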
Testing
If you want to test scandetd, it is a good idea to use the
program I wrote for this purpose: spoofs (spoof scan).
You don't even have to have an internet connection.
Spoofs can emulate port scanning as if it were done from any IP address you
choose.
Spoofs usage:
spoofs -s source_IP -d dest_IP -p low-high
for example: spoofs -s 1.2.3.4 -d 149.156.208.143 -p 3-200
performs a fake scan of 149.156.208.143's ports from 3 to 200, appearing to come from 1.2.3.4
This is the simplest way to test scandetd:
if you aren't running sendmail (or any other MTA), compile scandetd with
-DDOSYSLOG and -DLOGCON to see its actions in the system logs
then run spoofs against the local host (e.g. spoofs -s 1.1.1.1 -d 127.0.0.1 -p 1-60)
Download spoofs
Note: Please use spoofs for educational purposes only.
Do not use this software to annoy somebody.