A lot of people report system crashes from Satan's heavy scan mode.
These people obviously never ran any port scanners against the machines in
question before, although maybe they should have. Port scanning is no-brainer
technology that has been around for years, and yet NOW they're complaining.
I guess the implementors of the offending TCP stacks never ran this sort of
brute-test against it themselves, either. Need I point out that this isn't
SATAN's fault?! You would think that years of "bakeoffs" would have made
most TCP stacks immune to this sort of thing.
Ob-firewalls: A large organization may have internal users who try to bypass
a "low port diode" packet filter by hanging TCP services off "high" ports. An
alternative to running frequent active tests over a large internal network to
try and find these things is to simply monitor at the choke point for outbound
ACK SYN, which indicates an ANSWERED TCP connection. After valid FTP-data
connections are suppressed, use of such "backdoor" services will simply be
caught by the astute log-reader. The log-reader can then go test a much
smaller set of host/port pairs using this list, to see what they are, and
present the findings to the offending humans.
An expression like
tcp ( tcp & 0xFF = 0x12 ) and ( not dst net x.y.0.0 )
plugged into tcpdump or snoop should do the trick. Add "not dst port 20"
if you want to filter out the ftp-data stuff on the fly. Then just sit back
and wait for the internal people to "try it".
See Gabriel and Courtney for more niftoid examples of tcpdump expressions.
[They're a great couple, eh? Better than Muffy and B1ff.]