Firewalls: Simple Satan detector (was Re: GABRIEL )

Firewalls
(April 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Simple Satan detector (was Re: GABRIEL )
From:	Doug Hughes <Doug . Hughes @ Eng . Auburn . EDU>
Date:	Fri, 7 Apr 1995 17:01:39 -0500
To:	firewalls @ greatcircle . com
In-reply-to:	<9504061352 . AA18509 @ isdaix . cabq . gov>

An adequate SATAN detector is just to alarm a few never used, but often
scanned ports. We've done this by putting a tcp process in inetd.conf
listening for a connection on tcpmux, rje, link, and supdup ports. Satan
and other scanners trip these ports. The process' only function is to
send out a syslog alarm to a secure station about the possible scan
attempt. It includes the source address of the machine sending the packet(s).
 If anybody's interested I've put the lines and the source in
ftp://ftp.eng.auburn.edu/pub/doug/satan

You can really stick it at any tcp port you want.

--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug @
 eng .
 auburn .
 edu
		"Real programmers use cat > file.as"

References:

Re: GABRIEL
From: " (K. Lee Stark)" <stark @ cabq . gov>

Indexed By Date	Previous:	Re: The Software that ate Sunnyvale (was S attacks everywhere) From: z056716 @ uprc . com
Indexed By Date	Next:	Re: The Software that ate Sunnyvale (was S attacks everywhere) From: peterg @ airdata . com (Peter Gregory)
Indexed By Thread	Previous:	Re: GABRIEL From: paul @ hawksbill . sprintmrn . com (Paul Ferguson)
Indexed By Thread	Next:	Re: GABRIEL From: "Frank Byrum" <byrum @ vbv . dec . com>