I love my Snort, I really do. But sometimes, I just don't need all the extra overhead -- sometimes the resources on a server are somewhat, limited. Looking for a solution I stumbled upon PSAD , a way to detect port scans. Since port scans are often one of the first tactics used to find vulnerabilities on a server, it is a pretty good idea to detect them. Depending on the attack, I receive a nice little email telling me what is going on. To test it out I first fired up nmap, and received a few emails. Next I fired up nessus with updated plugins -- you can be the judge. I now have 50 emails from myself telling me somebody is doing something naughty:
=-=-=-=-=-=-=-=-=-=-=-= Tue Jan 23 10:30:04 2007 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [5] (out of 5) Multi-Protocol
Scanned tcp ports: [11-41111: 337 packets]
tcp flags: [SYN: 337 packets, Nmap: -sT or -sS]
iptables chain: INPUT, 337 packets
Source: 218.167.75.27
DNS: 218-167-75-27.dynamic.hinet.net
Destination: 64.79.194.165
DNS: kelvinism.com
Syslog hostname: kelvinism
Current interval: Tue Jan 23 10:29:54 2007 (start)
Tue Jan 23 10:30:04 2007 (end)
This entry is from my tech blog and was written on Jan. 23, 2007. It's been tagged with All Things Networking and Security and My Big Fat Server. There have been 0 comments so far.