=-=-=-=-=-=-=-=-=-=-=-= Tue Jan 23 10:30:04 2007 =-=-=-=-=-=-=-=-=-=-=-= Danger level: [5] (out of 5) Multi-Protocol Scanned tcp ports: [11-41111: 337 packets] tcp flags: [SYN: 337 packets, Nmap: -sT or -sS] iptables chain: INPUT, 337 packets Source: 218.167.75.27 DNS: 218-167-75-27.dynamic.hinet.net Destination: 64.79.194.165 DNS: kelvinism.com Syslog hostname: kelvinism Current interval: Tue Jan 23 10:29:54 2007 (start) Tue Jan 23 10:30:04 2007 (end)
Lightweight Detection
Published on Tuesday, January 23, 2007
I love my Snort, I really do. But sometimes, I just don't need all the extra overhead -- sometimes the resources on a server are somewhat, limited. Looking for a solution I stumbled upon PSAD , a way to detect port scans. Since port scans are often one of the first tactics used to find vulnerabilities on a server, it is a pretty good idea to detect them. Depending on the attack, I receive a nice little email telling me what is going on. To test it out I first fired up nmap, and received a few emails. Next I fired up nessus with updated plugins -- you can be the judge. I now have 50 emails from myself telling me somebody is doing something naughty: