* Jan Hildebrandt wrote on Wed, Apr 26, 2000 at 13:37 +0000:
Yes, the victim can detect such scans (see below).
Not in every case :-(
That means AFAIK: there's no technical possibility for a solution. You could do a very "slow" scan (i.e. a single port a day) which wouldn't be detected by an IDS system, since you would get lots of false positives.
Yes, the package scanlogd; I guess it's in series "sec".
As far as I know scanlogd is a relatively simple program that doesn't help much.
I got some helpful hints already.
I've never seen a scanlogd warning (on our own server, of course) when trying nmap scans.
Maybe you're using a firewall that blocks those scans? With the default behavior (compile-time configuration), scanlogd looks at packets to the host only. You may compile it using libpcap and enable promiscuous mode, and install scanlogd on an "own" machine which is not running a firewall. It's not simple to configure scanlogd to match _your_ requirements, of course.
And there were quite a few postings on this list that reported false scanlogd alarms (during normal FTP sessions etc.).
It's a "good" practice to use the FTP data port as the source for TCP scans. The only possibility is to watch the FTP logins. But this would open your system for "FTP-bounce scans" (AFAIK); you wouldn't detect them. So I prefer false positives ;)
scanlogd logs a warning if there are many simple connects to a range of ports with ascending numbers (I believe) in a certain time frame.
scanlogd doesn't care about the port numbers; they only must be different.
But nmap is a *really* powerful scanner that can do many different types of scans which aren't easy to detect. And if you scan a range of port numbers using nmap, nmap is clever enough to try the ports in a random order...
... and scanlogd detects them. Random-order scans are usually not FTP look-alikes. It might be a topic to think about, to improve scanlogd to log non-ascending port connects in a different manner. I made a patch which causes scanlogd to log scans against privileged ports (<1024) differently (another message + higher log level). Using this, FTP transfers and scans against high ports only still look similar, but at least syslog points out if there were scans against privileged ports. (patch can be found if interested: http://sws.dett.de/patches/)

oki, Steffen

--
This letter was produced by machine and therefore bears neither signature nor seal.
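Added example, not scanlogd's code and not Steffen's patch: a toy scanlogd-style detector in Python run over constructed connection records. It flags a source that touches many distinct ports within a short window, gives privileged-port hits a higher log level the way the patch above does, and shows why the "slow" scan and the active-mode FTP transfer discussed in this thread are the hard cases. The window, threshold, addresses and records are all assumed.

```python
from collections import defaultdict

WINDOW_SECONDS = 3   # assumed detection window (scanlogd's real tunables differ)
PORT_THRESHOLD = 7   # assumed number of distinct ports within the window

# Constructed records, not real traffic: (timestamp, src_ip, src_port, dst_port)
EVENTS = (
    # fast ascending scan of privileged ports from one host
    [(100 + i * 0.1, "10.0.0.5", 40000 + i, 21 + i) for i in range(8)]
    # random-order scan of high ports only (what nmap does by default)
    + [(200 + i * 0.2, "10.0.0.9", 41000 + i, p)
       for i, p in enumerate([8080, 3306, 5900, 9000, 6000, 8000, 7000])]
    # "slow" scan: one port every 10 s, never enough hits inside the window
    + [(300 + i * 10, "10.0.0.7", 42000 + i, 1000 + i) for i in range(10)]
    # active-mode FTP transfers: source port 20, several ascending data ports
    + [(400 + i * 0.3, "192.0.2.4", 20, 50001 + i) for i in range(7)]
)

def detect_scans(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {src_ip: alert} for sources hitting >= threshold distinct
    destination ports within `window` seconds (sliding window per source)."""
    by_src = defaultdict(list)
    for ts, src, sport, dport in sorted(events):
        by_src[src].append((ts, sport, dport))
    alerts = {}
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            dports = [d for _, _, d in win]
            distinct = set(dports)
            if len(distinct) < threshold:
                continue
            alerts[src] = {
                "ports": sorted(distinct),
                "privileged": sorted(p for p in distinct if p < 1024),
                # ascending order looks like an FTP session; random order does not
                "ascending": dports == sorted(dports),
                # source port 20 on every connection: probably FTP data, not a scan
                "ftp_data_source": all(s == 20 for _, s, _ in win),
                # the patch idea: hits on privileged ports get a higher log level
                "level": "warning" if any(p < 1024 for p in distinct) else "notice",
            }
            break
    return alerts
```

Calling `detect_scans(EVENTS)` yields alerts for the two scanners and the FTP client (the false positive the thread talks about), but nothing for the slow scanner.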