Re: sleath port scanning fix

Thamer Al-Herbish (shadows@whitefang.com)
Mon, 08 Sep 1997 17:35:44 +0000

On Sun, 7 Sep 1997, Superuser (Duncan Simpson) wrote:

> - goto discard;
> + /* SECURITY FIX: stop port scanning with packets that do not
> + * set either ACK or SYN (e.g. just FIN).
> + */
> + printk("Warning: possible attempt at \"sleath\" port scaning: port %d, source IP %s\n", noths(skb->h.th->dest), in_ntoa(skb->nh.iph->saddr));
> + return 1;
> break;
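Review bot: `noths(skb->h.th->dest)` on the `printk` line looks like a typo for `ntohs` and will not compile as written; the `return 1;` also leaves the following `break;` unreachable. Since the old path was `goto discard;`, check that whatever cleanup the `discard` label performs (freeing the skb, for instance) is still done when this path now returns directly. The logging itself is unconditional: every stray packet without SYN or ACK, including a single FIN from a stale connection, produces a kernel log line, so a busy host will flood its log and a scanner can drive that deliberately; track distinct destination ports per source address and log only once a small threshold is crossed, and fix the spelling in the message text ("stealth", "scanning") while touching the line.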

There's a problem here: this means every stray non-(SYN|ACK) packet gets
logged as being a possible "sleath" scan. From my previous experience at
attempting to write scan loggers, you'd really want to make sure this happens
on more than one port before logging it. Or be prepared to have some huge
log files on a busy network.

For what it's worth, you can pick up synlog, a tool that attempts to detect
SYN scans/SYN floods on a network, at http://www.whitefang.com/synlog.html
(please don't all rush out at once). It does more than just keep track of SYN
packets: it watches each individual handshake and makes sure they finish, or
it logs it. Even then, the log files can grow immensely on a busy network.

For people who have seen the earlier version 0.1 (ancient, and barely
functional): the newer 0.4 version is both enhanced and completely
functional on a moderately busy network.

Currently it only supports 10 Mbit Ethernet, and has been tested on
Solaris, FreeBSD-2.2.1 and Linux.

Thamer Al-Herbish
shadows@whitefang.com
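The two heuristics discussed in this thread, in an added example that is neither the kernel patch nor synlog's own code: report a source only after its SYN-less, ACK-less packets have touched several distinct ports (instead of logging every stray FIN), and track each three-way handshake so that half-open connections are reported while completed ones are not. The packet records, the threshold of 3 and the addresses are constructed for the example; a real deployment would feed it from a packet capture and expire old state.

```python
from collections import defaultdict

# Assumed threshold: how many distinct ports a source must probe with
# SYN-less, ACK-less packets before it is reported as a possible scan.
THRESHOLD = 3

# Constructed sample traffic (not a real capture):
# (src_ip, dst_ip, src_port, dst_port, set_of_TCP_flags)
SAMPLE_PACKETS = [
    # 10.0.0.5 sends bare FIN packets to four different ports
    ("10.0.0.5", "192.168.1.10", 40000, 21, {"FIN"}),
    ("10.0.0.5", "192.168.1.10", 40001, 22, {"FIN"}),
    ("10.0.0.5", "192.168.1.10", 40002, 23, {"FIN"}),
    ("10.0.0.5", "192.168.1.10", 40003, 80, {"FIN"}),
    # one stray FIN from 10.0.0.9, e.g. a stale connection being torn down
    ("10.0.0.9", "192.168.1.10", 51000, 80, {"FIN"}),
    # a handshake from 10.0.0.7 that completes normally
    ("10.0.0.7", "192.168.1.10", 52000, 80, {"SYN"}),
    ("192.168.1.10", "10.0.0.7", 80, 52000, {"SYN", "ACK"}),
    ("10.0.0.7", "192.168.1.10", 52000, 80, {"ACK"}),
    # a half-open handshake from 10.0.0.8: SYN and SYN-ACK, but no final ACK
    ("10.0.0.8", "192.168.1.10", 53000, 25, {"SYN"}),
    ("192.168.1.10", "10.0.0.8", 25, 53000, {"SYN", "ACK"}),
]


def stealth_scan_sources(packets, threshold=THRESHOLD):
    """Return {src_ip: sorted list of ports} for every source whose packets
    carrying neither SYN nor ACK reached at least `threshold` distinct ports.
    A single stray FIN therefore never produces a report on its own."""
    ports_by_src = defaultdict(set)
    for src, _dst, _sport, dport, flags in packets:
        if not (flags & {"SYN", "ACK"}):  # neither SYN nor ACK set, e.g. bare FIN
            ports_by_src[src].add(dport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


def incomplete_handshakes(packets):
    """Follow each SYN -> SYN-ACK -> ACK exchange keyed by the client side
    (client_ip, server_ip, client_port, server_port) and return the keys of
    handshakes that never reached the final ACK, i.e. half-open connections."""
    state = {}
    for src, dst, sport, dport, flags in packets:
        if flags == {"SYN"}:
            # client opens: record the half-open attempt
            state[(src, dst, sport, dport)] = "SYN"
        elif flags == {"SYN", "ACK"}:
            # server answers: key is expressed from the client's point of view
            key = (dst, src, dport, sport)
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif flags == {"ACK"}:
            # client's final ACK completes the handshake
            key = (src, dst, sport, dport)
            if state.get(key) == "SYN-ACK":
                state[key] = "DONE"
    return sorted(key for key, stage in state.items() if stage != "DONE")


if __name__ == "__main__":
    for src, ports in stealth_scan_sources(SAMPLE_PACKETS).items():
        print(f"Warning: possible stealth scan from {src}, ports {ports}")
    for client, server, cport, sport in incomplete_handshakes(SAMPLE_PACKETS):
        print(f"Warning: incomplete handshake {client}:{cport} -> {server}:{sport}")
```

Run as a script it reports 10.0.0.5 (four ports) and the half-open attempt from 10.0.0.8, while 10.0.0.9's single FIN and 10.0.0.7's completed handshake stay silent; lowering `threshold` to 1 reproduces the per-packet logging of the original patch.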