Mailing list home
  Find posts   Help

Latest messageRecent messages

In this thread:
  [This is the only message]
By msg id:
 Prev: 3 May 2001 7:46
 Next: 2 May 2001 14:36

Other threads:
 Prev: Re: Clearing a text field?
 Next: Print to printer not screen

Same author:
 Prev: 30 Apr 2001 11:18
 Next: 4 May 2001 10:48

 Random message

Indexes:
 By topic
 By date
 By author
 By subject
Join the Mailing List....
AccessibilityAbout / FAQ
Member's loungeContact/FeedbackOther REBOL links
Membership:
member name

password

Remember?

Not a member? Please join
10-Dec 11:53 UTC
[0.071] 10.313k
Mailing List Archive: 49091 messages
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

[REBOL] Port Scan Detector

From: ryanc::iesco-dms::com at: 2-May-2001 14:43


I am still testing it, please let me know if you find any issues.
--Ryan

#!/usr/bin/rebol -w

REBOL [
  Title: "Port Scan Detector"
  File: %scan-det.r
  Purpose: "Alerts administrator of a port accesses, possible signs of a
hacker seige."
  Author: "Ryan S. Cole"
  Date: 2-May-2001
  Version: 0.5.0 ; Beta!  Not yet proven to work in the real world! Use
at own risk!
  Email: [ryanc--iesco-dms--com]
]

if exists? %scan-det.ini [ do load %scan-det.ini ]

if not value? 'ports [ ports: to-block load ask "Enter ports to watch: "
]
if not value? 'delay [ delay: 10 ] ; notify after a pause of x seconds
if not value? 'threshold [ threshold: 10 ] ; notify after x attempts
if not value? 'display [ display: yes ]
if not value? 'notify [ notify: to-block load ask "Enter who to notify
(emails or files): " ]
if not block? notify [ notify: to-block notify ]

if all [
    not exists? %scan-det.ini
    confirm "Would you like to create an ini file? "
  ] [
  write %scan-det.ini rejoin [
    "; Ports to watch.^/"
    "; ports: [21 23 80]^/"
    "ports: " mold ports "^/^/"

    "; Emails or files to notify.^/"
    "; notify: [^/"
    ";     [admin--foo--com]^/"
    ";     [security--foo--com]^/"
    ";     %logfile.txt^/"
    ";     ftp://user:[pass--ftp--server--com]/logfile.txt^/"
    "; ]^/"
    "notify: " mold notify " ^/^/"

    "; Notification occurs after an access has been made, and once^/"
    "; either the delay or threshold requirements are met.  This is^/"
    "; so you recieve a single email for multiple attempts, as
opposed^/"
    "; one email for each attempt.^/"
    "delay: " delay " ; Trigger notification upon delay in attempts this
many seconds long.^/"
    "threshold: " threshold " ; Trigger notification upon this number of
attempts.^/^/"
    "display: " display " ; Show a console (yes or no) ^/"
  ]
]

wait-list: reduce [delay]
log-data: ""
tries: 0

either display [
  screen: func ["Prints stuff to console." v] [prin :v :v]
  print "Port Scan Detector^/"
  print "Watching Ports:"
  print ports
] [
  screen func ["Does nothing really." v] [:v]
]

log: func [
  "Store some info about the connection."
  connection
] [
  append log-data screen reform [
    connection/remote-ip
    connection/remote-port
    read join dns:// connection/remote-ip
    now "^/"
  ]
]

alert: func [
  "Write/send log-data to whomever is listed in notify"
] [
  foreach notifee notify [
    screen reform [ "Alerting: " notifee "^/" ]
    error? try [
      either email? notifee [
        send notifee rejoin [ "ALERT FROM " read dns:// "^/" log-data]
      ] [
        write/append notifee log-data
      ]
    ]
  ]
  screen "^/"
  log-data: copy ""
  tries: 0
]

;Start listening
forall ports [
  append wait-list open/lines join tcp://: first ports
]

forever [
  conn?: wait wait-list
  if port? conn? [
    conn: first conn?
    log conn
    error? try [ close conn ]
    tries: tries + 1
  ]
  if all [ none? conn?  not zero? length? log-data ] [ alert ]
  if all [ tries > threshold  not zero? length? log-data ] [ alert ]
]

  [This is the only message in the thread]