Port Scan Detector

 [1/1] from: ryanc@iesco-dms.com at: 2-May-2001 14:43


I am still testing it, please let me know if you find any issues.

--Ryan

#!/usr/bin/rebol -w
REBOL [
    Title: "Port Scan Detector"
    File: %scan-det.r
    Purpose: "Alerts administrator of port accesses, possible signs of a hacker siege."
    Author: "Ryan S. Cole"
    Date: 2-May-2001
    Version: 0.5.0 ; Beta! Not yet proven to work in the real world! Use at own risk!
    Email: ryanc@iesco-dms.com
]

; Settings are read from %scan-det.ini when it exists; anything missing is asked for.
if exists? %scan-det.ini [do load %scan-det.ini]
if not value? 'ports [ports: to-block load ask "Enter ports to watch: "]
if not value? 'delay [delay: 10]             ; notify after a pause of x seconds
if not value? 'threshold [threshold: 10]     ; notify after x attempts
if not value? 'display [display: yes]
if not value? 'notify [
    notify: to-block load ask "Enter who to notify (emails or files): "
]
if not block? notify [notify: to-block notify]

if all [
    not exists? %scan-det.ini
    confirm "Would you like to create an ini file? "
] [
    write %scan-det.ini rejoin [
        "; Ports to watch.^/"
        "; ports: [21 23 80]^/"
        "ports: " mold ports "^/^/"
        "; Emails or files to notify.^/"
        "; notify: [^/"
        ";     admin@foo.com^/"
        ";     security@foo.com^/"
        ";     %logfile.txt^/"
        ";     ftp://user:pass@ftp.server.com/logfile.txt^/"
        "; ]^/"
        "notify: " mold notify "^/^/"
        "; Notification occurs after an access has been made, and once^/"
        "; either the delay or threshold requirements are met. This is^/"
        "; so you receive a single email for multiple attempts, as opposed^/"
        "; to one email for each attempt.^/"
        "delay: " delay " ; Trigger notification upon delay in attempts this many seconds long.^/"
        "threshold: " threshold " ; Trigger notification upon this number of attempts.^/^/"
        "display: " display " ; Show a console (yes or no)^/"
    ]
]

wait-list: reduce [delay]   ; timeout comes first, the listening ports are appended below
log-data: copy ""
tries: 0

either display [
    screen: func ["Prints stuff to console." v] [prin :v :v]
    print "Port Scan Detector^/"
    print "Watching Ports:"
    print ports
] [
    screen: func ["Does nothing really." v] [:v]   ; was missing the colon, so screen was never defined
]

log: func ["Store some info about the connection." connection /local host] [
    ; Reverse lookup of the scanner can fail or stall; never let it kill the detector.
    if error? try [host: read join dns:// connection/remote-ip] [host: "unresolved"]
    append log-data screen reform [
        connection/remote-ip connection/remote-port host now "^/"
    ]
]

alert: func ["Write/send log-data to whomever is listed in notify"] [
    foreach notifee notify [
        screen reform ["Alerting:" notifee "^/"]
        error? try [
            either email? notifee [
                send notifee rejoin ["ALERT FROM " read dns:// "^/" log-data]
            ] [
                write/append notifee log-data
            ]
        ]
    ]
    screen "^/"
    log-data: copy ""
    tries: 0
]

; Start listening on every watched port (ports below 1024 need root).
foreach port-num ports [
    append wait-list open/lines join tcp://: port-num
]

forever [
    conn?: wait wait-list      ; a port with a pending connection, or none after `delay` seconds
    if port? conn? [
        conn: first conn?      ; accept, log, and drop; we never talk back to the scanner
        log conn
        error? try [close conn]
        tries: tries + 1
    ]
    ; Quiet for `delay` seconds with something logged: flush the batch.
    if all [none? conn? not zero? length? log-data] [alert]
    ; Burst reached the threshold ("this number of attempts", so >= rather than >): flush now.
    if all [tries >= threshold not zero? length? log-data] [alert]
]
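The batching rule in the script (alert once a burst goes quiet for `delay` seconds, or as soon as `threshold` hits pile up) is the part worth getting right, and it is easiest to check offline. The following is an added example written for this page, not Ryan's code and not REBOL: a Python re-implementation of the same decoy-port idea with the alert logic separated from the sockets so it can be replayed against recorded hits. `Hit`, `ScanDetector`, `summarize`, `replay`, `listen_and_detect` and the `SAMPLE_HITS` data are all this example's own names; the sample events are constructed. It goes one step past the original by grouping each batch by source address, so an alert reads as "this IP touched these ports" instead of one line per connection.

```python
import select
import socket
import time
from dataclasses import dataclass


@dataclass
class Hit:
    """One accepted connection on a decoy port (names are this example's own)."""
    ts: float          # time of the connection, seconds
    remote_ip: str
    remote_port: int
    local_port: int    # the decoy port that was touched


class ScanDetector:
    """Batches hits so one alert covers a whole scan (the delay/threshold rule)."""

    def __init__(self, delay=10.0, threshold=10, alert=None):
        self.delay = delay            # quiet seconds before a batch is flushed
        self.threshold = threshold    # hits that force an immediate flush
        self.alert = alert            # callback taking the batch; None just records it
        self.pending = []
        self.alerts = []              # every flushed batch, kept for inspection
        self.last_hit = None

    def record(self, hit):
        self.pending.append(hit)
        self.last_hit = hit.ts
        if len(self.pending) >= self.threshold:
            self._flush()

    def tick(self, now):
        """Call on a timer (or before each new event): flush once the burst has gone quiet."""
        if self.pending and now - self.last_hit >= self.delay:
            self._flush()

    def _flush(self):
        batch, self.pending, self.last_hit = self.pending, [], None
        self.alerts.append(batch)
        if self.alert:
            self.alert(batch)


def summarize(batch):
    """Collapse a batch to {source ip: [decoy ports touched]} for the alert text."""
    by_ip = {}
    for h in batch:
        by_ip.setdefault(h.remote_ip, set()).add(h.local_port)
    return {ip: sorted(ports) for ip, ports in by_ip.items()}


def replay(hits, delay=10.0, threshold=10):
    """Run recorded hits (in time order) through the detector; returns the flushed batches."""
    det = ScanDetector(delay, threshold)
    for h in hits:
        det.tick(h.ts)      # did the previous burst go quiet before this hit arrived?
        det.record(h)
    if hits:
        det.tick(hits[-1].ts + delay)   # end of capture: the last burst has gone quiet
    return det.alerts


def listen_and_detect(ports, detector, run_seconds=None, bind_ip="0.0.0.0"):
    """Bind the decoy ports and feed every accepted connection to the detector.
    Ports below 1024 need privilege. Nothing is ever sent back, so a scanner only sees 'open'."""
    socks = []
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_ip, p))
        s.listen(5)
        s.setblocking(False)
        socks.append(s)
    deadline = None if run_seconds is None else time.time() + run_seconds
    try:
        while deadline is None or time.time() < deadline:
            ready, _, _ = select.select(socks, [], [], 1.0)   # 1 s poll so tick() keeps running
            for s in ready:
                conn, (ip, rport) = s.accept()
                conn.close()
                detector.record(Hit(time.time(), ip, rport, s.getsockname()[1]))
            detector.tick(time.time())
    finally:
        for s in socks:
            s.close()


# Constructed sample: a 5-port sweep, one unrelated hit 28 s later, then a 12-port burst.
SAMPLE_HITS = (
    [Hit(0.5 * i, "10.0.0.5", 40000 + i, p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [Hit(30.0, "192.0.2.7", 51234, 80)]
    + [Hit(31.0 + 0.1 * i, "10.0.0.5", 41000 + i, 1000 + i) for i in range(12)]
)

if __name__ == "__main__":
    for batch in replay(SAMPLE_HITS):
        print(summarize(batch))
```

Replaying the sample with the script's defaults (delay 10, threshold 10) produces three alerts: the five-port sweep flushed by the quiet period, then the lone 192.0.2.7 hit bundled with the first nine ports of the burst when the threshold trips, then the last three ports once the burst stops. That second batch is the trade-off the script makes: batching by time and count, not by source, so unrelated hosts can share an alert, which is why the summary groups by IP. To run it live, construct a detector with an `alert` callback that mails or appends `summarize(batch)`, and pass it to `listen_and_detect` with the decoy ports.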