Portscan detection

Peter Van Epp vanepp at sfu.ca
Wed Aug 16 10:51:09 EDT 2006


On Wed, Aug 16, 2006 at 03:33:15PM +0200, Torbjorn.Wictorin at its.uu.se wrote:
> hello,
> 
> this maybe is a little off-topic for this list but is there any portscan 
> detector for processing argus data?
> 
> Torbjörn Wictorin

	Russell's watcher perl scripts should be in the contrib directory 
(although I see that isn't true so far in the 3.0 rc series). And my traffic
perl scripts available from ftp.sfu.ca in 

/pub/unix/argus/argus.traffic.perl.tar.gz 

also have port scan detection which looks like this:
	(the lead one is a Skype super node, the next two P2P file sharing).

Our hosts scanning:

    xxx.yy.z.184            280,646            243,388
    yyy.xx.aa.14             83,401             51,444
   xxx.aa.bb.193             59,688             46,080
...


Outside hosts scanning:

  204.16.208.243            129,688                  0
    60.11.125.36            119,720                  0
   142.59.94.231             76,540              3,358
  222.242.104.40             70,190                145
    64.251.16.12             68,391              3,328
   194.236.47.12             65,561                781
...

	Where the first number is host port pairs (some double counting going
on so higher than is correct) and the second counts hosts that responded. At
some point I'll complete an upgrade of these but not yet ...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
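As an added example (not Peter's traffic scripts and not from this thread), the tally below reproduces the shape of the report above: per source address, the number of distinct destination host/port pairs touched and the number of destination hosts that answered, split into inside and outside sources. It assumes a constructed whitespace-separated flow listing with the columns proto saddr sport daddr dport state, that a state of REQ means the destination never replied, and that 10.0.0.0/8 is the site's own prefix.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows, not real argus output. Columns:
# proto saddr sport daddr dport state
FLOWS = """\
tcp 10.0.0.184 40001 198.51.100.7 22 REQ
tcp 10.0.0.184 40002 198.51.100.7 80 CON
tcp 10.0.0.184 40003 198.51.100.8 22 REQ
tcp 10.0.0.184 40003 198.51.100.8 22 REQ
tcp 10.0.0.184 40004 198.51.100.9 445 RST
tcp 203.0.113.5 51000 10.0.0.20 22 REQ
tcp 203.0.113.5 51001 10.0.0.21 22 REQ
tcp 203.0.113.5 51002 10.0.0.22 22 CON
udp 10.0.0.50 5353 10.0.0.255 5353 REQ
"""

LOCAL = ip_network("10.0.0.0/8")  # assumed site prefix


def tally(text, local=LOCAL, min_pairs=1):
    """Return {'inside': rows, 'outside': rows}, each row being
    (saddr, distinct host/port pairs, distinct hosts that answered),
    sorted by pair count. Sets are used so a repeated flow to the
    same host/port is counted once (no double counting)."""
    pairs = defaultdict(set)       # saddr -> {(daddr, dport)}
    responders = defaultdict(set)  # saddr -> {daddr that replied}
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, saddr, sport, daddr, dport, state = line.split()
        pairs[saddr].add((daddr, dport))
        if state != "REQ":         # assumption: anything but REQ is a reply
            responders[saddr].add(daddr)
    inside, outside = [], []
    for saddr, targets in pairs.items():
        if len(targets) < min_pairs:
            continue
        row = (saddr, len(targets), len(responders[saddr]))
        (inside if ip_address(saddr) in local else outside).append(row)
    inside.sort(key=lambda r: -r[1])
    outside.sort(key=lambda r: -r[1])
    return {"inside": inside, "outside": outside}


if __name__ == "__main__":
    out = tally(FLOWS)
    for title, rows in (("Our hosts scanning:", out["inside"]),
                        ("Outside hosts scanning:", out["outside"])):
        print(title)
        for saddr, n, r in rows:
            print(f"{saddr:>18} {n:>12,} {r:>12,}")
```

Raising min_pairs to the threshold a site considers suspicious keeps ordinary hosts out of the listing; a high pair count with few or no responders is the pattern the report above is surfacing.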


