Subject: [linux-security] New Program: Abacus Sentry - Port Scan Detector
Resent-Date: 6 Dec 1997 21:59:38 -0000
Resent-From: linux-security@redhat.com
From: "Craig H. Rowland"

Hello,

I just made available a beta version of a port scan detector that I've
been working on. The program, called Abacus Sentry, is a port scan/probe
detector that offers what I think are a number of unique and useful
features:

- Runs on TCP or UDP sockets. Configurable by the user to bind to
multiple sockets for increased detection coverage.

- Adjustable scan detection value with "state" engine to track past host
connections and alarm when a threshold of connections is passed.

- The ability to react to a port sweep in real time. Abacus Sentry will
take any of the following actions when a port sweep is detected:

        - Add the target host to the local Linux filter list using
          ipfwadm.

        - Drop the route to the target host via the route command.

        - Add the target host to the local TCP wrappers hosts.deny file.

        - Execute an external program.

        - Fully log the attacking host IP and port numbers to syslog.

- Uses essentially zero system resources when running.

- It's Free.


The software was developed on Linux, but uses code that is portable to
many platforms. It has been tested on Linux, BSDI, and should compile on
most BSD variants. I have personally tested it on Solaris 2.5.1, but there
is a mod you need to make because of the use of snprintf's within the
code (I will include a snprintf function in later releases).

The code is currently in Beta and is version 0.08 at the time of this
writing. The code is available for testing now and I'm especially looking
for code reviews and suggestions to improve it.

You can find the program at:

http://www.psionic.com/abacus/abacus_sentry.html

Thanks,


-- Craig

http://www.psionic.com



Here is the configuration file to give you the idea of the options
available:



# Abacus Sentry Configuration
#
# $Id: abacus_sentry.conf,v 1.8 1997/12/05 07:31:38 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
# Be sure your DEAD_ROUTE points to a local subnet address that is dead.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,2000,2001,4000,4001,6000,6001,6667,32771,32772,32773,32774,31337"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,119,143,540,2000,6000,6667,31337,32771,32772,32773,32774"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,143,540,2000,6000,32771,32772,32773,32774"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774"

######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/abacus/abacus_sentry.ignore"
# Hosts that have been denied
BLOCKED_FILE="/usr/local/abacus/abacus_sentry.blocked"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected.
#
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# If you are going to use the route command to do this you MUST
# MAKE SURE THE GATEWAY IS A DEAD HOST (333.444.555.666) on the
# local network or you may get bizarre results on the local segment.

# Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Generic BSD (BSDI)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# If you want both (why?) then add this command to the KILL_RUN_CMD
# section. This I think is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"


###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (ping of death, winnuke, death threat, etc.), but
# use this with caution. This command is executed before the route is
# dropped to ensure that your "package" is delivered whatever that may
# be. It is disabled by default.
#
#KILL_RUN_CMD="/some/path/here/ping_of_death $TARGET$"


#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified.
#
SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the Sentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** Administrators alerted to your connection. Go Away."


# EOF
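Added example (editor's code, not Craig's post or the Abacus Sentry source): a small Python model of the mechanism the announcement and the configuration above describe, so the moving parts can be seen working together. It parses the KEY="value" conf format (rejecting spaces inside port lists, as the conf header insists), keeps a per-host state table with the SCAN_TRIGGER semantics given in the conf (0 alarms on the first connect, N allows N connects first), binds listening TCP sockets, fires one alarm per host, and renders the KILL_* responses with $TARGET$ substituted in the order the conf describes (external command before the route drop). How the real program counts connections is an assumption, as are the function names and the constructed sample conf, ignore list and banner. The responses are rendered and passed to a callback rather than executed, and the target is checked to be a plain IP address first, since $TARGET$ is spliced into shell command lines.

```python
import ipaddress
import re
import socket
import threading
from collections import defaultdict
# Constructed sample in the abacus_sentry.conf format above (not the real file).
SAMPLE_CONF = '''
# Port lists: no spaces between entries; every value in quotes
TCP_PORTS="1,11,15,79,119"
SCAN_TRIGGER="2"
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
KILL_HOSTS_DENY="ALL: $TARGET$"
#KILL_RUN_CMD="/some/path/here/notify_admin $TARGET$"
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED ** Administrators alerted."
'''

def parse_conf(text):
    """Read KEY="value" lines; comments and blanks are skipped, unquoted values rejected."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.fullmatch(r'([A-Z_]+)="([^"]*)"', line)
        if not m:
            raise ValueError(f'line {lineno}: expected KEY="value", got {raw!r}')
        conf[m.group(1)] = m.group(2)
    return conf

def parse_ports(value):
    """Comma-separated port list; a space between entries is an error, as the conf warns."""
    if ' ' in value:
        raise ValueError('no spaces allowed between port arguments')
    return [int(p) for p in value.split(',')]

class ScanState:
    """Per-source-host connect counter (assumed model): alarm once the count exceeds
    SCAN_TRIGGER; record() returns True exactly once per host, on the crossing connect."""
    def __init__(self, trigger, ignore=()):
        self.trigger, self.ignore = int(trigger), set(ignore)   # ignore: the IGNORE_FILE hosts
        self.hits, self.blocked = defaultdict(int), set()
        self.lock = threading.Lock()                            # one state shared by all listeners

    def record(self, host, proto, port):
        with self.lock:
            if host in self.ignore or host in self.blocked:
                return False
            self.hits[host] += 1
            if self.hits[host] > self.trigger:
                self.blocked.add(host)
                return True
            return False

def build_responses(conf, target):
    """Render the responses with $TARGET$ filled in, command first; returned, never executed."""
    target = str(ipaddress.ip_address(target))  # only a plain IP may be spliced into a command line
    keys = ('KILL_RUN_CMD', 'KILL_ROUTE', 'KILL_HOSTS_DENY')
    return [(k, conf[k].replace('$TARGET$', target)) for k in keys if k in conf]

def serve_tcp(sock, port, state, conf, on_alarm):
    """Accept loop for one port; the alarm callback runs before the peer sees EOF."""
    while True:
        try:
            conn, (host, _) = sock.accept()
        except OSError:
            return  # listener shut down
        try:
            with conn:
                if state.record(host, 'tcp', port):
                    on_alarm(host, 'tcp', port, build_responses(conf, host))
                if conf.get('PORT_BANNER'):
                    conn.sendall(conf['PORT_BANNER'].encode() + b'\r\n')
        except OSError:
            pass  # peer went away mid-banner; keep serving

def start_listeners(ports, state, conf, on_alarm, bind_addr='127.0.0.1'):
    """Bind each TCP port (0 lets the OS choose, handy for tests) and serve it in a daemon thread."""
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_addr, port))
        s.listen(5)
        threading.Thread(target=serve_tcp, daemon=True,
                         args=(s, s.getsockname()[1], state, conf, on_alarm)).start()
        socks.append(s)
    return socks

def stop_listeners(socks):
    for s in socks:
        try:
            s.shutdown(socket.SHUT_RDWR)  # wakes the thread blocked in accept()
        except OSError:
            pass
        s.close()

def tcp_connect_once(port, host='127.0.0.1'):
    """Test helper: one connect to a local listener, reading the banner until EOF."""
    with socket.create_connection((host, port), timeout=5) as c:
        return b''.join(iter(lambda: c.recv(1024), b''))
```

To drive it: parse_conf(SAMPLE_CONF), then start_listeners([0, 0, 0], ...) on ephemeral ports (binding the real low ports from TCP_PORTS needs root), then tcp_connect_once() against each; with SCAN_TRIGGER="2" the third connect crosses the threshold and the callback receives the rendered responses once, after which the host is marked blocked and later connects are ignored. UDP coverage would be the same record() call made from a recvfrom loop.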



--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

Last-modified: Fri, 26 Jul 2002 06:23:37 GMT