Is it possible to add a feature for counting unique scanned hosts and calculating the DL based on it as well? I routed traffic for currently unused IP addresses to the server with psad installed. And I see a lot of scanning of my hosts for open ports, or attempts to exploit some vulnerability on a number of hosts. Even in syslog the enumeration is clearly visible. I'd like to find and block such activity, but psad simply skips it with DL=1, because every destination host receives only a few packets.

Thanks for the suggestion - I will take a look at this as soon as I can. I'll send you a -pre release for testing once I have an initial implementation.

psad-2.4.5-pre1 has been released; it implements proper port sweep detection according to the following ChangeLog entry:

- Added proper port sweep detection based on a single port being probed
across a configurable number of destination hosts. The number of
destinations is controlled by the following new configuration variables
(and associated defaults) in the psad.conf file:

DL1_UNIQUE_HOSTS 10;
DL2_UNIQUE_HOSTS 20;
DL3_UNIQUE_HOSTS 50;
DL4_UNIQUE_HOSTS 100;
DL5_UNIQUE_HOSTS 500;

This was implemented in dcd29a75d1bf38a0dd24640150eb953d9a68cc21

This has been added in psad-2.4.5 (just released).

Closed: askoriy closed this issue 7 years ago.
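As an added illustration (not psad's own Perl code), the following Python sketch shows the kind of counting the ChangeLog entry above describes: it parses the SRC/DST/PROTO/DPT fields of iptables log lines, counts distinct destination hosts per source IP and destination port, and maps that count to a danger level using the DLx_UNIQUE_HOSTS defaults quoted in the thread. The log lines are constructed, and the function names and the "highest threshold met" rule are assumptions rather than psad's actual implementation.

```python
import re
from collections import defaultdict

# Default thresholds from the psad-2.4.5 ChangeLog: a single destination port
# probed across at least this many unique destination hosts reaches that DL.
DL_UNIQUE_HOSTS = {1: 10, 2: 20, 3: 50, 4: 100, 5: 500}

# Constructed iptables log lines in the form psad reads from syslog (MAC/LEN/TTL
# fields omitted); addresses come from documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.{i} PROTO=TCP SPT=41000 DPT=22 SYN"
     for i in range(1, 24)]          # one SYN to port 22 on 23 different hosts
    + [f"kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.{i} PROTO=TCP SPT=41001 DPT=445 SYN"
       for i in range(1, 8)]         # port 445 on 7 hosts: below DL1
    + ["kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=5000 DPT=80 SYN",
       "kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=5001 DPT=443 SYN"]
)

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def sweep_table(log_text):
    """Map (src, proto, dpt) -> set of distinct destination hosts hit on that port."""
    table = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # lines without the iptables fields (other syslog noise) are ignored
            table[(m["src"], m["proto"], int(m["dpt"]))].add(m["dst"])
    return table


def sweep_danger_level(unique_hosts, thresholds=DL_UNIQUE_HOSTS):
    """Highest DL whose unique-host threshold is met; 0 when below DL1 (assumed rule)."""
    return max((dl for dl, n in thresholds.items() if unique_hosts >= n), default=0)


def sweep_report(log_text, thresholds=DL_UNIQUE_HOSTS):
    """Per source: (DL, proto, port, unique hosts) for its worst single-port sweep."""
    report = {}
    for (src, proto, dpt), hosts in sweep_table(log_text).items():
        dl = sweep_danger_level(len(hosts), thresholds)
        if src not in report or dl > report[src][0]:
            report[src] = (dl, proto, dpt, len(hosts))
    return report


if __name__ == "__main__":
    for src, (dl, proto, dpt, n) in sweep_report(SAMPLE_LOG).items():
        print(f"{src}: DL{dl} sweep of {proto}/{dpt} across {n} hosts")
```

Note that the sweeping source sends only one packet per destination host, which is exactly the pattern a per-host count would miss; the per-port unique-host count is what lifts it to DL2 here.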