puniaze / PortDog

GNU General Public License v2.0

Running the script #5

Open DanielSpring opened 6 years ago

DanielSpring commented 6 years ago

Hello,

I have just come across your anomaly port scanning detector; this is something I was looking for. What makes this an anomaly port scan detector, or is this just a standard port scanning detector similar to Snort?

Regards Daniel

puniaze commented 6 years ago

It is not based on signature-based detection; rather, it uses the exchanged TCP packet bits (SYN, ACK, PSH, URG, FIN and so on) for detecting anomalies. If a source host interacts with a destination in an abnormal way, like sending too many 3-way handshakes to lots of ports in a limited timeframe, then it will be marked as a full TCP port scan. Almost all scan techniques were detected accurately by this tool at the time of its development.

DanielSpring commented 6 years ago

Thanks for getting back to me, much appreciated. Was this your final-year dissertation project or just a side project?

Also, you mentioned you wanted to add some firewall functionality; would it be possible to add the source IP address to the iptables blacklist, quickly terminate the connection to the current port and prevent further scanning?
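The following is an added example, not PortDog's own code, illustrating two things from this thread: the flag-based heuristic puniaze describes (tracking SYN/SYN-ACK/ACK/RST/FIN/PSH/URG exchanges per host and flagging a source that reaches too many ports in a short window, labelled by how the probes looked) and, for DanielSpring's firewall question, the iptables rule a blacklist hook could emit for the offending source. The packets, the 5-second window, the 4-port threshold, the `kind` labels and the helper names are all assumptions made for this illustration; the rule is returned as a command list and not executed.

```python
# Added example (not PortDog's code): a TCP-flag-based port-scan heuristic
# plus the iptables blacklist rule a detection could hand to a firewall hook.
from collections import Counter, defaultdict

WINDOW_SECONDS = 5.0   # assumed: time frame in which probes are counted
PORT_THRESHOLD = 4     # assumed: distinct ports in that frame that mean "scan"

# Readable labels for the probe kinds the classifier produces (assumed names).
SCAN_NAMES = {"connect": "full TCP connect scan", "syn": "SYN (half-open) scan",
              "null": "NULL scan", "fin": "FIN scan", "xmas": "Xmas scan"}


def classify_probes(packets):
    """Replay packets and return {source: [(ts, dst, port, kind), ...]}.

    A packet is (ts, src, dst, sport, dport, flags); flags is a string of
    tcpdump-style letters: S=SYN A=ACK F=FIN R=RST P=PSH U=URG, "" = NULL.
    Handshake state is tracked per (client, server, server_port).
    """
    state, events = {}, defaultdict(list)
    for ts, src, dst, sport, dport, flags in sorted(packets):
        s = set(flags)
        fwd = (src, dst, dport)   # this packet read as client -> server
        rev = (dst, src, sport)   # this packet read as server -> client
        if s == {"S"}:                       # client opens a handshake
            state[fwd] = "syn"
        elif s == {"S", "A"}:                # server answers on an open port
            if state.get(rev) == "syn":
                state[rev] = "synack"
        elif s == {"A"} and state.get(fwd) == "synack":
            state[fwd] = "open"              # third packet: full connection
            events[src].append((ts, dst, dport, "connect"))
        elif "R" in s:
            if state.get(fwd) == "synack":   # client aborts after SYN-ACK:
                state[fwd] = "reset"         # the classic half-open probe
                events[src].append((ts, dst, dport, "syn"))
            if state.get(rev) == "syn":      # server refuses a bare SYN: a
                state[rev] = "closed"        # closed port, charged to the client
                events[dst].append((ts, src, sport, "syn"))
        elif "S" not in s and "A" not in s:  # neither SYN nor ACK: stealth probe
            kind = {frozenset(): "null", frozenset("F"): "fin",
                    frozenset("FPU"): "xmas"}.get(frozenset(s), "other")
            events[src].append((ts, dst, dport, kind))
    return events


def detect_scans(packets, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {source: (label, distinct_ports)} for sources whose probes hit
    at least `threshold` distinct ports inside any `window`-second span."""
    alerts = {}
    for src, evs in classify_probes(packets).items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {(dst, port) for _, dst, port, _ in in_window}
            if len(ports) >= threshold:
                kind = Counter(e[3] for e in in_window).most_common(1)[0][0]
                alerts[src] = (SCAN_NAMES.get(kind, kind), len(ports))
                break
    return alerts


def iptables_drop_rule(src_ip):
    """Blacklist command for a scanning source (returned, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", src_ip, "-j", "DROP"]


# --- constructed sample traffic (c=client, s=server) --------------------------
def _connect(ts, c, s, cport, port):          # full three-way handshake
    return [(ts, c, s, cport, port, "S"), (ts + .01, s, c, port, cport, "SA"),
            (ts + .02, c, s, cport, port, "A")]

def _syn_open(ts, c, s, cport, port):         # SYN, SYN-ACK, client RST
    return [(ts, c, s, cport, port, "S"), (ts + .01, s, c, port, cport, "SA"),
            (ts + .02, c, s, cport, port, "R")]

def _syn_closed(ts, c, s, cport, port):       # SYN answered by server RST-ACK
    return [(ts, c, s, cport, port, "S"), (ts + .01, s, c, port, cport, "RA")]

SERVER = "10.0.0.10"
SAMPLE_PACKETS = (
    _connect(100.0, "10.0.0.5", SERVER, 40001, 22)      # connect scan: four
    + _connect(100.5, "10.0.0.5", SERVER, 40002, 80)    # handshakes in 1.5 s
    + _connect(101.0, "10.0.0.5", SERVER, 40003, 443)
    + _connect(101.5, "10.0.0.5", SERVER, 40004, 8080)
    + _syn_open(200.0, "10.0.0.6", SERVER, 41001, 22)   # SYN scan: two open,
    + _syn_open(200.1, "10.0.0.6", SERVER, 41002, 80)   # three closed ports
    + _syn_closed(200.2, "10.0.0.6", SERVER, 41003, 21)
    + _syn_closed(200.3, "10.0.0.6", SERVER, 41004, 25)
    + _syn_closed(200.4, "10.0.0.6", SERVER, 41005, 3306)
    + [(300.0 + i / 10, "10.0.0.8", SERVER, 42000, p, "FPU")  # Xmas probes
       for i, p in enumerate((21, 22, 23, 25, 80))]
    + _connect(400.0, "10.0.0.7", SERVER, 50000, 80)    # one real session:
    + [(400.5, "10.0.0.7", SERVER, 50000, 80, "PA"),    # data both ways,
       (400.6, SERVER, "10.0.0.7", 80, 50000, "PA"),    # then a clean close
       (401.0, "10.0.0.7", SERVER, 50000, 80, "FA")]
)

if __name__ == "__main__":
    for src, (label, n) in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {label} ({n} ports) -> {' '.join(iptables_drop_rule(src))}")
```

Note that a SYN refused by the server looks the same whether the scanner intended a connect scan or a half-open scan, so closed-port probes are all counted under "syn" and the label reflects the most common probe kind in the window; the legitimate client 10.0.0.7, which completes one handshake and exchanges data, never reaches the threshold.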