head	1.1;
branch	1.1.1;
access;
symbols
	RELENG_8_4:1.1.1.2.0.80
	RELENG_9_1_0_RELEASE:1.1.1.2
	RELENG_9_1:1.1.1.2.0.78
	RELENG_9_1_BP:1.1.1.2
	RELENG_8_3_0_RELEASE:1.1.1.2
	RELENG_8_3:1.1.1.2.0.76
	RELENG_8_3_BP:1.1.1.2
	RELENG_9_0_0_RELEASE:1.1.1.2
	RELENG_9_0:1.1.1.2.0.74
	RELENG_9_0_BP:1.1.1.2
	RELENG_9:1.1.1.2.0.72
	RELENG_9_BP:1.1.1.2
	RELENG_7_4_0_RELEASE:1.1.1.2
	RELENG_8_2_0_RELEASE:1.1.1.2
	RELENG_7_4:1.1.1.2.0.70
	RELENG_7_4_BP:1.1.1.2
	RELENG_8_2:1.1.1.2.0.68
	RELENG_8_2_BP:1.1.1.2
	RELENG_8_1_0_RELEASE:1.1.1.2
	RELENG_8_1:1.1.1.2.0.66
	RELENG_8_1_BP:1.1.1.2
	RELENG_7_3_0_RELEASE:1.1.1.2
	RELENG_7_3:1.1.1.2.0.64
	RELENG_7_3_BP:1.1.1.2
	RELENG_8_0_0_RELEASE:1.1.1.2
	RELENG_8_0:1.1.1.2.0.62
	RELENG_8_0_BP:1.1.1.2
	RELENG_8:1.1.1.2.0.60
	RELENG_8_BP:1.1.1.2
	RELENG_7_2_0_RELEASE:1.1.1.2
	RELENG_7_2:1.1.1.2.0.58
	RELENG_7_2_BP:1.1.1.2
	RELENG_7_1_0_RELEASE:1.1.1.2
	RELENG_6_4_0_RELEASE:1.1.1.2
	RELENG_7_1:1.1.1.2.0.56
	RELENG_7_1_BP:1.1.1.2
	RELENG_6_4:1.1.1.2.0.54
	RELENG_6_4_BP:1.1.1.2
	RELENG_7_0_0_RELEASE:1.1.1.2
	RELENG_6_3_0_RELEASE:1.1.1.2
	RELENG_7_0:1.1.1.2.0.52
	RELENG_7_0_BP:1.1.1.2
	RELENG_6_3:1.1.1.2.0.50
	RELENG_6_3_BP:1.1.1.2
	v4-1-28:1.1.1.2
	RELENG_7:1.1.1.2.0.48
	RELENG_7_BP:1.1.1.2
	v4-1-23:1.1.1.2
	RELENG_6_2_0_RELEASE:1.1.1.2
	RELENG_6_2:1.1.1.2.0.46
	RELENG_6_2_BP:1.1.1.2
	v4-1-13:1.1.1.2
	RELENG_5_5_0_RELEASE:1.1.1.2
	RELENG_5_5:1.1.1.2.0.44
	RELENG_5_5_BP:1.1.1.2
	RELENG_6_1_0_RELEASE:1.1.1.2
	RELENG_6_1:1.1.1.2.0.42
	RELENG_6_1_BP:1.1.1.2
	v4-1-10:1.1.1.2
	RELENG_6_0_0_RELEASE:1.1.1.2
	RELENG_6_0:1.1.1.2.0.40
	RELENG_6_0_BP:1.1.1.2
	RELENG_6:1.1.1.2.0.38
	RELENG_6_BP:1.1.1.2
	RELENG_5_4_0_RELEASE:1.1.1.2
	v4-1-8:1.1.1.2
	RELENG_5_4:1.1.1.2.0.36
	RELENG_5_4_BP:1.1.1.2
	RELENG_4_11_0_RELEASE:1.1.1.2
	RELENG_4_11:1.1.1.2.0.34
	RELENG_4_11_BP:1.1.1.2
	RELENG_5_3_0_RELEASE:1.1.1.2
	RELENG_5_3:1.1.1.2.0.32
	RELENG_5_3_BP:1.1.1.2
	RELENG_5:1.1.1.2.0.30
	RELENG_5_BP:1.1.1.2
	v3-4-35:1.1.1.2
	RELENG_4_10_0_RELEASE:1.1.1.2
	RELENG_4_10:1.1.1.2.0.28
	RELENG_4_10_BP:1.1.1.2
	RELENG_5_2_1_RELEASE:1.1.1.2
	RELENG_5_2_0_RELEASE:1.1.1.2
	RELENG_5_2:1.1.1.2.0.26
	RELENG_5_2_BP:1.1.1.2
	RELENG_4_9_0_RELEASE:1.1.1.2
	RELENG_4_9:1.1.1.2.0.24
	RELENG_4_9_BP:1.1.1.2
	RELENG_5_1_0_RELEASE:1.1.1.2
	RELENG_5_1:1.1.1.2.0.22
	RELENG_5_1_BP:1.1.1.2
	RELENG_4_8_0_RELEASE:1.1.1.2
	RELENG_4_8:1.1.1.2.0.20
	RELENG_4_8_BP:1.1.1.2
	v3-4-31:1.1.1.2
	RELENG_5_0_0_RELEASE:1.1.1.2
	RELENG_5_0:1.1.1.2.0.18
	RELENG_5_0_BP:1.1.1.2
	RELENG_4_7_0_RELEASE:1.1.1.2
	RELENG_4_7:1.1.1.2.0.16
	RELENG_4_7_BP:1.1.1.2
	v3-4-29:1.1.1.2
	RELENG_4_6_2_RELEASE:1.1.1.2
	RELENG_4_6_1_RELEASE:1.1.1.2
	RELENG_4_6_0_RELEASE:1.1.1.2
	v3-4-28:1.1.1.2
	RELENG_4_6:1.1.1.2.0.14
	RELENG_4_6_BP:1.1.1.2
	v3-4-27:1.1.1.2
	v3-4-26:1.1.1.2
	v3-4-25:1.1.1.2
	RELENG_4_5_0_RELEASE:1.1.1.2
	RELENG_4_5:1.1.1.2.0.12
	RELENG_4_5_BP:1.1.1.2
	RELENG_4_4_0_RELEASE:1.1.1.2
	RELENG_4_4:1.1.1.2.0.10
	RELENG_4_4_BP:1.1.1.2
	v3-4-20:1.1.1.2
	RELENG_4_3_0_RELEASE:1.1.1.2
	RELENG_4_3:1.1.1.2.0.8
	RELENG_4_3_BP:1.1.1.2
	v3-4-16:1.1.1.2
	rev:1.1.1.2
	RELENG_4_2_0_RELEASE:1.1.1.2
	v3-4-13:1.1.1.2
	v3-4-12:1.1.1.2
	RELENG_4_1_1_RELEASE:1.1.1.2
	PRE_SMPNG:1.1.1.2
	v3-4-9:1.1.1.2
	RELENG_4_1_0_RELEASE:1.1.1.2
	v3-4-8:1.1.1.2
	RELENG_3_5_0_RELEASE:1.1.1.2
	v3_4_4:1.1.1.2
	RELENG_4_0_0_RELEASE:1.1.1.2
	RELENG_4:1.1.1.2.0.6
	RELENG_4_BP:1.1.1.2
	v3_3_8:1.1.1.2
	v3_3_6:1.1.1.2
	RELENG_3_4_0_RELEASE:1.1.1.2
	v3_3_3:1.1.1.2
	RELENG_3_3_0_RELEASE:1.1.1.2
	RELENG_3_2_PAO:1.1.1.2.0.4
	RELENG_3_2_PAO_BP:1.1.1.2
	RELENG_3_2_0_RELEASE:1.1.1.2
	RELENG_3_1_0_RELEASE:1.1.1.2
	RELENG_3:1.1.1.2.0.2
	RELENG_3_BP:1.1.1.2
	RELENG_3_0_0_RELEASE:1.1.1.2
	v3_2_7:1.1.1.2
	v3_2_3:1.1.1.1
	v3_2_1:1.1.1.1
	v3-2-a7:1.1.1.1
	V3_2_A4:1.1.1.1
	ipfilter3_1_8:1.1.1.1
	DARRENR:1.1.1
	ipfilter3_1_7:1.1.1.1
	DARRENREED:1.1.1;
locks; strict;
comment	@# @;


1.1
date	97.02.09.22.50.00;	author darrenr;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	97.02.09.22.50.00;	author darrenr;	state Exp;
branches;
next	1.1.1.2;

1.1.1.2
date	98.06.20.18.28.49;	author peter;	state Exp;
branches
	1.1.1.2.80.1;
next	;

1.1.1.2.80.1
date	98.06.20.18.28.49;	author svnexp;	state dead;
branches;
next	1.1.1.2.80.2;

1.1.1.2.80.2
date	2013.03.28.13.01.20;	author svnexp;	state Exp;
branches;
next	;


desc
@@


1.1
log
@Initial revision
@
text
@
IP Scan Detector.
-----------------

This program is designed to be a passive listener for TCP packets sent to
the host.  It does not exercise the promiscuous mode of interfaces.  For
routing Unix boxes (and firewalls which route/proxy) this is sufficient to
detect all packets going to/through them.

Upon compiling, a predefined set of "sensitive" ports is configured into
the program.  Any TCP packets which are seen sent to these ports are counted
and the IP# of the sending host is recorded, along with the time of the first
packet to that port for that IP#.

After a given number of "hits", it will write the current table of packets
out to disk.  This number defaults to 10,000.

To analyze the information written to disk, a sample program called "ipsdr"
is used (it should, but doesn't, implement a tree algorithm for storing data)
which reads all log files it recognises and totals up the number of ports
each host hit.  By default, all ports have the same weighting (1).  Another
group of passes is then made over this table using a netmask of 0xfffffffe,
grouping all results which fall under the same resulting IP#.  This netmask
is then shrunk back to 0, with an output given for each level.  This is aimed
at detecting port scans done from different hosts on the same subnet (although
I've not seen this done, if one was trying to do it obscurely...)

Lastly, being passive means that no action is taken to stop port scans being
done or discourage them.

Darren
darrenr@@cyber.com.au
@


1.1.1.1
log
@Import IP Filter v3.1.7 into FreeBSD tree
@
text
@@


1.1.1.2
log
@Import trimmed version of ipfilter 3.2.7.

Obtained from:  Darren Reed via http://cheops.anu.edu.au/~avalon/
@
text
@d32 1
a32 1
darrenr@@pobox.com
@


1.1.1.2.80.1
log
@file README was added on branch RELENG_8_4 on 2013-03-28 13:01:20 +0000
@
text
@d1 32
@


1.1.1.2.80.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 32

IP Scan Detector.
-----------------

This program is designed to be a passive listener for TCP packets sent to
the host.  It does not exercise the promiscuous mode of interfaces.  For
routing Unix boxes (and firewalls which route/proxy) this is sufficient to
detect all packets going to/through them.

Upon compiling, a predefined set of "sensitive" ports is configured into
the program.  Any TCP packets which are seen sent to these ports are counted
and the IP# of the sending host is recorded, along with the time of the first
packet to that port for that IP#.

After a given number of "hits", it will write the current table of packets
out to disk.  This number defaults to 10,000.

To analyze the information written to disk, a sample program called "ipsdr"
is used (it should, but doesn't, implement a tree algorithm for storing data)
which reads all log files it recognises and totals up the number of ports
each host hit.  By default, all ports have the same weighting (1).  Another
group of passes is then made over this table using a netmask of 0xfffffffe,
grouping all results which fall under the same resulting IP#.  This netmask
is then shrunk back to 0, with an output given for each level.  This is aimed
at detecting port scans done from different hosts on the same subnet (although
I've not seen this done, if one was trying to do it obscurely...)

Lastly, being passive means that no action is taken to stop port scans being
done or discourage them.

Darren
darrenr@@pobox.com
@


