scanlogd.8

.TH SCANLOGD 8 "2 June 2004" "Openwall Project" "System Administration"
.SH NAME
scanlogd \- detects and logs TCP port scans
.SH SYNOPSIS
.B scanlogd
.SH DESCRIPTION
.B scanlogd
detects port scans and writes one line per scan via the
.BR syslog (3)
mechanism.  If a source address sends multiple
packets to different ports in a short time, the event will be
logged.  The format of the messages is:
.LP
.BR saddr "[:" sport "] to " daddr " [and others,] ports " port "[, " port "...], ..., " flags "[, TOS " TOS "][, TTL " TTL "] @" HH:MM:SS
.PP
The fields in square brackets are optional;
.BR sport ", " TOS ", and " TTL
will only be displayed if they were constant during the scan.
.PP
The
.B flags
field represents TCP control bits seen in packets
coming to the system from the address of the scan.  It is a
combination of eight characters, with each corresponding to
one of the six defined and two reserved TCP control bits (see
RFC 793).  Control bits that were always set are encoded with an
uppercase letter, and a lowercase letter is used if the bit was
always clear.  A question mark is used to indicate bits that
changed from packet to packet.
.SH INTERFACES
In order to do its job,
.B scanlogd
needs a way to obtain raw IP packets that either come to the system
.B scanlogd
is running on, or travel across a network segment that is directly
connected to the system.  Current versions of
.B scanlogd
can be built with support for one of several packet capture interfaces.
.PP
.B scanlogd
is aware of the
.B raw socket
interface on Linux,
.BR libnids ,
and
.BR libpcap .
.PP
The use of
.B libpcap
alone is discouraged.  If you're on a system other than Linux and/or
want to monitor the traffic of an entire network at once, you should
be using
.B libnids
in order to handle fragmented IP packets.
.SH COMPILE-TIME DEFAULTS
At least 7 different privileged or 21 non-privileged ports, or a
weighted combination of those, have to be accessed with no longer
than 3 seconds between the accesses to be treated as a scan.
If more than 5 scans are detected within 20 seconds, that event
will be logged and logging will be stopped temporarily.
.PP
Logging is done with a facility of
.B daemon
and a priority level
.BR alert .
.PP
.B scanlogd
should be started as root since it needs access to a packet capture
interface.
By default, it chroots to
.I /var/empty
and switches to running as user
.B scanlogd
after the packet capture interface is initialized.
.SH EXIT STATUS
If the daemon couldn't start up successfully, it will exit with a
status of 1.
.SH USAGE
You're expected to create a dummy user for
.B scanlogd
to run as.  Make sure you allocate unique UID and GID to the user.
.PP
In most cases,
.B scanlogd
should be started from a rc.d script on system startup.
.PP
In /etc/syslog.conf you may use something like:
.PP
daemon.alert	/var/log/alert
.SH SECURITY NOTES
As the name indicates,
.B scanlogd
only logs port scans.
.B It does not prevent them.
You will only receive summarized information in the system's log.
.PP
Obviously, the source address of port scans can be spoofed.
.B Don't take any action against the source of attacks
.B unless other evidence is available.
Sometimes IP addresses are shared between many people; this is the
case for ISP shell servers, dynamic dialup pools, and corporate
networks behind NAT (masquerading).
.SH BUGS
Due to the nature of port scans, both false positives (detecting a
scan when there isn't one) and false negatives (not detecting a scan
when there's one) are possible.  In particular, false positives occur
when many small files are transferred rapidly with passive mode FTP.
.SH AUTHORS
.nf
Solar Designer <solar at openwall.com>
.fi
Steffen Dettmer <steffen at dett.de>
wrote the initial version of this manual page.
.SH SEE ALSO
.BR syslog (3),
.BR syslog.conf (5),
.BR libnids (3),
.BR pcap (3)
.nf
.BR scanlogd " home page: http://www.openwall.com/scanlogd/"
.BR "Phrack Magazine" ", issue 53, article 13"