03-18-2002
A possible solution is that while performing a single port scan you are getting a correct response from an "active" or open port.
Now under a full 65535 port scan you are pushing alot of packets! You hadn't stated your time frequency of datagram submittal...but with an educated guess......i'd say that you are pumping them out as quick as possible.
When a system is under a pretty heavy load...the stack gets a bit quirky. Thus the inconsistent recognitions.....i.e...a "filtered" state.
Especially when your only traversing a portion of your TCP/IP stack, and not the whole OSI model.
Have you reviewed RFC 793 (Transmission Control Protocol) for valid responses? I suggest capturing packets to verify your systems responses.
HTH.
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi,
Whenever I tried to run nmap on my linux (red hat 6.2) boxes i got these outputs:
4444/tcp filtered krb524
6666/tcp filtered irc-serv
6699/tcp filtered napster
8888/tcp filtered sun-answerbook
Can anybody please... (10 Replies)
Discussion started by: necro
10 Replies
2. Shell Programming and Scripting
Hi everyone!
I've temporarily come out of hibernation (and will be gone for about two weeks after this post too) to ask for input on a small PHP script I have just completed.
The script aims to be a remote front-end for Nmap - now for the safety of this post, I ask that any replies refrain from... (6 Replies)
Discussion started by: Karma
6 Replies
3. AIX
I'm trying to compile nmap 4.11 on an aix 5.2 machine and get the following error when attempting the 'make' command;
make
"Makefile", line 1: make: 1254-055 Dependency line needs colon or double colon operator.
"Makefile", line 14: make: 1254-055 Dependency line needs colon or double colon... (2 Replies)
Discussion started by: zuessh
2 Replies
4. Red Hat
Hi,
Is it possible to change the nmap port name: For eg:
21/tcp open ftp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
836/tcp open unknown
843/tcp open unknown
953/tcp open rndc
I need to change the port number 836 unknown to the name of the... (4 Replies)
Discussion started by: gsiva
4 Replies
5. Shell Programming and Scripting
So...
I'm trying to script and FTP Backup of some files from openVMS Alpha machine to a Unixware 7 machine.
I decided to use .netrc to do all the FTP actions however when I send the
nmap command. It pretty much gets ignored while even other things such "ascii", "case" etc.. get respected... (0 Replies)
Discussion started by: thesubmitter
0 Replies
6. Solaris
I 'm getting following error when i run nmap for an ip .. what could be the reason for it ?
#nmap 10.22.67.18
Starting Nmap 4.68 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2009-07-06 19:07 UTC
Warning: Unable to open interface e1000g3301000 -- skipping it.... (2 Replies)
Discussion started by: fugitive
2 Replies
7. Linux
Hi ,
I am exploring the nmap utility for Linux.
I know that, nmap binaries are specific to the platforms e.g. nmap binaries will be diferent for Windows , AIX , Solaris and Linux platforms.
Can anyone tell me , will the nmap binaries be different for different flavours of Linux such as... (1 Reply)
Discussion started by: jatin56
1 Replies
8. Cybersecurity
I'm seeing a persistent address showing up on my firewall router logs. The address is 10.98.115.9:67, and is broadcasting to 255.255.255.255. I know that this would typically signal a BOOTP service, such as a bootp server announcing itself on the network. But I can't isolate which machine it... (3 Replies)
Discussion started by: renoir611
3 Replies
9. Shell Programming and Scripting
Scripting language : Bash Shell Script
I have to create function in which read IP addresses one by one from one file (ip.txt) and scan these IP using nmap. (4 Replies)
Discussion started by: sk151993
4 Replies
10. Homework & Coursework Questions
Scripting language : Bash Shell Script
1. problem statement
I have to create function in which read IP addresses one by one from one file (iplist.txt) and scan these IP using nmap. This scan IP's output is saved in output.txt file and parse output.txt to save only open ports with particular IP... (3 Replies)
Discussion started by: sk151993
3 Replies
LEARN ABOUT DEBIAN
scanlogd
SCANLOGD(8) System Administration SCANLOGD(8)
NAME
scanlogd - detects and logs TCP port scans
SYNOPSIS
scanlogd
DESCRIPTION
scanlogd detects port scans and writes one line per scan via the syslog(3) mechanism. If a source address sends multiple packets to differ-
ent ports in a short time, the event will be logged. The format of the messages is:
saddr[:sport] to daddr [and others,] ports port[, port...], ..., flags[, TOS TOS][, TTL TTL] @HH:MM:SS
The fields in square brackets are optional; sport, TOS, and TTL will only be displayed if they were constant during the scan.
The flags field represents TCP control bits seen in packets coming to the system from the address of the scan. It is a combination of eight
characters, with each corresponding to one of the six defined and two reserved TCP control bits (see RFC 793). Control bits that were
always set are encoded with an uppercase letter, and a lowercase letter is used if the bit was always clear. A question mark is used to
indicate bits that changed from packet to packet.
INTERFACES
In order to do its job, scanlogd needs a way to obtain raw IP packets that either come to the system scanlogd is running on, or travel
across a network segment that is directly connected to the system. Current versions of scanlogd can be built with support for one of sev-
eral packet capture interfaces.
scanlogd is aware of the raw socket interface on Linux, libnids, and libpcap.
The use of libpcap alone is discouraged. If you're on a system other than Linux and/or want to monitor the traffic of an entire network at
once, you should be using libnids in order to handle fragmented IP packets.
COMPILE-TIME DEFAULTS
At least 7 different privileged or 21 non-privileged ports, or a weighted combination of those, have to be accessed with no longer than 3
seconds between the accesses to be treated as a scan. If more than 5 scans are detected within 20 seconds, that event will be logged and
logging will be stopped temporarily.
Logging is done with a facility of daemon and a priority level alert.
scanlogd should be started as root since it needs access to a packet capture interface. By default, it chroots to /var/empty and switches
to running as user scanlogd after the packet capture interface is initialized.
EXIT STATUS
If the daemon couldn't start up successfully, it will exit with a status of 1.
USAGE
You're expected to create a dummy user for scanlogd to run as. Make sure you allocate unique UID and GID to the user.
In most cases, scanlogd should be started from a rc.d script on system startup.
In /etc/syslog.conf you may use something like:
daemon.alert /var/log/alert
SECURITY NOTES
As the name indicates, scanlogd only logs port scans. It does not prevent them. You will only receive summarized information in the sys-
tem's log.
Obviously, the source address of port scans can be spoofed. Don't take any action against the source of attacks unless other evidence is
available. Sometimes IP addresses are shared between many people; this is the case for ISP shell servers, dynamic dialup pools, and corpo-
rate networks behind NAT (masquerading).
BUGS
Due to the nature of port scans, both false positives (detecting a scan when there isn't one) and false negatives (not detecting a scan
when there's one) are possible. In particular, false positives occur when many small files are transferred rapidly with passive mode FTP.
AUTHORS
Solar Designer <solar at openwall.com>
Steffen Dettmer <steffen at dett.de> wrote the initial version of this manual page.
SEE ALSO
syslog(3), syslog.conf(5), libnids(3), pcap(3)
scanlogd home page: http://www.openwall.com/scanlogd/
Phrack Magazine, issue 53, article 13
Openwall Project 2 June 2004 SCANLOGD(8)