watcher

Language: en

Version: 2007-05-02 (mandriva - 01/05/08)

Section: 1 (User commands)

NAME

Watcher -- Script to watch an argus server for scanning activity

SYNOPSIS

watcher <options>

"-i" Don't file incident reports (only useful if you are using UoA's incident logging system).

"-H" <hostname> Host running argus (default: $Argus::Host)

"-P" <port num> Port number that argus is listening on

"-W" <email address> Who to send mail to

"-F" <file name> Read from an argus file ....


DESCRIPTION

This software requires a connection via ra to an Argus-2.0 server.

This script attempts to detect systematic probing of addresses on a network, or of ports on a host, from another address.

To try and find the weak signal in all the network noise it focuses on TCP connections that did not get established and those that transfer no application data. We ignore various chaff, e.g. lone RST and SYN+ACK packets, which are generated by DoS attacks on third parties where our IP addresses were spoofed. I don't know of any tools that use such packets for information gathering.

The script also raises the reporting threshold for scans where the destination addresses appear random, since legitimate traffic can look similar: e.g. ICQ sessions involve hundreds of connections.

History

9th Jan 01 First distribution --- treat this as beta software; there is some very new code here. Over Xmas I inadvertently broke the code that wiped the 'memory' periodically and found that the scanner became much more sensitive --- what surprised me was that it kept running for a week before I killed it. At that time it was using about 50MB of memory. I have added code and a new parameter to control how many IP addresses the system will track. The list is purged periodically on a least recently seen basis.

The script is still under active development as I explore the new features of Argus 2.0.