Rechercher une page de manuel
watcher
Langue: en
Version: 2007-05-02 (mandriva - 01/05/08)
Section: 1 (Commandes utilisateur)
Sommaire
NAME
Watcher -- Script to watch an argus server for scanning activitySYNOPSIS
watcher <options>"-i" Don't file incident reports (only useful if you are using UoA's incident logging system).
"-H" <hostname> Host runnning argus default ``$Argus::Host''
"-P" <port num> port number to that argus is listening on
"-W" <email address> Who to send mail to
"-F" <file name> read from argus file ....
"-i" switch is only useful if you are using UoA's incident logging system.
DESCRIPTION
This software requires a connection via ra to an Argus-2.0 server.This script attempts to detect systematic probing of address on a network or ports on a host from another address.
To try and find the weak signal in all the network noise it focuses on tcp connections that did not get established and those that transfer no application data. We ignore various chaff eg. lone RST and SYN+ACK which are generated by DoS attacks on third parties where our IP addresses were spoofed. I don't know of any tools that use such packets for information gathering.
The script also raise the reporting threshold for scans where the destination addresses appear random e.g. ICQ sessions involve hundreds of connections.
History
9th Jan 01 First distribution --- treat this as beta software there is some very new code here. Over Xmas I inadvertantly broke the code that wiped the 'memory' periodically and found that the scanner became much more sensitive --- what surprised me was that it kept running for a week before I killed it. At that time it was using about 50MB memory. I have added code and a new parameter to control how many IP address the system will track. The list is purged periodically on a least recently seen basis.The script is still under active developement as I explore the new features of Argus 2.0
Contenus ©2006-2024 Benjamin Poulain
Design ©2006-2024 Maxime Vantorre