From owner-freebsd-security Sun Dec 7 12:40:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA20561 for security-outgoing; Sun, 7 Dec 1997 12:40:20 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from joshua.enteract.com (joshua.enteract.com [207.229.129.5]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id MAA20554 for ; Sun, 7 Dec 1997 12:40:15 -0800 (PST) (envelope-from tqbf@joshua.enteract.com)
From: tqbf@joshua.enteract.com
Received: (qmail 7136 invoked by uid 1004); 7 Dec 1997 20:40:13 -0000
Date: 7 Dec 1997 20:40:13 -0000
Message-ID: <19971207204013.7135.qmail@joshua.enteract.com>
To: molter@logic.it, freebsd-security@freebsd.org
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector (fwd)
In-Reply-To:
Reply-To: tqbf@enteract.com
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In muc.lists.freebsd.security, you wrote:
>I thought someone could be interested in this program, a port scanner
>which seems more featureful than strobe (a port scanner in the
>FreeBSD ports).

It's not a port scanner. It's a bad port-scan detector; it's designed to
tell you when things like strobe (excellent program) are run against your
host.

It also doesn't work. In general, you need low-level network access (packet
capture) to really detect port-scans, because it's not hard to find out if a
TCB exists without tickling accept(). "Sentry" just binds to a bunch of ports
and trusts that if someone probes one of them, it'll notice.

--
-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
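
Added example, not part of the original message and not Sentry's code: a small Python model of the point made in the reply, run over a constructed packet list, comparing what a bind()/accept() listener would report with what a packet-level monitor would report. It assumes a listener only learns of a connection once the three-way handshake completes; the addresses, ports, the `probe` helper and the threshold of 5 are illustrative assumptions.

```python
from collections import defaultdict

# Constructed capture, not real traffic: (source, dst_port, sender, tcp_flags).
# sender "c" = remote client, "s" = monitored host. S=SYN, A=ACK, R=RST.
def probe(src, port, half_open):
    """Packets for one connection attempt to an open port (hypothetical helper)."""
    last = "R" if half_open else "A"   # half-open: reset instead of the final ACK
    return [(src, port, "c", "S"), (src, port, "s", "SA"), (src, port, "c", last)]

PORTS = (21, 23, 25, 79, 110, 143)
PACKETS = (
    [p for port in PORTS for p in probe("192.0.2.10", port, True)]     # half-open sweep
    + [p for port in PORTS for p in probe("192.0.2.20", port, False)]  # full-connect sweep
    + probe("198.51.100.7", 25, False)                                 # ordinary mail client
)

def accept_view(packets):
    """Ports per source that a bind()/accept() listener would report:
    only connections whose three-way handshake completes."""
    state, seen = {}, defaultdict(set)
    for src, port, sender, flags in packets:
        key = (src, port)
        if sender == "c" and flags == "S":
            state[key] = "syn"
        elif sender == "s" and flags == "SA" and state.get(key) == "syn":
            state[key] = "synack"
        elif sender == "c" and flags == "A" and state.get(key) == "synack":
            seen[src].add(port)          # accept() would return here
            state[key] = "established"
        elif "R" in flags:
            state.pop(key, None)         # torn down before accept() ever fires
    return dict(seen)

def capture_view(packets):
    """Ports per source seen at packet level: every initial SYN counts."""
    seen = defaultdict(set)
    for src, port, sender, flags in packets:
        if sender == "c" and flags == "S":
            seen[src].add(port)
    return dict(seen)

def scanners(view, threshold=5):
    """Sources that touched at least `threshold` distinct ports."""
    return sorted(src for src, ports in view.items() if len(ports) >= threshold)

if __name__ == "__main__":
    print("listener-based:", scanners(accept_view(PACKETS)))
    print("capture-based: ", scanners(capture_view(PACKETS)))
```

The half-open source never appears in the listener's view at all, while the packet-level view flags both sweeps and leaves the single-port mail client alone.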