Around the year 2000-2002 (back in the days when Snort was still super young (and I haven’t heard of it yet), I decided to write a small network traffic analyser, which could serve as a “poor man’s intrusion detection system”. It was basically a C daemon configured with a ini-like configuration file, watching for network events.

If I remember correctly, I wanted a way to detect the (then pretty new and fancy) nmap stealth scan mechanisms (like half open, xmas, etc), and counter them with alerts and on demand firewall rules.

I just stumbled upon the old C source on my harddrive ssd on my macOS machine and tried make just to see what would happen. Back then I operated some FreeBSD/ OpenBSD and Linux servers, and I didn’t really expect much to happen besides tons of errors.

As it apparently still compiles and runs today (even on macOS), I’ve decided to upload the code to Github.

Checkout the configuration examples. Detecting the various nmap portscan types still works (see configuration below)!

# rule to detect tcp connect/half open portscans
[tcp]

    # tcp connect / half open
    tcp_flags = syn !ack

    # after 20 packages in 60 seconds a scan
    count = 20
    time  = 60

    # we need the portscan mode
    portscan_mode = 1


    #############################################################
    # possible actions against the attacker
    # (create a new firewall rule to block his ip for 30 seconds)
    #
    #    command1     = ipfw add deny ip from %sip to any
    #    delay        = 30
    #    command2     = ipfw del deny ip from %sip to any
    #
    #############################################################

    # the string for syslog
    logstr = portscan from: %sip [tcp connect/half open]



# rule to detect "null" scans
[tcp]

    # null scan
    tcp_flags = !syn !ack !psh !rst !urg !fin

    # after 10 packages in 60 seconds a scan
    count = 10
    time  = 60

    # we need the portscan mode
    portscan_mode = 1


    #############################################################
    # possible actions against the attacker
    # (create a new firewall rule to block his ip for 30 seconds)
    #
    #    command1     = ipfw add deny ip from %sip to any
    #    delay        = 30
    #    command2     = ipfw del deny ip from %sip to any
    #
    #############################################################

    # the string for syslog
    logstr = portscan from: %sip [null scan]



# rule to detect "xmas" portscans
[tcp]

    # nmap xmas scan
    tcp_flags = fin urg psh

    # after 10 packages in 60 seconds a scan
    count = 10
    time  = 60

    # we need the portscan mode
    portscan_mode = 1

    #############################################################
    # possible actions against the attacker
    # (create a new firewall rule to block his ip for 30 seconds)
    #
    #    command1     = ipfw add deny ip from %sip to any
    #    delay        = 30
    #    command2     = ipfw del deny ip from %sip to any
    #
    #############################################################

    # the string for syslog
    logstr = portscan from: %sip [xmas scan]



# rule to detect fin portscans
[tcp]

    # fin scan
    tcp_flags = !syn !ack !rst !urg !psh fin

    # after 50 packages in 30 seconds a scan
    count = 50
    time  = 30

    # we need the portscan mode
    portscan_mode = 1


    #############################################################
    # possible actions against the attacker
    # (create a new firewall rule to block his ip for 30 seconds)
    #
    #    command1     = ipfw add deny ip from %sip to any
    #    delay        = 30
    #    command2     = ipfw del deny ip from %sip to any
    #
    #############################################################

    # string for syslog
logstr = portscan from: %sip [fin]