I notice that there was some further discussion since I wrote my reply. I did assume that you wanted to just check for connection attempts to ports. That's fairly straightforward. If you just wanted to grab SYN packets on Win32 you will need an interface to a packet capture library like WinPcap, etc. There are several other good lightweight packet capture engines for Win32. I use WinPcap for my Windows Snort installs. It is stable and effective. The problem will be writing the code to interface with that library or with the network driver. That's not trivial. Otherwise there's no effective way for your program to grab packets before they hit the layer 3 process that is already looking for them. (Other than creating a transparent proxy, but now I'm getting even more off-topic.)

You would probably do better with C or C++ than with Perl for packet capture work. Much, much easier to create a few listeners on unused ports and count & correlate connection attempts.

My $.02

Lee

Lee Clemmer
Chief Security Consultant
Higher Ground Networks, LLC
[EMAIL PROTECTED]
404-874-0504
Cell: 404-277-6651

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lee Clemmer
Sent: Monday, December 16, 2002 7:59 PM
To: [EMAIL PROTECTED]
Subject: RE: port scan detector

I've got a "fully developed" one that I wrote and I've used for a while now. It listens on multiple ports, it logs the source addresses, does reverse lookups and whois/ARIN lookups for the ISP in question, and sends e-mails if a defined number of attempts or ports are scanned. Uses a config file to tune settings, can send reports to multiple e-mail addresses, etc. It also runs cross-platform on Linux, Solaris, and NT/2000 without any modifications.

Eric's follow-up messages have you started in the right direction.

Lee

Lee Clemmer
President/Chief Security Consultant
Higher Ground Networks, LLC
[EMAIL PROTECTED]
404-874-0504
Cell: 404-277-6651

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert-Jan Mora
Sent: Monday, December 16, 2002 3:59 PM
To: [EMAIL PROTECTED]
Subject: port scan detector

Hello,

I would like to make a TCP and UDP port scan detector in Perl for Win32. Has anyone tried it already? The scan detector has to run in the background and only has to log connections to a file. Can someone point me in a direction?

Thanks in advance.

_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
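
The listener approach discussed in this thread (a few listeners on unused ports, counting and correlating connection attempts, alerting on a defined number of attempts or ports), sketched as an added example that is not part of the original messages and is not Lee's program. The port numbers, thresholds, log file name and the helper names `record_attempt` and `log_line` are assumptions; only the core modules IO::Socket::INET and IO::Select are used, and only TCP is covered.

```perl
# Added example: TCP decoy listeners that count and correlate attempts per source.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

# Assumed values for illustration; pick ports nothing legitimate uses.
my @PORTS        = (2323, 8081, 31337);
my $MAX_ATTEMPTS = 5;      # alert after this many connections from one source
my $MAX_PORTS    = 2;      # ... or after this many distinct decoy ports
my $WINDOW       = 300;    # seconds an attempt stays in the tally
my $LOGFILE      = 'portscan.log';

# Correlation step: record one attempt, expire old ones, and return
# (attempt count, distinct port count) for that source inside the window.
my %seen;                  # source IP => [ [epoch, port], ... ]
sub record_attempt {
    my ($ip, $port, $now) = @_;
    my $hits = $seen{$ip} ||= [];
    push @$hits, [$now, $port];
    @$hits = grep { $now - $_->[0] <= $WINDOW } @$hits;
    my %ports = map { $_->[1] => 1 } @$hits;
    return (scalar @$hits, scalar keys %ports);
}

sub log_line {
    my ($msg) = @_;
    open my $fh, '>>', $LOGFILE or die "cannot append to $LOGFILE: $!";
    print {$fh} scalar(localtime), " $msg\n";
    close $fh;
}

my $sel = IO::Select->new;
for my $port (@PORTS) {
    my $l = IO::Socket::INET->new(LocalPort => $port, Proto => 'tcp', Listen => 16)
        or die "cannot listen on $port: $!";
    $sel->add($l);
}

while (my @ready = $sel->can_read) {       # blocks until a listener has a peer
    for my $l (@ready) {
        my $c = $l->accept or next;
        my ($ip, $port) = ($c->peerhost || 'unknown', $l->sockport);
        close $c;                          # never serve data to the peer
        my ($n, $np) = record_attempt($ip, $port, time);
        log_line("connect from $ip to decoy port $port");
        log_line("ALERT $ip: $n attempts, $np ports in ${WINDOW}s")
            if $n >= $MAX_ATTEMPTS or $np >= $MAX_PORTS;
    }
}
```

Because `accept` only returns after the TCP handshake completes, this logs full connection attempts only; half-open SYN probes never reach it, which is the case the thread says needs a packet capture library.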
