Three things:

>Darren Reed <avalon@coombs.anu.edu.au> wrote:
> It doesn't look for Stealth Scans by their signature (half-open connections
> and using ACKs, etc), but just registers all packets sent to a select
> number of ports. The higher the number of ports `hit' by a given host,
> the higher its score for probability of having done a port scan.

1) I haven't looked at the code, but it would seem a couple of things were
significant in this approach:

- What happens if a firewall is blocking some of the "sensitive" ports?
  (e.g. ports 1-100 but not 23 get scanned)

- Time would seem to be significant. (e.g. What if I scan a new port every
  5 minutes (or whatever)) And if the timing is too small, a busy server
  will most likely get flagged as being scanned.

2) You didn't mention if your half-open port scanner was available. I wrote
one a long time ago which is freely available. If anyone would like to grab
a copy of it, you can find it in the intrusion section of my home page. It
only runs under SunOS 4.x, but it's basically just a proof of concept. :-)

http://www.engarde.com/~mcn

3) Are firewall logging packages vulnerable to this? (i.e. Does the firewall
only log/alert on the existence of a fully established connection, or merely
on the first SYN?)

-Mike
mcn@EnGarde.com
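The scoring approach Darren describes (count distinct ports hit per source host) and the two caveats Mike raises (a firewall dropping most probed ports before the sensor sees them, and a detection window that is too short to catch a slow scan) can be shown with a small detector run over constructed packet records. This is an added example, not code from the thread or from Darren's tool; the record format `(time, src, dst_port)`, the sliding window, the threshold of 10 ports, and the three sample hosts are all assumptions made for illustration.

```python
"""Port-scan scoring by distinct-port count per source, with a time window.

Added example, not the original poster's or Darren Reed's code.
Assumption: the sensor sees one record per packet as (t, src, dst_port),
with t in seconds, and scores a source by the largest number of distinct
ports it hit inside any sliding window of `window` seconds.
"""
from collections import defaultdict, deque


def score_sources(records, window, threshold):
    """Return ({src: max distinct ports within any `window` seconds},
    {src flagged because that score reached `threshold`}).

    Records may arrive in any order; they are sorted per source.
    """
    by_src = defaultdict(list)
    for t, src, port in records:
        by_src[src].append((t, port))

    scores = {}
    for src, hits in by_src.items():
        hits.sort()
        recent = deque()            # (t, port) pairs inside the window
        in_window = defaultdict(int)  # port -> hits still inside window
        best = 0
        for t, port in hits:
            recent.append((t, port))
            in_window[port] += 1
            # Expire hits older than the window before scoring.
            while recent and recent[0][0] < t - window:
                old_t, old_port = recent.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            best = max(best, len(in_window))
        scores[src] = best

    flagged = {s for s, v in scores.items() if v >= threshold}
    return scores, flagged


def apply_firewall(records, blocked):
    """Model a packet filter in front of the sensor: probes to `blocked`
    ports never reach the detector and so never add to a score."""
    return [r for r in records if r[2] not in blocked]


def _build_sample():
    """Constructed traffic (not captured data): three source hosts."""
    recs = []
    # 10.0.0.1: fast scanner, ports 1-100 inside ten seconds.
    recs += [(0.1 * i, "10.0.0.1", i) for i in range(1, 101)]
    # 10.0.0.2: slow scanner, one new port every five minutes, 40 ports.
    recs += [(300.0 * i, "10.0.0.2", 1000 + i) for i in range(40)]
    # 10.0.0.3: busy legitimate client cycling through six services.
    services = [22, 25, 53, 80, 443, 8080]
    recs += [(2.0 * i, "10.0.0.3", services[i % 6]) for i in range(50)]
    return recs


SAMPLE = _build_sample()

if __name__ == "__main__":
    # Short window: catches the fast scan, misses the 5-minute scan.
    print(score_sources(SAMPLE, window=60, threshold=10))
    # Day-long window: the slow scan accumulates 40 distinct ports.
    print(score_sources(SAMPLE, window=86400, threshold=10))
    # Firewall drops ports 1-100 except four: the fast scanner now looks
    # like a host touching four services and falls under the threshold.
    seen = apply_firewall(SAMPLE, set(range(1, 101)) - {22, 23, 25, 80})
    print(score_sources(seen, window=60, threshold=10))
```

With the 60-second window the fast scanner scores 100 and the slow one scores 1, so only the fast scan is flagged; widening the window to a day raises the slow scanner to 40 at the cost of letting a legitimately busy host accumulate more ports over the same span. Filtering the probes through the hypothetical firewall drops the fast scanner's visible score to 4, which is the first caveat: the sensor can only count what the packet filter lets through.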