From: andreas <andi@geekosphere.org>
To: netfilter@vger.kernel.org
Subject: UDP Scan detection with xtables-addon psd
Date: Thu, 11 Aug 2011 12:16:39 +0200
Message-ID: <4E43AC07.4040103@geekosphere.org>

Hi,

I'm working on a dynamic firewall, and one sensor should be the portscan.
I want to detect port scans and forward them to the target that handles
the sensors and the blocking. So I saw that xtables-addons supports
portscan with psd and lscan. As I also want to scan UDP scans, I chose
psd instead of lscan.

But I can't get psd to detect nmap UDP scans. I played around with the
four values of psd, but I never got the UDP scans logged. The TCP scans
are logged, at least nmap -sT, -sS, -sF, -sX, -sN are logged; -sA is
missing, and so is the UDP scan with -sU.

I did not use any special nmap parameters except -P0. The machine is a
Gentoo system with a 2.6.38 kernel, xtables-addons 1.37 and iptables 1.4.11.1.

Does anyone know how psd can detect UDP scans? Did I miss anything?

Another question: has psd development stopped, and do you
suggest using lscan, or do you have any other suggestion for me?
If not, I guess I have to write my own module or patch psd/lscan to get
the missing scans detected.

Thanks so far and greetings from Germany,
Andi