Go4Expert (http://www.go4expert.com/)
C forum: port scan detector (http://www.go4expert.com/forums/port-scan-detector-t10028/)

joeserhal 15Apr2008 04:52

port scan detector
 
Hi there,
I'm currently working on a PROJECT (so it can be clear) regarding port scan detection. I have written code which is able to read all packets arriving on the device and extract the necessary information, such as source & destination addresses, destination port, protocol used... Having done this, I have no idea how to proceed next regarding the actual detection of a port scan...
I have some questions regarding this:

1) How can I know if a port being scanned is "open" or not (if the port is closed, and someone sends a packet/request to that port, doesn't it imply that it's an attack??)
2) Also, when I receive the packets and I want to do real-time/live detection, should I only read the info in the packets, determine whether it is an attack and then discard the packet, OR do I have to store the packets in some way in order to use them later for the detection??

Can anybody provide me with some info regarding this... I really need some help, as I do not know how to proceed from this current point?!

Thanks

pradeep 15Apr2008 10:52

Re: port scan detector
 
http://nms.lcs.mit.edu/papers/portscan-oakland04.pdf

joeserhal 17Apr2008 07:32

Re: port scan detector
 
Do you know how I can modify the attached file to determine/print the values of the flags in the TCP header (I'm talking about the FIN, SYN, RST, ACK... flags) when I receive the packets??
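Added example for the flag question above (my own code, not the thread's attachment): it assumes the captured buffer starts at the IPv4 header, i.e. the link-layer header has already been stripped, and the sample packet with its zero checksums is constructed by hand.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (RFC 793). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

/* Parse a raw IPv4 packet (no link-layer header) and return the TCP flag
 * byte, or -1 if the buffer does not hold a complete IPv4/TCP header. */
int tcp_flags(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;   /* not IPv4 */
    size_t ihl = (pkt[0] & 0x0f) * 4;                 /* IP header length */
    if (ihl < 20 || len < ihl + 20) return -1;        /* truncated */
    if (pkt[9] != 6) return -1;                       /* not TCP */
    return pkt[ihl + 13];                             /* TCP flags byte */
}

/* Render a flag byte as "SYN|ACK" style text (static buffer, not reentrant). */
const char *tcp_flags_str(int flags)
{
    static char buf[32];
    static const struct { int bit; const char *name; } tbl[] = {
        {TCP_FIN,"FIN"},{TCP_SYN,"SYN"},{TCP_RST,"RST"},
        {TCP_PSH,"PSH"},{TCP_ACK,"ACK"},{TCP_URG,"URG"} };
    buf[0] = '\0';
    for (size_t i = 0; i < 6; i++)
        if (flags > 0 && (flags & tbl[i].bit)) {
            if (buf[0]) strcat(buf, "|");
            strcat(buf, tbl[i].name);
        }
    return buf[0] ? buf : "none";
}

/* A bare SYN (no ACK) is a new connection attempt; the number of distinct
 * ports one source probes this way is what a scan detector keeps count of. */
int is_connection_attempt(int flags)
{
    return flags >= 0 && (flags & TCP_SYN) && !(flags & TCP_ACK);
}

/* Constructed sample: 192.168.1.2:12345 -> 192.168.1.3:22, SYN only. */
static const uint8_t sample[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x03,
    0x30,0x39,0x00,0x16, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 };

int main(void)
{
    int f = tcp_flags(sample, sizeof sample);
    printf("flags=0x%02x (%s) attempt=%d\n", f, tcp_flags_str(f), is_connection_attempt(f));
    return 0;
}
```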

