Detect Topera IPv6 scans when IP options are logged
author Michael Rash <mbr@cipherdyne.org>
Fri, 21 Dec 2012 02:06:46 +0000 (21:06 -0500)
committer Michael Rash <mbr@cipherdyne.org>
Fri, 21 Dec 2012 02:06:46 +0000 (21:06 -0500)
commit 574d31aff2702412d78016d509beedf8e866b7db
tree 57ecc40b4a007e246ae7fe63d3b5ffbf94441592
parent bd89cfbad0cdc4540f1b983811e40803b8fa29b9
Detect Topera IPv6 scans when IP options are logged

Added detection for Topera IPv6 scans when --log-ip-options is used in
the ip6tables logging rule.  When this option is not used, the previous
psad-2.2 release detected Topera scans.  An example TCP SYN packet
generated by Topera when --log-ip-options is used looks like this (note
the series of empty IP options strings "OPT ( )"):

    Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT= MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd
    SRC=2012:1234:1234:0000:0000:0000:0000:0001 DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64
    FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN
    URGP=0
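As an added illustration of the detection described in the commit message (example code written for this page, not psad's own Perl implementation), the parser below reads ip6tables log lines, counts the empty "OPT ( )" strings that --log-ip-options emits for a Topera SYN probe, and flags the line. The sample lines are constructed; the first mirrors the packet shown above. The threshold of empty options used to raise a flag is an assumption of this example, not psad's rule.

```python
import re

# Constructed sample ip6tables log lines (layout follows the packet in the commit message).
TOPERA_LINE = (
    "Dec 20 20:10:40 rohan kernel: [  488.495776] DROP IN=eth0 OUT= "
    "MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd "
    "SRC=2012:1234:1234:0000:0000:0000:0000:0001 "
    "DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=132 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) OPT ( ) "
    "OPT ( ) OPT ( ) PROTO=TCP SPT=61287 DPT=1 WINDOW=8192 RES=0x00 SYN URGP=0"
)
# An ordinary IPv6 SYN with no IP options logged (constructed).
NORMAL_LINE = (
    "Dec 20 20:11:02 rohan kernel: [  510.112233] DROP IN=eth0 OUT= "
    "MAC=00:1b:b9:76:9c:e4:00:13:46:3a:41:36:86:dd "
    "SRC=2012:1234:1234:0000:0000:0000:0000:0003 "
    "DST=2012:1234:1234:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0"
)

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=VALUE tokens (OUT= may be empty)
EMPTY_OPT_RE = re.compile(r"OPT \( \)")        # empty IP options string from --log-ip-options
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_ip6tables_log(line):
    """Return the KEY=VALUE fields of one log line plus two derived entries:
    '_empty_opts' (count of 'OPT ( )') and '_flags' (bare TCP flag tokens)."""
    fields = dict(KV_RE.findall(line))
    fields["_empty_opts"] = len(EMPTY_OPT_RE.findall(line))
    fields["_flags"] = [tok for tok in line.split() if tok in TCP_FLAGS]
    return fields

def is_topera_ipv6_syn(line, min_empty_opts=2):
    """True when the line is an IPv6 TCP SYN (not SYN/ACK) carrying a run of
    empty IP options. min_empty_opts is an assumed threshold for this example."""
    f = parse_ip6tables_log(line)
    if f.get("PROTO") != "TCP" or "SYN" not in f["_flags"] or "ACK" in f["_flags"]:
        return False
    if "FLOWLBL" not in f:          # only IPv6 log lines carry FLOWLBL
        return False
    return f["_empty_opts"] >= min_empty_opts

def flagged_sources(lines):
    """Return (SRC, DPT) pairs for every line that matches the Topera pattern."""
    return [(parse_ip6tables_log(l)["SRC"], parse_ip6tables_log(l)["DPT"])
            for l in lines if is_topera_ipv6_syn(l)]

if __name__ == "__main__":
    print(flagged_sources([TOPERA_LINE, NORMAL_LINE]))
```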
ChangeLog
psad
test/scans/iptables/topera_ipv6_syn_scan_no_ip_opts [new file with mode: 0644]
test/scans/iptables/topera_ipv6_syn_scan_with_ip_opts [new file with mode: 0644]
test/test-psad.pl