[SATLUG] help with tcpdump (grab a beer, it's a long post)

Tweeks tweeksjunk2 at theweeks.org
Wed Feb 24 22:18:15 CST 2010


On Monday 22 February 2010 09:39:22 am redpill wrote:
> On Sun, 2010-02-21 at 08:31 -0600, Don Davis wrote:
> > This is an interesting thread.
> >
> > What are you checking for? RST packets received right after syn packets?
>
> what I am looking for is half-open connections, which might indicate
> that someone is doing a stealth syn scan

Why not just use portsentry.. it detects stealth scans, such as SYN/half-open, 
FIN, NULL, XMAS, and out-of-band packets... and is very modular in nature. 

Unless you're doing this as a learning experience.. which I totally respect. ;)

Tweeks
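The half-open pattern redpill describes (SYN out, SYN-ACK back, then a RST or silence instead of the ACK that would complete the handshake) can be picked out of plain tcpdump text without portsentry. The script below is an added example written for this thread, not code from either poster or from portsentry: it parses the per-packet summary lines tcpdump prints with `-nn`, tracks each flow's handshake state, counts half-open connections per source address, and separately flags the other probe shapes Tweeks lists (NULL, FIN and XMAS segments, which carry neither SYN, ACK nor RST and so can never belong to a real connection). The capture embedded in it is constructed for the example; the addresses, ports and the alert threshold of three half-open connections are assumptions, not values from the thread.

```python
import re
import sys
from collections import defaultdict

# Matches the TCP summary line tcpdump prints for IPv4 with "-nn" (numeric
# addresses and ports). Only the fields needed for handshake tracking are captured.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
FLAG_CHARS = {"S": "SYN", ".": "ACK", "R": "RST", "F": "FIN", "P": "PSH", "U": "URG"}

# Constructed sample capture (not a real trace): 10.0.0.5 half-opens ports 22, 80 and
# 443, hits a closed port 23, leaves port 25 half-open without a RST; 10.0.0.7 is a
# normal client that completes its handshake; 10.0.0.9 sends NULL, FIN and XMAS probes.
SAMPLE_CAPTURE = """\
08:31:00.000001 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 100, win 1024, length 0
08:31:00.000002 IP 192.168.1.10.22 > 10.0.0.5.40001: Flags [S.], seq 500, ack 101, win 29200, length 0
08:31:00.000003 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [R], seq 101, win 0, length 0
08:31:00.000004 IP 10.0.0.5.40002 > 192.168.1.10.80: Flags [S], seq 100, win 1024, length 0
08:31:00.000005 IP 192.168.1.10.80 > 10.0.0.5.40002: Flags [S.], seq 500, ack 101, win 29200, length 0
08:31:00.000006 IP 10.0.0.5.40002 > 192.168.1.10.80: Flags [R], seq 101, win 0, length 0
08:31:00.000007 IP 10.0.0.5.40003 > 192.168.1.10.443: Flags [S], seq 100, win 1024, length 0
08:31:00.000008 IP 192.168.1.10.443 > 10.0.0.5.40003: Flags [S.], seq 500, ack 101, win 29200, length 0
08:31:00.000009 IP 10.0.0.5.40003 > 192.168.1.10.443: Flags [R], seq 101, win 0, length 0
08:31:00.000010 IP 10.0.0.5.40004 > 192.168.1.10.23: Flags [S], seq 100, win 1024, length 0
08:31:00.000011 IP 192.168.1.10.23 > 10.0.0.5.40004: Flags [R.], seq 0, ack 101, win 0, length 0
08:31:00.000012 IP 10.0.0.5.40005 > 192.168.1.10.25: Flags [S], seq 100, win 1024, length 0
08:31:00.000013 IP 192.168.1.10.25 > 10.0.0.5.40005: Flags [S.], seq 500, ack 101, win 29200, length 0
08:31:01.000001 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [S], seq 7, win 65535, length 0
08:31:01.000002 IP 192.168.1.10.22 > 10.0.0.7.51000: Flags [S.], seq 9, ack 8, win 29200, length 0
08:31:01.000003 IP 10.0.0.7.51000 > 192.168.1.10.22: Flags [.], ack 10, win 65535, length 0
08:31:02.000001 IP 10.0.0.9.60000 > 192.168.1.10.80: Flags [none], win 1024, length 0
08:31:02.000002 IP 10.0.0.9.60001 > 192.168.1.10.80: Flags [F], seq 0, win 1024, length 0
08:31:02.000003 IP 10.0.0.9.60002 > 192.168.1.10.80: Flags [FPU], seq 0, win 1024, urg 0, length 0
"""


def parse_line(line):
    """Return (src, sport, dst, dport, flagset) for a TCP summary line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("flags")
    flags = frozenset() if raw == "none" else frozenset(FLAG_CHARS[c] for c in raw if c in FLAG_CHARS)
    return (m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")), flags)


def probe_kind(flags):
    """Name a segment that carries none of SYN/ACK/RST; such a segment is never part
    of a legitimate connection, so it is a stealth probe. Returns None otherwise."""
    if flags & {"SYN", "ACK", "RST"}:
        return None
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    return "OTHER"


def analyze(lines):
    """Walk the capture once, tracking handshake state per flow.
    Returns (half_open counts per source, stealth probe counts per source, flow states)."""
    flows = {}                                        # (client, cport, server, sport) -> state
    half_open = defaultdict(int)
    probes = defaultdict(lambda: defaultdict(int))
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        kind = probe_kind(flags)
        if kind:
            probes[src][kind] += 1
            continue
        fwd = (src, sport, dst, dport)                # key if this packet came from the initiator
        rev = (dst, dport, src, sport)                # key if this packet came from the target
        if "SYN" in flags and "ACK" not in flags:
            flows[fwd] = "syn"
        elif "SYN" in flags and "ACK" in flags and flows.get(rev) == "syn":
            flows[rev] = "synack"
        elif "RST" in flags:
            if flows.get(rev) == "syn":               # target refused: closed port, not half-open
                flows[rev] = "closed"
            elif flows.get(fwd) == "synack":          # initiator tore the handshake down
                flows[fwd] = "half_open_reset"
        elif "ACK" in flags and flows.get(fwd) == "synack":
            flows[fwd] = "established"
    for (client, _, _, _), state in flows.items():
        if state in ("synack", "half_open_reset"):   # never completed by the initiator
            half_open[client] += 1
    return dict(half_open), {ip: dict(k) for ip, k in probes.items()}, flows


def suspects(lines, threshold=3):
    """Sources with at least `threshold` half-open connections, or any stealth probe."""
    half_open, probes, _ = analyze(lines)
    return sorted({ip for ip, n in half_open.items() if n >= threshold} | set(probes))


if __name__ == "__main__":
    # Usage: tcpdump -nn -l tcp | python3 halfopen.py   (falls back to the sample when no pipe)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    lines = [l.rstrip("\n") for l in source]
    half_open, probes, _ = analyze(lines)
    print("half-open per source:", half_open)
    print("stealth probes per source:", probes)
    print("suspects:", suspects(lines))
```

The closed-port case matters for keeping the false-positive rate down: a SYN answered by a RST-ACK from the target is just a connection attempt to a port with nothing listening, so it is not counted, whereas a SYN-ACK that the initiator answers with a bare RST (or never answers) is. On a live box this should be run against a capture that excludes the host's own outgoing connections, otherwise an ordinary client timing out will look like a scanner.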


