[SATLUG] help with tcpdump (grab a beer its a long post)
tweeksjunk2 at theweeks.org
Wed Feb 24 22:18:15 CST 2010
On Monday 22 February 2010 09:39:22 am redpill wrote:
> On Sun, 2010-02-21 at 08:31 -0600, Don Davis wrote:
> > This is an interesting thread.
> > What are you checking for? RST packets received right after syn packets?
> what I am looking for is half-open connections, which might indicate
> that someone is doing a stealth syn scan
Why not just use portsentry.. it detects stealth scans, such as SYN/half-open,
FIN, NULL, XMAS, and out-of-band packets... and is very modular in nature.
Unless you're doing this as a learning experince.. which I totally respect. ;)
More information about the SATLUG