[SATLUG] help with tcpdump (grab a beer its a long post)

steve kolars bkfuth at gmail.com
Thu Feb 25 23:20:47 CST 2010


On Wed, Feb 24, 2010 at 10:18 PM, Tweeks <tweeksjunk2 at theweeks.org> wrote:

> On Monday 22 February 2010 09:39:22 am redpill wrote:
> > On Sun, 2010-02-21 at 08:31 -0600, Don Davis wrote:
> > > This is an interesting thread.
> > >
> > > What are you checking for? RST packets received right after syn packets?
> >
> > what I am looking for is half-open connections, which might indicate
> > that someone is doing a stealth syn scan
>
> Why not just use portsentry.. it detects stealth scans, such as SYN/half-open,
> FIN, NULL, XMAS, and out-of-band packets... and is very modular in nature.
>
> Unless you're doing this as a learning experience.. which I totally respect. ;)
>

Bingo!

Steve

>
> Tweeks
>
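
The check discussed in this thread (a SYN answered by a SYN-ACK and then reset by the client instead of acknowledged), as an added example that is not part of the original messages. It assumes text output from `tcpdump -nn`; the sample lines and the function name `half_open_ports` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn` text output (not captured traffic).
SAMPLE = """\
12:00:00.000001 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 100, win 1024, length 0
12:00:00.000101 IP 198.51.100.5.22 > 192.0.2.10.40001: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:00.000201 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [R], seq 101, win 0, length 0
12:00:00.001001 IP 192.0.2.10.40002 > 198.51.100.5.23: Flags [S], seq 200, win 1024, length 0
12:00:00.001101 IP 198.51.100.5.23 > 192.0.2.10.40002: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:00.002001 IP 192.0.2.10.40003 > 198.51.100.5.80: Flags [S], seq 300, win 1024, length 0
12:00:00.002101 IP 198.51.100.5.80 > 192.0.2.10.40003: Flags [S.], seq 700, ack 301, win 65535, length 0
12:00:00.002201 IP 192.0.2.10.40003 > 198.51.100.5.80: Flags [R], seq 301, win 0, length 0
12:00:01.000001 IP 192.0.2.20.51000 > 198.51.100.5.80: Flags [S], seq 900, win 64240, length 0
12:00:01.000101 IP 198.51.100.5.80 > 192.0.2.20.51000: Flags [S.], seq 800, ack 901, win 65535, length 0
12:00:01.000201 IP 192.0.2.20.51000 > 198.51.100.5.80: Flags [.], ack 801, win 64240, length 0
"""

# src_ip.src_port > dst_ip.dst_port: Flags [..]
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

def half_open_ports(text):
    """Map each client IP to the server ports where it reset after a SYN-ACK."""
    state = {}                 # (client, cport, server, sport) -> handshake stage
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sp, dst, dp, flags = m.groups()
        fwd, rev = (src, sp, dst, dp), (dst, dp, src, sp)
        if flags == "S":                                  # client opens
            state[fwd] = "SYN"
        elif flags == "S." and state.get(rev) == "SYN":   # server answers
            state[rev] = "SYNACK"
        elif flags == "." and state.get(fwd) == "SYNACK": # handshake completed
            state[fwd] = "OPEN"
        elif "R" in flags and state.get(fwd) == "SYNACK": # reset instead of ACK
            hits[src].add(int(dp))
            del state[fwd]
    return {ip: sorted(ports) for ip, ports in hits.items()}

if __name__ == "__main__":
    for ip, ports in half_open_ports(SAMPLE).items():
        print(f"{ip}: half-open handshakes on ports {ports}")
```

A closed port (the server's own `[R.]` reply on port 23 in the sample) and a completed handshake are not counted; several distinct ports reported for one source is the pattern to alert on.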
