* UDP Scan detection with xtables-addon psd
@ 2011-08-11 10:16 andreas
From: andreas @ 2011-08-11 10:16 UTC (permalink / raw)
  To: netfilter

Hi,

I'm working on a dynamic firewall and one sensor should be the portscan.
I want to detect port scans and forward them to the target that handles
the sensors and the blocking. So I saw that xtables-addons supports
portscan detection with psd and lscan. As I also want to detect UDP scans, I chose
psd instead of lscan.
But I can't get psd to detect nmap UDP scans. I played around with the
four values of psd but I never got the UDP scans logged. The TCP scans
are logged, at least nmap -sT, -sS, -sF, -sX, -sN are logged, -sA is
missing and so is the UDP scan with -sU.
I did not use any special nmap parameters except -P0. The machine is a
Gentoo system with a 2.6.38 kernel, xtables-addons 1.37 and iptables 1.4.11.1.

Does anyone know how psd can detect UDP scans? Did I miss anything?

And another question: has psd development stopped, and do you
suggest using lscan, or do you have any other suggestion for me?

If not, I guess I have to write my own module or patch psd/lscan to get
the missing scans detected.

Thanks so far, and greetings from Germany,

Andi


* Re: UDP Scan detection with xtables-addon psd
From: Jan Engelhardt @ 2011-08-11 13:54 UTC (permalink / raw)
  To: andreas; +Cc: netfilter

On Thursday 2011-08-11 12:16, andreas wrote:

>Hi,
>
>But i can't get psd to detect nmap UDP scans.
>15:08 < norg> xv7: it's the commit adabd647b1d0421f961b5cc3808128001facb9bd

Oh yeah, that is strikingly obvious. Fixed in commit v1.37-5-g6c17eb4 
(psd branch).

>And another question is, is the psd development stopped and do you
>suggest to use lscan or do you have any other suggestion for me?

psd and lscan do two different things. One statistically monitors ports 
contacted over time, while lscan looks at one connection and inspects 
the TCP handshake (or lack thereof) to reach its conclusion.


* Re: UDP Scan detection with xtables-addon psd
From: andreas @ 2011-08-11 14:32 UTC (permalink / raw)
  To: netfilter

On 08/11/2011 03:54 PM, Jan Engelhardt wrote:
>> On Thursday 2011-08-11 12:16, andreas wrote:
>> 
>>>> Hi,
>>>> 
>>>> But i can't get psd to detect nmap UDP scans. 15:08 < norg>
>>>> xv7: it's the commit adabd647b1d0421f961b5cc3808128001facb9bd
>> 
>> Oh yeah, that is strikingly obvious. Fixed in commit
>> v1.37-5-g6c17eb4 (psd branch).
>> 

It's working now with nmap -sU scans. Thanks.
Also thanks for the further information.

So one question is still open: what is the reason that ACK scans aren't
detected (with nmap -sA $IP)?


* Re: UDP Scan detection with xtables-addon psd
From: Jan Engelhardt @ 2011-08-11 16:10 UTC (permalink / raw)
  To: andreas; +Cc: netfilter

On Thursday 2011-08-11 16:32, andreas wrote:

>On 08/11/2011 03:54 PM, Jan Engelhardt wrote:
>>> On Thursday 2011-08-11 12:16, andreas wrote:
>>> 
>>>>> Hi,
>>>>> 
>>>>> But i can't get psd to detect nmap UDP scans. 15:08 < norg>
>>>>> xv7: it's the commit adabd647b1d0421f961b5cc3808128001facb9bd
>>> 
>>> Oh yeah, that is strikingly obvious. Fixed in commit
>>> v1.37-5-g6c17eb4 (psd branch).
>>> 
>
>Is working now with nmap -sU scans. Thanks.
>Also Thanks for the further informations.
>
>So still one question open. What is the reason, that ACK Scans aren't
>detected (with nmap -sA $IP)?

They should be classified as -m conntrack --ctstate INVALID, since they 
won't match anything preexisting.

Assuming this is not the case (e.g. due to liberal pickup of 
connections, see a similarly named sysctl), how else would you determine 
that they are not real?
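To tie Jan's two answers together (psd watching ports contacted over time, lscan inspecting a single TCP handshake, and bare ACK probes landing in conntrack's INVALID state), here is an added example that is not part of the thread and not code from xtables-addons: a POSIX shell script that prints an iptables-restore fragment placing all three checks in one chain, with INVALID handled first so ACK probes are logged and dropped before they reach psd. The chain name and log prefixes are made up for the example; the psd thresholds are the module's documented defaults and the psd/lscan option names are taken from the xtables-addons man pages as I know them, so verify them against `iptables -m psd --help` and `iptables -m lscan --help` for your installed version. The script only prints; loading the output with `iptables-restore -n` needs root.

```shell
#!/bin/sh
# Added example, not from the thread or from xtables-addons.
# Emits an iptables-restore fragment on stdout. Review it, then load it with
#   sh scan_rules.sh | iptables-restore -n      (root; -n keeps existing rules)

# Chain name is constructed for this example; override with CHAIN=... if wanted.
CHAIN="${CHAIN:-SCANDETECT}"

# Print the restore fragment. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the generated file.
scan_rules() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
-A INPUT -j ${CHAIN}
# 1. ACK scans (nmap -sA): a lone ACK with no matching conntrack entry is
#    INVALID. Log (rate-limited) and drop before any scan module sees it.
-A ${CHAIN} -p tcp -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "scan-invalid: "
-A ${CHAIN} -p tcp -m conntrack --ctstate INVALID -j DROP
# 2. lscan: per-connection TCP handshake inspection (stealth, SYN and
#    connect scans). Option names assumed from the xtables-addons man page.
-A ${CHAIN} -p tcp -m lscan --stealth --synscan --cnscan -m limit --limit 5/min -j LOG --log-prefix "scan-lscan: "
# 3. psd: statistical port-sweep detection over time; no -p, so it also
#    covers UDP (nmap -sU). Values are the documented psd defaults.
-A ${CHAIN} -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -m limit --limit 5/min -j LOG --log-prefix "scan-psd: "
COMMIT
EOF
}

# Sanity check on the generated ordering: the INVALID drop must precede the
# psd rule, otherwise ACK probes would still feed psd's statistics.
# Returns 0 when the order is right, 1 otherwise.
rule_order_ok() {
    scan_rules | grep -n -e '--ctstate INVALID -j DROP' -e '-m psd' \
        | awk -F: 'NR == 1 && /DROP/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# When run as a script, just print the fragment.
scan_rules
```

Keeping the INVALID rules ahead of `-m psd` matters: psd counts every packet that reaches it, so letting stray ACKs through would both inflate its weight and hide the ACK scan behind the psd log line instead of the conntrack one. If you run with the liberal pickup sysctl Jan mentions, the INVALID match will not fire for those packets and the ordering check still passes, so test it against a real `nmap -sA` from a lab host.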

