
I am running scanlogd to detect port scans. I have observed the following to generate a log message in /var/log/syslog.

  • When I use zenmap (nmap gui) to port scan this system from another computer on the same subnet
  • Using nmap to scan the system from the localhost using destination as 127.0.0.1
  • Using nmap to scan the system from the localhost using the external IP as the destination.
  • From my phone on a different subnet in the same organization (A University).

/var/log/syslog:

Aug 16 15:38:59 LIVE272675 scanlogd: 208.75.19.79 to 208.75.19.139 ports 22, 17500, 256, 135, 143, 113, 53, ..., ?????uxy, TOS 00 @14:57:26
Aug 16 15:40:20 LIVE272675 scanlogd: 127.0.0.1 to 127.0.0.1 ports 6010, 6011, 48153, 49681, 52321, 33819, 60076, ..., ?????uxy, TOS 00, TTL 64 @16:24:06
Aug 16 15:41:13 LIVE272675 scanlogd: 208.75.19.139 to 208.75.19.139 ports 80, 443, 993, 143, 256, 1720, 8080, 1723, ..., fSrpauxy, TOS 00, TTL 64 @20:41:13
Aug 16 15:49:07 LIVE272675 scanlogd: 208.75.243.17 to 208.75.19.139 ports 1, 2, 3, 7, 9, 11, ..., fSrpauxy, TOS 00, TTL 63 @20:49:07

However, scanning this machine from a machine outside the organization network did not generate any logs, even though the scans detected the ports that were open and the services that were running on the system correctly. Have I got some settings wrong? Or is this something that is expected?

Why is scanlogd missing the scans? Is there a way to detect all port scans?

Lord Loh.
Is there a network firewall? Is it only permitting connections to legitimate services? If you run `tcpdump` on your host during the scan, do you see the traffic you expect? – larsks Aug 17 '13 at 01:54
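The scanlogd lines in the question all follow one fixed layout, so a defender can parse them and bucket each logged scan by where its source sits relative to the scanned host, which makes the gap the question describes (no entries for scans from outside the organisation) visible as an empty bucket. The Python below is an added example, not code from the question, the answer, or scanlogd itself; treating 208.75.0.0/16 as the organisation's address range is an assumption inferred from the addresses in the log, and the `sshd` line in the test is constructed.

```python
import ipaddress
import re

# scanlogd line layout (the TTL field is optional; the first sample lacks it):
#   ... scanlogd: SRC to DST ports P1, P2, ..., FLAGS, TOS xx[, TTL n] @HH:MM:SS
SCANLOGD_RE = re.compile(
    r"scanlogd: (?P<src>[\d.]+) to (?P<dst>[\d.]+) ports (?P<ports>[\d, ]+?)"
    r"(?P<trunc>, \.\.\.)?, (?P<flags>\S+), TOS (?P<tos>[0-9a-fA-F]{2})"
    r"(?:, TTL (?P<ttl>\d+))? @(?P<time>\d\d:\d\d:\d\d)"
)

def parse_scanlogd_line(line):
    """Return the fields of one scanlogd line as a dict, or None for any other syslog line."""
    m = SCANLOGD_RE.search(line)
    if m is None:
        return None
    return {
        "src": m["src"], "dst": m["dst"], "time": m["time"],
        "ports": [int(p) for p in m["ports"].split(", ")],  # only the ports scanlogd printed
        "truncated": m["trunc"] is not None,                 # "..." means more ports were hit
        "flags": m["flags"],                                 # scanlogd's flag summary, verbatim
        "tos": m["tos"], "ttl": int(m["ttl"]) if m["ttl"] else None,
    }

def scan_origin(ev, org_nets):
    """Where the scan came from, relative to the scanned host and the organisation's ranges."""
    src = ipaddress.ip_address(ev["src"])
    if src.is_loopback:
        return "loopback"
    if ev["src"] == ev["dst"]:
        return "self"
    if any(src in ipaddress.ip_network(n) for n in org_nets):
        return "internal"
    return "external"

def summarize(lines, org_nets):
    """Count logged scans per origin; an empty 'external' bucket is the gap the question reports."""
    counts = {"loopback": 0, "self": 0, "internal": 0, "external": 0}
    for ev in filter(None, map(parse_scanlogd_line, lines)):
        counts[scan_origin(ev, org_nets)] += 1
    return counts

# Sample lines copied from the question; 208.75.0.0/16 as the organisation's range is an assumption.
SAMPLE = [
    "Aug 16 15:38:59 LIVE272675 scanlogd: 208.75.19.79 to 208.75.19.139 ports 22, 17500, 256, 135, 143, 113, 53, ..., ?????uxy, TOS 00 @14:57:26",
    "Aug 16 15:40:20 LIVE272675 scanlogd: 127.0.0.1 to 127.0.0.1 ports 6010, 6011, 48153, 49681, 52321, 33819, 60076, ..., ?????uxy, TOS 00, TTL 64 @16:24:06",
    "Aug 16 15:41:13 LIVE272675 scanlogd: 208.75.19.139 to 208.75.19.139 ports 80, 443, 993, 143, 256, 1720, 8080, 1723, ..., fSrpauxy, TOS 00, TTL 64 @20:41:13",
    "Aug 16 15:49:07 LIVE272675 scanlogd: 208.75.243.17 to 208.75.19.139 ports 1, 2, 3, 7, 9, 11, ..., fSrpauxy, TOS 00, TTL 63 @20:49:07",
]
ORG_NETS = ["208.75.0.0/16"]
```

`summarize(SAMPLE, ORG_NETS)` returns `{'loopback': 1, 'self': 1, 'internal': 2, 'external': 0}`: every scan the log shows came from the host itself or from inside the organisation, so comparing this with the firewall's own logs (as the comment suggests) is the next check.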

1 Answer


Here they say the following:

The goal of scanlogd is not to detect all port scans but instead to detect as many port scans as possible while still being reliable enough. Scanlogd writes one line per scan using the syslog(3) mechanism. It also logs when a source address sends many packets to several different ports in a short amount of time. Because scanlogd is only meant to detect scans, it is totally safe to run on your system. It must have access to raw IP packets to function, and can capture packets coming in and out of the system interface, or across the network to which the system is attached.

Badr Elmers