Release 0.5.1, 08-04-2010

Fixes in TCP full-connect scan detection

Better logging functions

License changed to GPL v2.0

Moving repository to Github, 27-07-2013

Check http://opensource.org/licenses/BSD-3-Clause

Introduction

------------

This package provides "Pyscanlogd", a port-scanning

detection tool entirely written in Python. PyScanLog

is inspired by scanlogd {http://www.openwall.com/scanlogd}.

Licensing

---------

The code is released under New BSD License.

Dependencies

------------

The code is dependent upon pypcap and dpkt. However there

are problems with automatic installation of these packages

through setup.py, so they are not added as dependencies

into setup.py.

Instead either use your system's package manager to

install the dependencies or visit their respective

project pages to build from the latest source tarball.

pypcap: https://code.google.com/p/pypcap/

dpkt: http://code.google.com/p/dpkt/

In Ubuntu, these dependencies can be installed by

$ sudo apt-get install python-pcap python-dpkt

Installation

------------

$ sudo python setup.py install

Usage

-----

To run with default options just run the tool as root.

All scans are logged to the console.

$ sudo pyscanlogd

listening on eth0:

[2010-03-17 16:41:06]: TCP syn scan (flags:6) from 172.16.220.124 to 172.16.220.214 (ports:143,199,5900,256,111,1723,21,25,554,80,22)

To log to a file pass the "-f" option.

To run as daemon pass the "-d" option.

Note: When running as daemon, if -f option is not provided,

no output is printed to stdout.

$ sudo pyscanlogd -d -f "/var/log/scanlogd.log"

Daemonizing...

$ listening on eth0:

Currently there is no option to a specific interface.

By default pyscanlogd listens to the active interface

in promiscous mode.

class ScanEntry(object):

""" Port scan entry """

def __init__(self, hash):

self.src = 0

self.dst = 0

self.zombie = 0

self.timestamp = 0

self.timediffs = []

# Average of time-stamps

self.time_avg = 0.0

# Standard deviation in time-stamps

self.time_sd = 0.0

self.logged = False

self.type = ''

self.flags_or = 0

# SCTP

self.chunk_type = 0

self.weight = 0

self.ports = []

self.proto = 0

self.next = None

self.hash = hash

def update_time_sd(self):

""" Update standard deviation of time differences """

num = float(len(self.timediffs))

if num>0:

mean = 1.0*sum(self.timediffs)/num

sd = pow(sum([pow((x - mean), 2) for x in self.timediffs])/num, 0.5)

self.time_sd = sd

self.time_avg = mean

class EntryLog(dict):

""" Modified dictionary class with fixed size, which

# This will work only if the value is an object storing

# its key in the 'hash' attribute and links to other

# objects usin the 'next' attribute.

def __init__(self, maxsz):

self.oldest = None

self.last = None

self.maxsz = maxsz

super(EntryLog, self).__init__()

def __setitem__(self, key, value):

if not self.__contains__(key) and len(self)==self.maxsz:

# Remove oldest

if self.oldest:

self.__delitem__(self.oldest.hash)

self.oldest = self.oldest.next

super(EntryLog, self).__setitem__(key,value)

if self.last:

self.last.next = value

self.last = value

else:

self.last = value

self.oldest = self.last

class RecentScanEntry(object):

""" Recent scan entry class, storing

def __init__(self, scan, is_scan=True):

self.src = scan.src

self.dst = scan.dst

self.zombie = scan.zombie

self.type = scan.type

self.flags_or = scan.flags_or

self.ports = scan.ports[:]

self.timestamp = scan.timestamp

self.is_scan = is_scan

def __eq__(self, entry):

return ((self.src==entry.src) and (self.dst==entry.dst) and \

(self.type==entry.type))