Port Scan Attack Detector
I mentioned on the show on its last go-round that I was looking for a port scan detector for work. At least I think I mentioned it was for work. Anyhow, long ago I used to use a program called Portsentry, which still appears to be around, but in disuse. So, I went looking around for other options. The two I ran into frequent mention of were Snort, which also was frequently mentioned as being difficult to configure, and PSAD.
Well, it was PSAD that I decided on. I did a little preliminary testing this week. PSAD is easy to install; in fact, there were packages available for RedHat and Ubuntu already. It's also very easy to configure: just edit the /etc/psad/psad.conf file. All in all I was very satisfied with this piece of software. One particular caveat, though: beware of running it on a network with Windows machines. Not that PSAD doesn't work well, quite the opposite. It takes considerable "tuning", I learned, to get things running nicely on a Windows network, because Windows computers flood the network with a lot of unnecessary traffic, specifically UDP traffic. Think I am kidding? Try it and see 😉
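As an added illustration of the kind of "tuning" meant above (this is not configuration from the original post or from the PSAD project), here is a psad.conf fragment that tells PSAD to ignore the broadcast chatter Windows hosts emit, so it stops showing up as scan noise. The IGNORE_PORTS and IGNORE_PROTOCOLS keys and the "proto/port" list syntax are PSAD's own; the particular ports chosen (NetBIOS name/datagram service, SSDP, LLMNR) and the 192.168.1.0/24 home network are assumptions for the example, so adjust them to what your own firewall log actually shows.

```conf
### /etc/psad/psad.conf (excerpt) -- added example, values are assumptions
### Local network PSAD should treat as "home"; assumed for this example.
HOME_NET                    192.168.1.0/24;

### Windows hosts broadcast NetBIOS (udp/137, udp/138), SSDP (udp/1900)
### and LLMNR (udp/5355) constantly. Listing them here makes PSAD skip
### matching firewall log lines instead of counting them toward a scan.
IGNORE_PORTS                udp/137, udp/138, udp/1900, udp/5355;

### Leave protocol-level ignores off: we still want to see real UDP scans
### on other ports, so only the specific chatty ports above are excluded.
IGNORE_PROTOCOLS            NONE;

### Danger-level thresholds (number of packets before each level is
### reached). Raising DANGER_LEVEL1 slightly also cuts low-volume noise.
DANGER_LEVEL1               10;
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;
```

After editing, restart the daemon (`psad -R` or the distribution's init script) and watch `psad -S` for a day; if a particular Windows box still dominates the report, `/etc/psad/auto_dl` can pin that single IP to danger level 0 (a line of the form `192.168.1.10  0;`) without widening the port ignore list for the whole network.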