Everhart, Glenn
From: Patrick Gilbert [gilbert@PGCI.CA]
Sent: Wednesday, December 16, 1998 6:22 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Detecting the "undetectable".

For many system administrators, paranoia comes as a sixth sense. They don't like their networks prodded or probed by outsiders; this would be like bursting into their office while they are taking their coffee and groping them.

So, after having my fun with nmap-2.00, I decided to conjure something that will monitor for this type of network reconnaissance. The monitor works with tcpdump, and perl provides flexibility. Feel free to improve on it, and mail me a copy.

You must provide the network to monitor and the ports to exclude, and you can also add filters for larger networks. Here are a few suspicious packets it looks out for; you can read about the added features and grab the source at http://www.pgci.ca/syn.html

- icmp packets (you can add filters)
- udp packets (same)
- TCP packets with no ACK
- Fragmented IP packets
- IP packets with options
- Packets with X.X.X.255 destination
- Packets with X.X.X.0 destination

Cheers,

--
Patrick Gilbert
PGCI Inc.  http://www.pgci.ca
Montreal (QC), Canada
CE AB B2 18 E0 FE C4 33 0D 9A AC 18 30 1F D9 1A
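The seven checks listed in the post, implemented as an added example (this is not Patrick Gilbert's perl script, which reads tcpdump output; it is a Python reimplementation that parses raw IPv4 packets directly, as you would get them from a pcap with the link-layer header stripped or from a raw socket). The monitored network, the excluded ports, and all sample packets are constructed for the example; the builder functions exist only to fabricate those samples and never put anything on the wire.

```python
import ipaddress
import struct

# Constructed for this example (not from the original post): the network being
# watched and the ports whose UDP traffic is considered normal, standing in for
# the "network to monitor" and "ports to exclude" inputs the script takes.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
EXCLUDED_PORTS = {53, 123}

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_ACK = 0x10
IP_MF = 0x2000            # "more fragments" bit of the flags/fragment-offset field
IP_FRAG_OFFSET = 0x1FFF


def classify(packet):
    """Return the suspicious properties of one raw IPv4 packet (no link-layer header)."""
    alerts = []
    if len(packet) < 20:
        return ["truncated IP header"]
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto,
     _csum, _src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return ["not IPv4"]
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in MONITORED_NET:
        return []                       # not aimed at our network: ignore
    ihl = (ver_ihl & 0x0F) * 4
    if ihl > 20:                        # anything past the fixed 20 bytes is options
        alerts.append("IP options present")
    frag_offset = flags_frag & IP_FRAG_OFFSET
    if flags_frag & IP_MF or frag_offset:
        alerts.append("fragmented IP packet")
    last_octet = int(dst_ip) & 0xFF
    if last_octet == 255:
        alerts.append("destination x.x.x.255")
    elif last_octet == 0:
        alerts.append("destination x.x.x.0")
    if frag_offset:                     # a later fragment carries no transport header
        return alerts
    payload = packet[ihl:]
    if proto == IPPROTO_ICMP:
        alerts.append("ICMP packet")
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # excluded services are allowed in either direction (a DNS reply has sport 53)
        if sport not in EXCLUDED_PORTS and dport not in EXCLUDED_PORTS:
            alerts.append(f"UDP packet to port {dport}")
    elif proto == IPPROTO_TCP and len(payload) >= 14:
        _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x1FF       # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
        if not flags & TCP_ACK:
            alerts.append(f"TCP packet without ACK (flags=0x{flags:02x}) to port {dport}")
    return alerts


def build_ipv4(proto, src, dst, payload=b"", flags_frag=0, options=b""):
    """Assemble a minimal IPv4 packet for testing (checksum left zero; never sent)."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def build_tcp(sport, dport, flags):
    # 20-byte header: data offset 5 shares the 16-bit field with the flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def build_udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def sample_packets():
    """Constructed traffic, named by what it imitates (addresses are documentation ranges)."""
    echo = b"\x08\x00\x00\x00"                              # ICMP echo request stub
    rr = b"\x07\x07\x04\x00\x00\x00\x00"                    # record-route option, one slot
    return {
        "nmap_syn_scan":   build_ipv4(IPPROTO_TCP, "203.0.113.7", "192.0.2.10", build_tcp(40000, 80, 0x02)),
        "established_tcp": build_ipv4(IPPROTO_TCP, "203.0.113.7", "192.0.2.10", build_tcp(40000, 80, 0x18)),
        "nmap_frag_scan":  build_ipv4(IPPROTO_TCP, "203.0.113.7", "192.0.2.10", build_tcp(40000, 22, 0x02), flags_frag=IP_MF),
        "ping":            build_ipv4(IPPROTO_ICMP, "203.0.113.7", "192.0.2.10", echo),
        "broadcast_ping":  build_ipv4(IPPROTO_ICMP, "203.0.113.7", "192.0.2.255", echo),
        "dns_reply":       build_ipv4(IPPROTO_UDP, "203.0.113.53", "192.0.2.10", build_udp(53, 50000)),
        "udp_probe":       build_ipv4(IPPROTO_UDP, "203.0.113.7", "192.0.2.10", build_udp(50000, 31337)),
        "record_route":    build_ipv4(IPPROTO_ICMP, "203.0.113.7", "192.0.2.10", echo, options=rr),
        "other_network":   build_ipv4(IPPROTO_TCP, "203.0.113.7", "198.51.100.5", build_tcp(40000, 80, 0x02)),
    }


def scan(packets):
    """Map each packet name to its alerts; packets that raise nothing are left out."""
    return {name: classify(pkt) for name, pkt in packets.items() if classify(pkt)}


if __name__ == "__main__":
    for name, alerts in scan(sample_packets()).items():
        print(f"{name:16s} {'; '.join(alerts)}")
```

Two caveats a practitioner will hit immediately. The "TCP with no ACK" rule fires on every legitimate connection attempt, since a client's first SYN carries no ACK either, so on a busy network it needs the same kind of port filtering the post applies to UDP; and a probe deliberately built with the ACK bit set passes it. Fragment handling is the other edge: only the first fragment has a transport header, so later fragments are reported for fragmentation alone, which is exactly the condition a fragmenting scanner is trying to exploit against filters that look only at transport fields.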