WARNING: This information has not been updated since October, 1997!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEX ENTRY FOR COURTNEY:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Name: Courtney - Detects SATAN probes

Version: 1.3

Author(s): Marvin J. Christensen <mjchristensen@vnet.ibm.com>

Ftp source: ciac.llnl.gov:/pub/ciac/sectools/unix/courtney/

Description:

    Courtney monitors the network and identifies the source machines
    of SATAN probes/attacks. Courtney takes its input from tcpdump and
    counts the number of new service connections a machine originates
    within a certain time window. If one machine connects to numerous
    services within that time window, Courtney identifies that machine
    as a potential SATAN host.

    Courtney is based on the fingerprint of any scanner, including
    SATAN. Scanners probe every port, or at least the more common
    ports, attempting to gather information about what services the
    target machine offers. If one machine connects to numerous
    services within a brief time period, then that machine may be
    doing some sort of scanning. 

    -- Adapted from the 1.3 README file

Advertised architectures:

    Not stated, but should run wherever Perl 5 and tcpdump run.

Prerequisites: 

    Courtney requires that Perl v.5, libpcap, and tcpdump be installed.
    They are available via anonymous FTP at the following sites: 
 
    libpcap-0.0   ftp.ee.lbl.gov:/libpcap-0.0.tar.Z
    tcpdump-3.0   ftp.ee.lbl.gov:/tcpdump-3.0.tar.Z
    perl5         ftp.uu.net:/systems/gnu/perl5.001.tar.gz

    Note that all of these packages are included on the UNIX System
    Administration Handbook CD-ROM. libpcap is included in the tcpdump.tar
    wrapper file.