PortSentry is designed to detect and respond to port scans against a target host in real-time.
Compiled for BONE.
Don't run Snort and this app on the SAME PC.. They conflict. I have had it running on a PC where Snort is NOT running for a long time and it hasnt failed yet.
You'll have to play around with the conf file. I changed my 333.444.555.666 to 127.0.0.1 -blackhole .....but it's been fine so far. Email me if you need help.
Seems to work ok. Stealth detection (via UDP) is only enabled in Linux at the moment. Read all about PortSentry here.
I forgot to mention that you'll need to edit the /boot/home/config/etc/portsentry.conf file
Once you've opened it, do a search for BeOS and you'll get to here:
# KILL_ROUTE="/bin/route add $TARGET$ nm 255.255.255.255 gw 333.444.555.666 dev your_net_device"
#eg for my etherexpress:
KILL_ROUTE="/bin/route add $TARGET$ nm 255.255.255.255 gw 333.444.555.666 dev /dev/net/eepro100/0"
(if yours doesnt have the above just edit it)
Now you will have to add in your network card info. Mine is an intel etherexpress 100 so you can see where the info was in /dev/net. Change that to whatever yours is.
I have found a bug which surfaces when someone tries to connect to port 111 (the rstatd):
This is the output from Snort, and PortSentry crashes when this occurs:
[**] [1:583:1] RPC portmap request rstatd [**]
[Classification: Attempted Information Leak] [Priority: 3]
10/21-03:41:51.782423 126.96.36.199:3466 - 127.0.0.1:111
PROTO017 TTL:35 TOS:0x0 ID:23619 IpLen:20 DgmLen:84
[Xref = http://www.whitehats.com/info/IDS10]
It could be that the two products don't work together. I havent been able to test this as i have to get some tools so i can replicate this scan.
As usual i didn't write, just compiled it. For best results you probably want to get Logcheck from Psionic as well.
I have it working on BeOS and if i get enough requests i'll put it up here too.