xmasProtect - Script used for intercept attempts of port scanning by Xmas scan.
xmasProtect RANGE EVT_BOUND RED_BOUND FILE_IP_BLOCKED NOTIFY FILTER [FREQ_EMAIL]
It is used for intercept attempts of port scanning that use the tecnic XMAS Scan. The attacker must send many package TCP with purpose of obtain informations about ports. Each package has enabled only flags FIN, URG, PSH. When is reached a particular threshold fixed in the configuration, the source ip is blocked because it's responsable of port scanning.
It is the value, in seconds, of the temporal window to analyze. If N is the value of range, the temporal window to analyze is [ NOW - N , NOW ].
It's the maximun number of times that the found event can verifies inside of temporal window(RANGE). Source ip, findable on log file, is considered responsible. At the overcoming of threshold, depending on configuration, can block source ip or simply notify what is happened. If an ip is blocked, there is also a mark of the moment in which it happens with reference to universal time (UTC) in seconds.
It is the number of seconds in which an blocked ip can't communicate through machine where is installed the program. When the redemption's source is reached, blocked ip is unlocked. The overcoming is calculated in the following way:
IF ( NOW - BLOCKING_TIME > RED_BOUNG ) UNLOCK BLOCKED IP ELSE BLOCKED IP REMAINS BLOCKED
It is used to define a complete path to file, that contains informations about blocked ip.
There are 4 kinds of notific option: MAIL, LOG, ALL, NOTHING.
It specifics the policy to adopt considering ip detected. Options accepted are: DROP and NODROP.
It specifics the attendance of send of notifics mail in seconds. It's optional and subordinate at the presence of options MAIL or LOG.
It executes script using a range of 10 seconds, 5 maximun attempts in the temporal window, 7 seconds as redention's threshold. Ip_blocked_xmasprotect is the name of the file utilized, all is the notifics typology, drop is kind of filter, and 60 is mail's frequency.
Configuration's file of the application.
DateTime - Perl Library of cpan community
sharedTail, aLid, aLid.conf
Andrea Martire (email@example.com)
Copyright © 2010 Andrea Martire <firstname.lastname@example.org>. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.