Name: Courtney
Date: 3/31/95
Version: 1.2

Description:

Monitors the network and identifies the source machines of SATAN probes/attacks. Courtney receives input from tcpdump, counting the number of new services a machine originates within a certain time window. If one machine connects to numerous services within that time window, Courtney identifies that machine as a potential SATAN host.

Requirements:

Courtney requires that Perl v5, libpcap, and tcpdump be installed. They are available via anonymous FTP at the following sites:

    libpcap-0.0   ftp.ee.lbl.gov:/libpcap-0.0.tar.Z
    tcpdump-3.0   ftp.ee.lbl.gov:/tcpdump-3.0.tar.Z
    perl5         ftp.uu.net:/systems/gnu/perl5.001.tar.gz

Courtney configuration variables:

    $UPDATE_INTERVAL   Specifies the time, in minutes, between updates of the host information.
    $OLD_AGE           When updating host information, removes host entries whose timestamps are older than $OLD_AGE.
    $HIGH_THRESHOLD    The number of services a single system must reach before it is considered the source of a HEAVY_ATTACK.
    $LOW_THRESHOLD     The number of services a single system must reach before it is considered the source of a NORMAL_ATTACK.
    $DEBUG             Prints verbose debugging output.
    $MONITOR           Prints only the per-host service count. Used for watching hosts and activity.
    $SYSLOG            Log attack warnings via syslog (default).
    $SCREEN            Log attack warnings to stdout.

Design:

Courtney is based on the fingerprint of any scanner, including SATAN. Scanners probe every port, or at least the more common ports, attempting to gather information about what services the target machine offers. If one machine connects to numerous services within a brief time period, that machine may be doing some sort of scanning.

Limitations:

Since Courtney's input comes from tcpdump, the tcpdump filter must match the set of services Courtney expects to see. Thirty services are monitored; to add or remove one, edit Courtney's Perl script where the tcpdump filter lines are located.

When monitoring busy networks or monitoring on a slower system, the kernel may drop some network traffic before tcpdump sees it. This can cause Courtney to fail to detect some attacks.

tcpdump and the logger program must be in the ENV{'PATH'} listing at the top of the courtney.pl script for the script to operate properly.
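The following is an added illustration of the detection design described above (distinct destination services per source host within a time window, with $LOW_THRESHOLD / $HIGH_THRESHOLD and $OLD_AGE / $UPDATE_INTERVAL expiry). It is not Courtney's own code, which is a Perl script; it is a Python reimplementation written for this page. The tcpdump line format, the list of services, the threshold and interval values, and the sample traffic are all constructed assumptions; the page does not give Courtney's actual 30-service list or default thresholds. The third constructed host shows the window caveat: a scanner that spreads its probes over a period longer than $OLD_AGE is never counted past the threshold.

```python
import re
from collections import defaultdict

# Assumed configuration (seconds); Courtney's real defaults are not stated on the page.
UPDATE_INTERVAL = 60          # how often stale host entries are purged
OLD_AGE = 3 * 60              # service entries older than this are dropped at purge time
LOW_THRESHOLD = 5             # distinct services -> NORMAL_ATTACK
HIGH_THRESHOLD = 10           # distinct services -> HEAVY_ATTACK

# Assumed tcpdump-style line: "HH:MM:SS.ffffff srchost.sport > dsthost.service: S ..."
# Only SYN ("S") packets are counted, i.e. new connections originated by the source host.
LINE_RE = re.compile(
    r'^(\d\d):(\d\d):(\d\d)\.(\d+)\s+(\S+)\.(\w+)\s+>\s+(\S+)\.(\w+):\s+S\b')


def parse_line(line):
    """Return (timestamp_seconds, src_host, dst_host, dst_service), or None if not a SYN line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, frac = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    ts = h * 3600 + mi * 60 + s + float('0.' + frac)
    return ts, m.group(5), m.group(7), m.group(8)


class CourtneyMonitor:
    """Per-source-host table of distinct destination services, purged every update_interval."""

    def __init__(self, low=LOW_THRESHOLD, high=HIGH_THRESHOLD,
                 old_age=OLD_AGE, update_interval=UPDATE_INTERVAL):
        self.low, self.high = low, high
        self.old_age, self.update_interval = old_age, update_interval
        self.hosts = defaultdict(dict)    # src_host -> {service: last_seen_ts}
        self.last_update = None

    def expire(self, now):
        """Drop service entries older than old_age, then hosts left with no entries ($OLD_AGE)."""
        for host in list(self.hosts):
            svcs = self.hosts[host]
            for svc, ts in list(svcs.items()):
                if now - ts > self.old_age:
                    del svcs[svc]
            if not svcs:
                del self.hosts[host]

    def feed(self, line):
        """Process one tcpdump line; return (src_host, level) when a threshold is reached, else None."""
        rec = parse_line(line)
        if rec is None:
            return None
        ts, src, _dst, svc = rec
        if self.last_update is None or ts - self.last_update >= self.update_interval:
            self.expire(ts)                       # the periodic $UPDATE_INTERVAL pass
            self.last_update = ts
        self.hosts[src][svc] = ts
        n = len(self.hosts[src])
        if n >= self.high:
            return src, 'HEAVY_ATTACK'
        if n >= self.low:
            return src, 'NORMAL_ATTACK'
        return None

    def service_count(self, host):
        return len(self.hosts.get(host, {}))


def scan(lines, **kw):
    """Run the monitor over lines; return the highest level reached for each flagged source host."""
    mon = CourtneyMonitor(**kw)
    rank = {None: 0, 'NORMAL_ATTACK': 1, 'HEAVY_ATTACK': 2}
    alerts = {}
    for line in lines:
        hit = mon.feed(line)
        if hit and rank[hit[1]] > rank[alerts.get(hit[0])]:
            alerts[hit[0]] = hit[1]
    return alerts


# Constructed sample traffic (not a real capture), in time order.
SERVICES = ['ftp', 'telnet', 'smtp', 'domain', 'finger', 'http',
            'pop3', 'sunrpc', 'nntp', 'login', 'shell', 'printer']


def _line(t, src, sport, dst, svc):
    return f'{t} {src}.{sport} > {dst}.{svc}: S 1:1(0) win 512'


SAMPLE_LINES = (
    # fast scanner: 12 distinct services within a few seconds
    [_line(f'10:00:{i:02d}.000000', '10.0.0.5', 1025 + i, '10.0.0.9', s)
     for i, s in enumerate(SERVICES)]
    # ordinary client: three services, plus a non-SYN reply line that is ignored
    + [_line('10:00:20.000000', '10.0.0.7', 2001, '10.0.0.9', 'smtp'),
       _line('10:00:21.000000', '10.0.0.7', 2002, '10.0.0.9', 'http'),
       _line('10:00:22.000000', '10.0.0.7', 2003, '10.0.0.9', 'ftp'),
       '10:00:22.500000 10.0.0.9.http > 10.0.0.7.2002: . ack 1 win 4096']
    # slow scanner: 4 services, then 4 more after OLD_AGE has elapsed
    + [_line(f'10:01:{i:02d}.000000', '10.0.0.8', 3001 + i, '10.0.0.9', s)
       for i, s in enumerate(SERVICES[:4])]
    + [_line(f'10:10:{i:02d}.000000', '10.0.0.8', 3101 + i, '10.0.0.9', s)
       for i, s in enumerate(SERVICES[4:8])]
)

if __name__ == '__main__':
    for host, level in scan(SAMPLE_LINES).items():
        print(f'{host}: {level}')
```

With the assumed thresholds, only 10.0.0.5 is reported (as HEAVY_ATTACK); 10.0.0.8 stays below $LOW_THRESHOLD because its first four entries have been purged by the time the next four arrive. Raising old_age to 15 minutes makes the same traffic report 10.0.0.8 as a NORMAL_ATTACK, which is the trade-off the $OLD_AGE setting controls.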