scanlogd - detects and logs TCP port scans
scanlogd detects port scans and writes one line per scan via the
syslog(3) mechanism. If a source address sends multiple packets to
different ports in a short time, the event will be logged. The format
of the messages is:
saddr[:sport] to daddr [and others,] ports port[, port...], ...,
flags[, TOS TOS][, TTL TTL] @HH:MM:SS
The fields in square brackets are optional; sport, TOS, and TTL will
only be displayed if they were constant during the scan.
The flags field represents TCP control bits seen in packets coming to
the system from the address of the scan. It is a combination of eight
characters, with each corresponding to one of the six defined and two
reserved TCP control bits (see RFC 793). Control bits that were always
set are encoded with an uppercase letter, and a lowercase letter is
used if the bit was always clear. A question mark is used to indicate
bits that changed from packet to packet.
In order to do its job, scanlogd needs a way to obtain raw IP packets
that either come to the system scanlogd is running on, or travel across
a network segment that is directly connected to the system. Current
versions of scanlogd can be built with support for one of several
packet capture interfaces.
scanlogd is aware of the raw socket interface on Linux, libnids, and
The use of libpcap alone is discouraged. If you’re on a system other
than Linux and/or want to monitor the traffic of an entire network at
once, you should be using libnids in order to handle fragmented IP
At least 7 different privileged or 21 non-privileged ports, or a
weighted combination of those, have to be accessed with no longer than
3 seconds between the accesses to be treated as a scan. If more than 5
scans are detected within 20 seconds, that event will be logged and
logging will be stopped temporarily.
Logging is done with a facility of daemon and a priority level alert.
scanlogd should be started as root since it needs access to a packet
capture interface. By default, it chroots to /var/empty and switches
to running as user scanlogd after the packet capture interface is
If the daemon couldn’t start up successfully, it will exit with a
status of 1.
You’re expected to create a dummy user for scanlogd to run as. Make
sure you allocate unique UID and GID to the user.
In most cases, scanlogd should be started from a rc.d script on system
In /etc/syslog.conf you may use something like:
As the name indicates, scanlogd only logs port scans. It does not
prevent them. You will only receive summarized information in the
Obviously, the source address of port scans can be spoofed. Don’t take
any action against the source of attacks unless other evidence is
available. Sometimes IP addresses are shared between many people; this
is the case for ISP shell servers, dynamic dialup pools, and corporate
networks behind NAT (masquerading).
Due to the nature of port scans, both false positives (detecting a scan
when there isn’t one) and false negatives (not detecting a scan when
there’s one) are possible. In particular, false positives occur when
many small files are transferred rapidly with passive mode FTP.
Solar Designer <solar at openwall.com>
Steffen Dettmer <steffen at dett.de> wrote the initial version of this
syslog(3), syslog.conf(5), libnids(3), pcap(3)
scanlogd home page: http://www.openwall.com/scanlogd/
Phrack Magazine, issue 53, article 13