scanlogd icon indicating copy to clipboard operation
scanlogd copied to clipboard
verified publisher icon openwall

Consider changes from janw-cz's and iglov's forks

Open solardiz opened this issue 4 years ago • 4 comments

https://github.com/janw-cz/scanlogd and its further fork https://github.com/iglov/scanlogd include significant changes, the rationale for some of which is unfortunately not explained - e.g., a commit message says "Fixed libpcap support", but it's never explained what was wrong with said support - it certainly works for some as-is, without those changes. @janw-cz and @iglov could want to send properly separated and reasoned PRs in here, or/and explain the changes in here.

solardiz avatar Sep 30 '21 18:09 solardiz

Hey, @solardiz ! Sorry for a long time answer. Yep, as you can see i forked @janw-cz , just cuz there commits is newer. I have no idea what the "Fixed libpcap support" is :) And in my changes, i just added scanlogd.service and changed spec file to build scanlogd with libnids by default. So, I dont think my changes is useful and you don't need my changes in master branch :)

iglov avatar Oct 01 '21 17:10 iglov

Hi @solardiz,

I apologise for not being much descriptive in my commit comments.

I wanted to capture packets on all interfaces with libpcap. So I set the DEVICE to "any".

With the "any" device setting, the libpcap adds two bytes before the packet data to indicate interface number from which is the packet captured. I am not sure if this has changed with libpcap versions. I have Debian Bullseye (libpcap0.8 1.10.0-2) on ARM64.

With those two additional bytes, the packet was not parsed correctly and scanlogd did not work at all with libpcap and "any" device setting.

Other changes are:

  • a bugfix which is almost identical with the last commit in your repository (missing break statements inside case statement)
  • remains of my experiments when I was figuring out why does the capture work with one interface, but not with "any" (I should probably remove these changes): Replacing pcap_next with pcap_next_ex Changing the libpcap filter to pass only packets with SYN flag set.
  • I have enabled promiscuous mode, but now I believe that this is not necessary

I had thoughts about adding IPv6 support to scanlogd, so I have not invested my effort into libnids which does not support IPv6. (and is also not maintained for a long time)

BTW: I think that @iglov has improved integration of scanlogd with systemd, which is very nice, but I have not tested his changes yet.

I can cleanup and polish my changes and commit them into another repository for the pull request. My current fork is definitely not in a shape for a proper pull request, I just wanted to discuss if my changes could ever be pulled into the main scanlogd branch.

janw-cz avatar Oct 01 '21 20:10 janw-cz

That being said, I am very happy with scanlogd. I have not yet found any other port scan detection tool, which would detect SYN scan (nmap -sS). On the other hand, I am quite surprised, that scanlogd has not received much attention and popularity among the Linux community.

janw-cz avatar Oct 01 '21 20:10 janw-cz

I have made a clean clone of the openwall/scanlogd git and applied the fix for libpcap with "any" device setting. I have created a pull request with this change. During this process I have deleted my old fork, so @iglov fork lost its connection to my previous git clone.

janw-cz avatar Oct 10 '21 07:10 janw-cz