Scanlogd should be what you are looking for. However, it is TCP-oriented.
scanlogd detects port scans and writes one line per scan via the
syslog(3) mechanism. If a source address sends multiple packets to
different ports in a short time, the event will be logged.
For most Nmap scans, Snort and p0f are both capable IDSs. How to detect NMAP scanning using Snort is a guide on configuring Snort to detect: nmap -sP -p 22 192.168.1.105
among other scans.
Ping Scan [-sP] This scan type lists the hosts within the specified
range that responded to a ping. It allows you to detect which
computers are online, rather than which ports are open. Four methods
exist within Nmap for ping sweeping.
The first method sends an ICMP ECHO REQUEST (ping request) packet to
the destination system. If an ICMP ECHO REPLY is received, the system
is up, and ICMP packets are not blocked. If there is no response to
the ICMP ping, Nmap will try a "TCP Ping", to determine whether ICMP
is blocked, or if the host is really not online.
A TCP Ping sends either a SYN or an ACK packet to any port (80 is the
default) on the remote system. If RST, or a SYN/ACK, is returned, then
the remote system is online. If the remote system does not respond,
either it is offline, or the chosen port is filtered, and thus not
responding to anything.
When you run an Nmap ping scan as root, the default is to use the ICMP
and ACK methods. Non-root users will use the connect() method, which
attempts to connect to a machine, waiting for a response, and tearing
down the connection as soon as it has been established (similar to the
SYN/ACK method for root users, but this one establishes a full TCP
connection!)
The ICMP scan type can be disabled by setting -P0 (that is, zero, not
uppercase o).
Source
What is the most effective way to detect nmap scans discusses this further.
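The scanlogd rule quoted above ("multiple packets to different ports in a short time") and the ping-sweep behaviour described for -sP can both be expressed as a sliding-window count of distinct targets per source. The following is an added example written for this answer; it is not scanlogd's or Snort's code. It assumes the traffic has already been reduced to one tuple per packet (timestamp, source, destination, protocol, destination port), as you would get from a pcap or firewall log, and the sample records and thresholds are constructed for illustration. It generalises the text slightly: the host-sweep detector counts distinct destination hosts regardless of protocol, so it covers both the ICMP echo method and the TCP-ping (SYN/ACK to port 80) method described above.

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, proto, dst_port).
SAMPLE_PACKETS = [
    # 10.0.0.5 probes six TCP ports on one host within 0.25 s: a port scan.
    (100.00, "10.0.0.5", "192.168.1.105", "tcp", 22),
    (100.05, "10.0.0.5", "192.168.1.105", "tcp", 80),
    (100.10, "10.0.0.5", "192.168.1.105", "tcp", 443),
    (100.15, "10.0.0.5", "192.168.1.105", "tcp", 8080),
    (100.20, "10.0.0.5", "192.168.1.105", "tcp", 3306),
    (100.25, "10.0.0.5", "192.168.1.105", "tcp", 21),
    # 10.0.0.9 sends ICMP echo requests to five hosts within 1 s: a ping sweep.
    (200.0, "10.0.0.9", "192.168.1.101", "icmp", None),
    (200.2, "10.0.0.9", "192.168.1.102", "icmp", None),
    (200.4, "10.0.0.9", "192.168.1.103", "icmp", None),
    (200.6, "10.0.0.9", "192.168.1.104", "icmp", None),
    (200.8, "10.0.0.9", "192.168.1.105", "icmp", None),
    # 10.0.0.20 is an ordinary client: few ports, few hosts, spread over time.
    (300.0, "10.0.0.20", "192.168.1.105", "tcp", 443),
    (305.0, "10.0.0.20", "192.168.1.105", "tcp", 443),
    (400.0, "10.0.0.20", "192.168.1.105", "tcp", 22),
    (900.0, "10.0.0.20", "192.168.1.101", "tcp", 443),
]


def _first_burst(events, threshold, window_s):
    """events: list of (timestamp, key). Slide a window of window_s seconds over
    the events in time order; as soon as one window holds at least `threshold`
    distinct keys, return (window_start, sorted keys in that window), else None."""
    events = sorted(events)
    counts = defaultdict(int)
    left = 0
    for ts, key in events:
        counts[key] += 1
        # Evict events that fell out of the window ending at ts.
        while events[left][0] < ts - window_s:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) >= threshold:
            start = events[left][0]
            keys = {k for t, k in events if start <= t <= start + window_s}
            return start, sorted(keys)
    return None


def detect_port_scans(packets, min_ports=4, window_s=1.0):
    """scanlogd-style rule: one source hitting >= min_ports distinct TCP ports
    on one destination within window_s seconds. Thresholds are illustrative.
    Returns {(src, dst): (window_start, [ports])}."""
    per_pair = defaultdict(list)
    for ts, src, dst, proto, port in packets:
        if proto == "tcp" and port is not None:
            per_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, events in per_pair.items():
        hit = _first_burst(events, min_ports, window_s)
        if hit:
            alerts[pair] = hit
    return alerts


def detect_host_sweeps(packets, min_hosts=4, window_s=2.0):
    """Ping-sweep rule: one source reaching >= min_hosts distinct destination
    hosts within window_s seconds, whatever the probe (ICMP echo or TCP ping).
    Returns {src: (window_start, [hosts])}."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, port in packets:
        per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        hit = _first_burst(events, min_hosts, window_s)
        if hit:
            alerts[src] = hit
    return alerts


if __name__ == "__main__":
    for (src, dst), (start, ports) in detect_port_scans(SAMPLE_PACKETS).items():
        print(f"port scan from {src} against {dst} at t={start}: ports {ports}")
    for src, (start, hosts) in detect_host_sweeps(SAMPLE_PACKETS).items():
        print(f"host sweep from {src} at t={start}: hosts {hosts}")
```

On the sample data the port-scan rule fires once (10.0.0.5 against 192.168.1.105, six ports) and the sweep rule once (10.0.0.9, five hosts), while the ordinary client trips neither. In practice the thresholds and windows need tuning to the network, since slow scans spread below the window go unnoticed, which is the same trade-off scanlogd and Snort's scan preprocessors make.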