Courtney

Note the courtney.pl shell script expects perl to reside in /bin and that tcpdump is in your PATH. Edit courtney.pl as necessary.

Name: Courtney

Date: 4/07/95 Version: 1.3

Description:

Monitors the network and identifies the source machines of SATAN probes/attacks. Courtney receives input from tcpdump counting the number of new services a machine originates within a certain time window. If one machine connects to numerous services within that time window, courtney identifies that machine as a potential SATAN host.

Requirements:

Courtney requires that Perl v.5, libpcap, and tcpdump be installed. They are available via anonymous FTP at the following sites:

 
   libpcap-0.0   ftp.ee.lbl.gov:/libpcap-0.0.tar.Z
   tcpdump-3.0   ../tcpdump-3.0.4 on this distribution
   perl5         ../../inst/perl on this distribution
 

Courtney configuration variables:
 
  $UPDATE_INTERVAL
     Specifies the time, in minutes, to update the host information.
  $OLD_AGE
     When updating host information, gets rid of host entries that
     have timestamps older that OLD_AGE.
  $HIGH_THRESHOLD
     What number of services a single system must achieve before it
     is considered the source of a HEAVY_ATTACK
  $LOW_THRESHOLD
     What number of services a single system must achieve before it
     is considered the source of a NORMAL_ATTACK

Command line options:

  [-i ]  
     Change default interface for tcpdump.
  [-d]              
     Turn debug on, this is major verbose.
  [-l]              
     Turn syslog logging off. Default is to output alerts
     to syslog via logger.
  [-s]              
     Turn screen output on. Prints the same information that
     is sent to syslog is also printed on the screen.
  [-c]              
      Show the hostname that has initiated connections. This
      option is good for watching the network. Does not require
      the -s option.
  [-m <address>]    
      Enables email and mails alerts to user@host. The subject 
      line contains the same information that syslog records.
  [-h]              
      Print command line options.

Design:

Courtney is based on the fingerprint of any scanner, including SATAN. Scanners probe every port, or at least the more common ports, attempting to gather information about what services the target machine offers. If one machine connects to numerous services within a brief time period, then that machine may be doing some sort of scanning.

Limitations:

Since courtney's input is from tcpdump, the filter for tcpdump must coincide with courtney. There are 30 services that are being monitored, if you wish to remove or add one, you must make changes to courtney's perl script where the tcpdump filter lines are located.

When monitoring busy networks or monitoring on a slower system, some network traffic may be missed by the kernel. This has the potential to cause courtney to fail to detect some attacks.

tcpdump and the logger program must be in the ENV{'PATH'} listing at the top of the courtney.pl script for this script to operate properly.

Email uses the "Mail" command which must be in the ENV{'PATH'} listing and must also support the -s (subject) option.

For OSF/1 DIGITAL UNIX systems, tcpdump has some problems. Read the INSTALL file for details.

Legal Stuff

THIS SOFTWARE IS PROVIDED BY THE THE SANTA CRUZ OPERATION ("SCO") ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SCO BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

- THE END -