DoS Detector


DoSDetector analyzes traffic, detects suspicious traffic coming from an IP address and alerts about it.
It can detect worm traffic, SYN floods, ICMP floods, UDP floods, etc.
It is configurable via a set of rules; every rule that matches a packet assigns some points to the source IP.
When an IP exceeds the points limit, dosdetector prints a warning.
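The scoring scheme described above, as an added example in Python that is not dosdetector's own code: each matching rule adds points to the source IP, and IPs above the limit are reported. The rules, point values, sample packets and the reading of the -C and -p options as network filters are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# RFC 1918 "private network classes" (assumed reading of the -p option)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str            # source IP
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 for icmp)
    syn: bool = False   # TCP SYN flag set

# Constructed rules: (name, predicate, points). Point values are illustrative,
# not dosdetector's; a packet may match several rules and earns their sum.
RULES = [
    ("syn_flood",  lambda p: p.proto == "tcp" and p.syn, 1),
    ("spida_1433", lambda p: p.proto == "tcp" and p.syn and p.dport == 1433, 5),
    ("sql_3306",   lambda p: p.proto == "tcp" and p.syn and p.dport == 3306, 5),
    ("icmp_flood", lambda p: p.proto == "icmp", 2),
    ("udp_flood",  lambda p: p.proto == "udp", 1),
]

def score_packets(packets, limit, only_net=None, private_only=False):
    """Return (scores, alerts): points per source IP and the IPs over `limit`."""
    scores = defaultdict(int)
    net = ipaddress.ip_network(only_net) if only_net else None
    for p in packets:
        ip = ipaddress.ip_address(p.src)
        if net is not None and ip not in net:                        # like -C net/mask
            continue
        if private_only and not any(ip in n for n in PRIVATE_NETS):  # like -p
            continue
        for _name, match, points in RULES:
            if match(p):
                scores[p.src] += points
    alerts = sorted(ip for ip, s in scores.items() if s > limit)
    return dict(scores), alerts

# Constructed sample traffic: SYN burst at MS SQL, ICMP burst, some UDP, one web SYN
SAMPLE = ([Packet("10.0.0.5", "tcp", 1433, syn=True)] * 4
          + [Packet("10.0.0.7", "icmp")] * 3
          + [Packet("203.0.113.9", "udp", 53)] * 2
          + [Packet("10.0.0.8", "tcp", 80, syn=True)])

if __name__ == "__main__":
    scores, alerts = score_packets(SAMPLE, limit=10)
    for ip in alerts:
        print(f"WARNING {ip} score={scores[ip]}")   # prints: WARNING 10.0.0.5 score=24
```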

Authors:

Krzysztof Pawlowski - Author & Developer
Bartosz Ponurkiewicz - Developer

Sources:

dosdetector-20050605.tar.gz   162690 bytes   June 05 2005 23:58:38      Downloads: 991
dosdetector-20050612.tar.gz   162792 bytes   June 12 2005 02:25:11      Downloads: 693
dosdetector-20050616.tar.gz   162903 bytes   June 16 2005 20:09:04      Downloads: 817
dosdetector-20050701.tar.gz   163526 bytes   July 01 2005 08:44:31      Downloads: 850
dosdetector-20050709.tar.gz   164140 bytes   July 09 2005 15:40:24      Downloads:
dosdetector-20050711.tar.gz   164157 bytes   July 11 2005 08:41:02      Downloads:
dosdetector-20060101.tar.gz   164422 bytes   January 01 2006 17:46:40   Downloads:
dosdetector-20060103.tar.gz   164440 bytes   January 03 2006 14:51:48   Downloads:
dosdetector-20060203.tar.gz   164540 bytes   February 03 2006 13:38:45  Downloads:
dosdetector-20060621.tar.gz   164768 bytes   June 21 2006 10:33:44      Downloads:
dosdetector-current.tar.gz    164768 bytes   June 20 2006 13:49:48      Downloads: 2403

ChangeLog:

version current (20/06/2006):
* Fix ipfilter redirector rules
* Basic detection of mail worms and viruses
* Add support for generating firewall rules to block traffic from an infected host
* Change ipnat redirector target to ipfilter
* Fix random behaviour of the -T option ( timeout )
* Add check that an incoming packet is not from our own IP
* Fixed rule matching when the device is ppp
* Added verbose mode ( -v option )
* Add redirector output ( -R and -o options )
* Fix -T option when a time is given without a suffix
* Detect Skydance Trojan V2.x
* Add quiet mode: print only critical IPs, without the score
* Fix compilation on the FreeBSD sparc architecture
* -C (net/mask) - count points only for IPs from this network
* -p - count points only for IPs from private network classes
* Detect Spida worm ( SYN flood on port 1433 )
* Detect sql worm ( SYN flood on port 3306 )
* -T - exit after the given number of seconds
* -P - exit after receiving the given number of packets
* Optimization of tree normalization routines; performance greatly increased
* Fix broken netmask code in get_ip()
* Compile on FreeBSD
* First working version

TODO:

If you have ideas or feature requests, don't hesitate to contact me:
msciciel@darkzone.ma.cx
or the second developer:
cz00bek@wp.pl
If you find bugs, we will also be grateful if you inform us about them :).