Name: Courtney
 
Date: 3/31/95
Version: 1.2
 
Description:
 
Monitors the network and identifies the source machines of SATAN
probes/attacks. Courtney receives input from tcpdump counting the
number of new services a machine originates within a certain time
window. If one machine connects to numerous services within that
time window, courtney identifies that machine as a potential SATAN
host.

 
Requirements:
 
Courtney requires that Perl v.5, libpcap, and tcpdump be installed. 
They are available via anonymous FTP at the following sites:
 
   libpcap-0.0   ftp.ee.lbl.gov:/libpcap-0.0.tar.Z
   tcpdump-3.0   ftp.ee.lbl.gov:/tcpdump-3.0.tar.Z
   perl5         ftp.uu.net:/systems/gnu/perl5.001.tar.gz
 

Courtney configuration variables:
 
  $UPDATE_INTERVAL
     Specifies the time, in minutes, to update the host information.
  $OLD_AGE
     When updating host information, gets rid of host entries that
     have timestamps older that OLD_AGE.
  $HIGH_THRESHOLD
     What number of services a single system must achieve before it
     is considered the source of a HEAVY_ATTACK
  $LOW_THRESHOLD
     What number of services a single system must achieve before it
     is considered the source of a NORMAL_ATTACK
  $DEBUG
     Prints a bunch of stuff.
  $MONITOR
     Only prints out the host count. Used for watching the hosts and
     activity.
  $SYSLOG
     Log attack warnings via syslog (default).
  $SCREEN
     Log attack warnings to stdout.

 
Design:
 
Courtney is based on the fingerprint of any scanner, including SATAN.
Scanners probe every port, or at least the more common ports,
attempting to gather information about what services the target
machine offers. If one machine connects to numerous services within a
brief time period, then that machine may be doing some sort of scanning.

 
Limitations:
 
Since courtney's input is from tcpdump, the filter for tcpdump must
coincide with courtney. There are 30 services that are being
monitored, if you wish to remove or add one, you must make changes to 
courtney's perl script where the tcpdump filter lines are located.

When monitoring busy networks or monitoring on a slower system, some
network traffic may be missed by the kernel.  This has the potential
to cause courtney to fail to detect some attacks.

tcpdump and the logger program must be in the ENV{'PATH'} listing at the
top of the courtney.pl script for this script to operate properly.
