BACKGROUND:

This program will catch port scanners that use SYN, FIN, ACK, (whatever)
probes without actually opening up a connection. It obsoletes the old
klaxon.  In a hub/shared environment, you only need one tocsin process per
subnet. In a switched environment, you will benefit by having it
scattered across a few random machines. Assuming you run it on a shared
subnet, it will catch probes on any machine on that subnet. If your
machine has multiple interfaces, it will default to the first non-loopback
interface on your machine (typically hme0), but you can change this with
the -i option.

ETYMOLOGY: tocsin is a bell or group of bells rung in alarm

Compiling Options:
	None to speak of anymore. There used to be some. They're integrated
	as flags now.

INSTALLATION:

Installs with no modifications on Solaris systems.
It used to work fine on SunOS4 machines too, but I haven't tested
it there recently. It should still work though.
Change CC=cc in the Makefile if you want to use the gcc compiler.

RUNNING:

After building the binary, run it followed by the list of TCP
services that you want to watch for scans. Normally these would be services
< 32768, as services greater than this may intrude on dynamically
allocated ports that clients use and may trigger false alarms. It
will automatically detach itself and run in the background unless run
with the -d flag.

options:
-d               dump packets in hex (debug mode)
-h               this message
-i  <interface>  (header stuff is only correct for ethernet type networks
                  at the moment. qe, hme, le, ie, should all work)
-o  <outfile>    log all packets to output file in snoop v2 format
-I               Invert the filter rule (all ports EXCEPT ....)
-T               Only show TCP scans. Ignore UDP, etc.
-O               Show other things with IP_OPTIONS set in packet too
-D               Only show things to this destination network.
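
To make the filtering step concrete, here is an added example (not tocsin's
own source) of what a passive detector does with each captured frame: parse
the Ethernet/IPv4/TCP headers by hand, read the TCP flag byte, and report the
packet if its destination port is on the watch list, or, with an invert
switch like -I, if it is not. The watch list and the frame are constructed.

```c
/* Added example, not tocsin's own source: the per-frame matching step a
 * passive scan detector performs. It parses Ethernet/IPv4/TCP by hand and
 * reports whether the destination port is on the watch list, honouring an
 * invert switch like tocsin's -I. Watch list and frame are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

static const uint16_t WATCH[] = { 23, 25, 88, 95 };   /* constructed list */
#define NWATCH (sizeof WATCH / sizeof WATCH[0])

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Returns 1 if the frame should be reported, 0 if not, -1 if it is not a
 * parseable IPv4/TCP frame. *dport gets the TCP destination port and
 * *flags the TCP flag byte (FIN=0x01, SYN=0x02, ACK=0x10). */
int tocsin_match(const uint8_t *frame, size_t len, int invert,
                 uint16_t *dport, uint8_t *flags)
{
    if (len < 14 + 20 || be16(frame + 12) != 0x0800) return -1; /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;         /* IP options widen this */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;  /* not TCP */
    if (len < 14 + ihl + 20) return -1;
    const uint8_t *tcp = ip + ihl;
    *dport = be16(tcp + 2);
    *flags = tcp[13];
    int listed = 0;
    for (size_t i = 0; i < NWATCH; i++)
        if (WATCH[i] == *dport) listed = 1;
    return invert ? !listed : listed;                /* -I: everything else */
}

/* Constructed frame: Ethernet + 20-byte IPv4 + 20-byte TCP SYN to port 95
 * (supdup) from ephemeral port 50000; no connection is ever completed. */
static const uint8_t SYN_TO_SUPDUP[54] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,           /* dst MAC, src MAC, type */
    0x45,0x00,0x00,0x28, 0,0,0,0, 0x40,0x06,0,0,   /* v4 ihl=5, ttl, proto=TCP */
    10,0,0,9, 10,0,0,1,                            /* src IP, dst IP */
    0xc3,0x50, 0x00,0x5f, 0,0,0,0, 0,0,0,0,        /* sport 50000, dport 95 */
    0x50,0x02, 0x20,0x00, 0,0, 0,0 };              /* doff=5, flags=SYN */

int main(void)
{
    uint16_t dport; uint8_t flags;
    int r = tocsin_match(SYN_TO_SUPDUP, sizeof SYN_TO_SUPDUP, 0, &dport, &flags);
    printf("report=%d dport=%u flags=0x%02x\n", r, dport, flags); /* report=1 dport=95 flags=0x02 */
    return 0;
}
```

Because the match happens on the sniffed frame alone, a lone SYN, FIN or ACK
to a watched port is reported whether or not the target ever answers, which
is why the tool sees half-open and stealth probes that never show up in
connection logs.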

CAVEATS:
Using too many services may impose a performance penalty.

NOTES: 

It 'appears' that SunOS4 is limited to 7 services or less. More than
this number will cause an error: "pushing packet filter: Invalid argument"

I have not yet encountered a limit on Solaris, but my typical usage has
not included that many ports so I have not pushed the envelope.

IP_OPTIONS processing has limited support. If the packet contains any
IP_OPTIONS at all (regardless of port) it will be flagged.
(You still get to see normal probes with IP options set.)


Example:
/path/to/tocsin courier rje supdup link 33 99 kdc psadmin pewprod

Availability:
the primary sites for this package are:
ftp.eng.auburn.edu:pub/doug/tocsin.tar.gz
http://www.eng.auburn.edu/users/doug/second.html
http://www.cs.purdue.edu/coast (Netscape enhanced)

ACKNOWLEDGEMENTS

A great deal of thanks to Sean Boran (sean@boran.com) for help testing
on various Solaris platforms and for compiling and testing the x86 port for
me, as well as numerous suggestions and improvements along the way.

Also thanks to the people at secure-sol@parc.xerox.com for other suggestions.
