Background:

    This program will catch port scanners that use SYN probes without
    actually opening up a connection. It works as a good supplement to
    klaxon. You only need 1 tocsin process per subnet. Assuming you run
    it on a shared subnet, it will catch probes on any machine on that
    subnet. If your machine has multiple subnets, it will default to le0,
    but you can change that with the -i option.

Etymology:

    tocsin is a bell or group of bells rung in alarm

Compiling Options:

    -DTCP_ONLY        uncomment this in Makefile if you want to see only
                      TCP packets
    -DSYN_ONLY        may be used in combination either/or with TCP_ONLY.
                      Only shows SYN probes. Not very useful on non-IP
                      packets.
    -DNO_IP_OPTIONS   do not flag packets with IP_OPTIONS set in header
    -DDEST_ONLY       only show packets to this local subnet

Installation:

    Installs with no modifications on Solaris and SunOS systems. Tested
    on 4.1.3_U1B and Solaris 2.5/2.4. Requires an ANSI C compiler.
    Change CC=cc in Makefile if you want to use the gcc compiler.

Running:

    After building the binary, run it followed by the list of TCP
    services that you want to watch for scans. These should be services
    < 1024 or 512, as services greater than this may intrude on
    dynamically allocated ports that clients use and may trigger false
    alarms. It will automatically detach itself and run in the
    background.

    options:
        -d               dump packets in hex (debug mode)
        -h               this message
        -i <interface>   (header stuff is only correct for ethernet type
                         networks at the moment. qe, hme, le, ie, should
                         all work)
        -o <file>        log all packets to output file in snoop v2
                         format

    Using too many services may impose a performance penalty. 8 or fewer
    should suffice to catch a port scanner in any event. All services are
    installed using the pfmod/nit_pf facility of the kernels for Solaris
    and SunOS respectively. The more services you add, the more of your
    CPU time this process will use.

NOTES:

    It 'appears' that SunOS is limited to 7 services or fewer. More than
    this number will cause an error:

        pushing packet filter: Invalid argument

    IP_OPTIONS processing has limited support. If the packet contains any
    IP_OPTIONS at all (regardless of port) it will be flagged. You can
    disable this with -DNO_IP_OPTIONS in the Makefile (you'll see it).
    (You still get to see normal probes with options set; you just don't
    get every packet that has options set.) It will only display the
    first IP_OPTION. Getting all options would be too big a pain in the
    butt when you can just examine the raw packet with another program
    anyway.

Example:

    /path/to/tocsin courier rje supdup link 33 99 kdc psadmin pewprod

Availability:

    The primary sites for this package are:

        ftp.eng.auburn.edu:pub/doug/tocsin.tar.gz
        http://www.eng.auburn.edu/users/doug/second.html
        http://www.cs.purdue.edu/coast        (Netscape enhanced)
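As an added illustration (not tocsin's own code, which pushes its filter into the kernel via pfmod/nit_pf), the C program below models the classification the README describes, in user space over a constructed frame: an Ethernet/IPv4/TCP header is parsed, a SYN without ACK to one of the watched service ports is reported as a probe, any packet carrying IP options is flagged with only its first option recorded, and the SYN_ONLY, NO_IP_OPTIONS and DEST_ONLY behaviours are taken as runtime flags rather than Makefile -D defines. Only the IP path is modelled (non-IP frames are dropped). The watch list (rje, link, supdup, courier), the 192.0.2.0/24 "local subnet", the addresses, the frames and every function and type name here are the example's own constructions.

```c
/* Added example: user-space model of tocsin's SYN-probe classification.
 * Not the tool's code; all names, addresses and frames are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN   14
#define ETH_P_IP      0x0800
#define IP_PROTO_TCP  6
#define TCP_FLAG_SYN  0x02
#define TCP_FLAG_ACK  0x10

/* Runtime equivalents of the README's -DSYN_ONLY, -DNO_IP_OPTIONS, -DDEST_ONLY */
#define FILT_SYN_ONLY       1u
#define FILT_NO_IP_OPTIONS  2u
#define FILT_DEST_ONLY      4u

enum verdict { V_IGNORE = 0, V_SYN_PROBE = 1, V_IP_OPTIONS = 2, V_OTHER_TCP = 3 };

struct probe_info {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  first_ip_option;   /* 0 when the header carries no options */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Classify one captured frame. watched[] are the TCP service ports given on the
 * command line; local_net/local_mask define "this local subnet" for DEST_ONLY. */
int classify_frame(const uint8_t *frame, size_t len, const uint16_t *watched, size_t nwatched,
                   uint32_t local_net, uint32_t local_mask, unsigned filt, struct probe_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HDR_LEN + 20 || rd16(frame + 12) != ETH_P_IP) return V_IGNORE; /* IP only here */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ETH_HDR_LEN + ihl > len) return V_IGNORE;
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    if ((filt & FILT_DEST_ONLY) && (out->dst_ip & local_mask) != local_net) return V_IGNORE;
    if (ihl > 20) out->first_ip_option = ip[20];   /* like tocsin, only the first option is kept */
    int watched_tcp = 0, watched_syn = 0;
    if (ip[9] == IP_PROTO_TCP && ETH_HDR_LEN + ihl + 20 <= len) {
        const uint8_t *tcp = ip + ihl;
        out->src_port = rd16(tcp);
        out->dst_port = rd16(tcp + 2);
        for (size_t i = 0; i < nwatched; i++) if (watched[i] == out->dst_port) watched_tcp = 1;
        /* a probe is SYN set and ACK clear: the scanner never completes the handshake */
        watched_syn = watched_tcp && (tcp[13] & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN;
    }
    if (watched_syn) return V_SYN_PROBE;                 /* shown even with NO_IP_OPTIONS */
    if (out->first_ip_option && !(filt & FILT_NO_IP_OPTIONS)) return V_IP_OPTIONS; /* any port */
    if (watched_tcp && !(filt & FILT_SYN_ONLY)) return V_OTHER_TCP;
    return V_IGNORE;
}

/* Build a constructed Ethernet/IPv4/TCP frame; opt != 0 adds one 4-byte IP option slot. */
size_t build_frame(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                   uint8_t tcpflags, uint8_t opt)
{
    size_t ihl = opt ? 24 : 20;
    memset(buf, 0, ETH_HDR_LEN + ihl + 20);
    buf[12] = 0x08; buf[13] = 0x00;                      /* ethertype IPv4 */
    uint8_t *ip = buf + ETH_HDR_LEN;
    ip[0] = (uint8_t)(0x40 | (ihl / 4));                 /* version 4, header length in words */
    ip[3] = (uint8_t)(ihl + 20);                         /* total length (fits in one byte) */
    ip[9] = IP_PROTO_TCP;
    wr32(ip + 12, src); wr32(ip + 16, dst);
    if (opt) { ip[20] = opt; ip[21] = 4; ip[22] = 5; }   /* constructed option: type, len, ptr */
    uint8_t *tcp = ip + ihl;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                      /* data offset 5 words */
    tcp[13] = tcpflags;
    return ETH_HDR_LEN + ihl + 20;
}

/* Constructed scenarios; returns the verdict for scenario n. */
int run_scenario(int n)
{
    static const uint16_t watched[] = { 77, 87, 95, 530 };   /* rje link supdup courier */
    const uint32_t net = 0xC0000200u, mask = 0xFFFFFF00u;    /* 192.0.2.0/24 (constructed) */
    const uint32_t scanner = 0xC6336407u;                    /* 198.51.100.7 */
    const uint32_t local = 0xC000020Au, remote = 0xCB007105u;/* 192.0.2.10, 203.0.113.5 */
    uint8_t buf[64]; struct probe_info info; size_t len; unsigned filt = 0;
    const uint8_t SA = TCP_FLAG_SYN | TCP_FLAG_ACK;
    switch (n) {
    case 0: len = build_frame(buf, scanner, local, 40001, 530, TCP_FLAG_SYN, 0); break;
    case 1: len = build_frame(buf, scanner, local, 40001, 40000, TCP_FLAG_SYN, 0); break;
    case 2: len = build_frame(buf, scanner, local, 40001, 530, SA, 0); break;
    case 3: len = build_frame(buf, scanner, local, 40001, 530, SA, 0); filt = FILT_SYN_ONLY; break;
    case 4: len = build_frame(buf, scanner, local, 40001, 40000, TCP_FLAG_SYN, 0x44); break;
    case 5: len = build_frame(buf, scanner, local, 40001, 40000, TCP_FLAG_SYN, 0x44); filt = FILT_NO_IP_OPTIONS; break;
    case 6: len = build_frame(buf, scanner, local, 40001, 530, TCP_FLAG_SYN, 0x44); filt = FILT_NO_IP_OPTIONS; break;
    case 7: len = build_frame(buf, scanner, remote, 40001, 530, TCP_FLAG_SYN, 0); filt = FILT_DEST_ONLY; break;
    default: len = build_frame(buf, scanner, remote, 40001, 530, TCP_FLAG_SYN, 0); break;
    }
    return classify_frame(buf, len, watched, 4, net, mask, filt, &info);
}

int main(void)
{
    static const char *names[] = { "ignore", "SYN probe", "IP options", "other TCP" };
    for (int n = 0; n < 9; n++) printf("scenario %d: %s\n", n, names[run_scenario(n)]);
    return 0;
}
```

Scenario 6 is the README's "you still get to see normal probes with options set" case: a SYN to a watched port is reported as a probe even when option flagging is disabled, while scenario 5 shows the same options on an unwatched port being silenced by NO_IP_OPTIONS.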