Scanlogd is a port scan detection tool that logs all TCP port scan attempts through syslog. This is its sole purpose, so it is not a complete NIDS, but rather one of its sensors. One can look at it as a basic intrusion detection measure, as most attacks begin with a port scan.
Scanlogd has its own network packet analyzer that looks for attempts to open ports. If the attempts are within a certain threshold frequency, they get logged as attacks. This approach leads to some amount of false positives, but in my experience they are quite tolerable. Scanlogd does not use iptables and monitors even firewalled ports.
Scanlogd also has a precompiled Windows binary: http://www.openwall.com/scanlogd/contrib/scanlogd-2.2-win32.zip
In order to set up scanlogd on a Linux system, you'll have to decide which IP network library you want to use. If you want to use raw Linux sockets, you do not need any third-party libraries installed. Otherwise you'll need either libpcap or libnids. The best approach according to the authors is to set up scanlogd using libnids. Libpcap is not recommended since there are some packet fragmentation issues. In order to set up libnids you'll also have to install the libnet library.
Now you should have a ready-to-use scanlogd binary. Scanlogd has to run as the scanlogd user. This is a security measure: the account is a dummy with no home directory and no login shell, so a compromised daemon gains nothing from it: useradd -d /dev/null -s /dev/null scanlogd
The concluding step is to edit your syslogd.conf file and add the line: daemon.alert /var/log/alert
and restart syslogd.
The /var/log/alert file will contain one line per detected port scan, for example: Jun 6 11:17:48 hostname scanlogd: remote_ip to local_ip and others, ports 58766, 63434, 63435, 54520, ..., packet, TOS 00, TTL 64 @11:17:25
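Since scanlogd only writes these lines, turning them into something a responder can act on (which sources scanned, how often, which ports) is left to you. The parser and per-source summary below are an added example, not part of scanlogd or of the original text; the log lines in SAMPLE_LOG are constructed to match the layout shown above, and the "packet" token is carried as on the page without interpreting it.

```python
import re
from dataclasses import dataclass

# One /var/log/alert line, in the layout shown above: syslog prefix, source,
# destination (" and others" if several), port list ("..." if truncated),
# packet descriptor, TOS, TTL and the @HH:MM:SS time the scan began.
SCANLOGD_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ scanlogd: "
    r"(?P<src>\S+) to (?P<dst>\S+)(?P<others> and others)?, ports (?P<ports>.+?), "
    r"\S+, TOS (?P<tos>[0-9A-Fa-f]{2}), TTL (?P<ttl>\d+) @(?P<start>\d\d:\d\d:\d\d)$"
)

# Constructed sample: three scanlogd alerts plus an unrelated syslog line.
SAMPLE_LOG = """\
Jun  6 11:17:48 hostname scanlogd: 192.0.2.10 to 198.51.100.5 and others, ports 58766, 63434, 63435, 54520, ..., packet, TOS 00, TTL 64 @11:17:25
Jun  6 11:19:02 hostname scanlogd: 192.0.2.10 to 198.51.100.5, ports 21, 22, 23, 25, 80, 443, packet, TOS 00, TTL 64 @11:18:59
Jun  6 11:20:31 hostname scanlogd: 203.0.113.7 to 198.51.100.5, ports 445, 3389, packet, TOS 10, TTL 128 @11:20:30
Jun  6 11:21:00 hostname sshd[1234]: Accepted publickey for alice from 203.0.113.9
"""

@dataclass
class ScanEvent:
    logged_at: str
    src: str
    dst: str
    more_targets: bool   # True when the line says "and others"
    ports: list
    truncated: bool      # True when scanlogd elided ports with "..."
    tos: str
    ttl: int
    started_at: str

def parse_line(line):
    """Return a ScanEvent for a scanlogd line, or None for any other syslog line."""
    m = SCANLOGD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    toks = [t.strip() for t in m["ports"].split(",")]
    ports = [int(t) for t in toks if t.isdigit()]
    return ScanEvent(m["stamp"], m["src"], m["dst"], m["others"] is not None,
                     ports, "..." in toks, m["tos"].lower(), int(m["ttl"]), m["start"])

def summarize(lines):
    """Per source IP: number of scans logged and the set of ports seen across them."""
    summary = {}
    for ev in filter(None, map(parse_line, lines)):
        entry = summary.setdefault(ev.src, {"events": 0, "ports": set()})
        entry["events"] += 1
        entry["ports"].update(ev.ports)
    return summary
```

Feed it `open("/var/log/alert")` instead of `SAMPLE_LOG.splitlines()` to get the same summary for a live host; the `truncated` flag tells you when the port count in the summary is a lower bound.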