Around the years 2000-2002 (back in the days when Snort was still super young, and I hadn’t heard of it yet), I decided to write a small network traffic analyser, which could serve as a “poor man’s intrusion detection system”. It was basically a C daemon configured with an ini-like configuration file, watching for network events. If I remember correctly, I wanted a way to detect the (then pretty new and fancy) nmap stealth scan mechanisms (like half-open, xmas, etc.), and counter them w...