Background:
This program will catch port scanners that use SYN probes without
actually opening up a connection. It works as a good supplement
to klaxon. You only need 1 tocsin process per subnet. Assuming you
run it on a shared subnet, it will catch probes on any machine on
that subnet. If your machine has multiple subnets, it will default
to le0, but you can change that with the -i option.

Etymology: tocsin is a bell or group of bells rung in alarm

Installation:
Installs with no modifications on Solaris and SunOS systems.
Tested on 4.1.3_U1B and Solaris 2.5/2.4. Requires an ANSI C compiler.
Change CC=cc in Makefile if you want to use the gcc compiler.

Running:
After building the binary, run it followed by the list of TCP
services that you want to watch for scans. These should be services
< 1024 or 512, as services greater than this may intrude on dynamically
allocated ports that clients use and may trigger false alarms. It
will automatically detach itself and run in the background.

Using too many services may impose a performance penalty. 8 or fewer
should suffice to catch a port scanner in any event. All services
are installed using the pfmod/nit_pf facility of the kernels for
Solaris and SunOS respectively. The more services you add, the more
of your CPU time this process will use.

NOTE: It appears that SunOS is limited to 7 services or fewer. More than
this number will cause an error: "pushing packet filter: Invalid argument"

Example:
/path/to/tocsin courier rje supdup link kdc psadmin pewprod
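
The kind of check described under Background and Running, as an added example that is not tocsin's own code: tocsin installs its filter in the kernel through pfmod/nit_pf, while this user-space function applies an equivalent test to a buffer that starts at the IPv4 header, flagging an initial SYN (no ACK, RST or FIN) aimed at a watched port. The function names, the watch list of ports 77 and 530, and the sample packet are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { FL_FIN = 0x01, FL_SYN = 0x02, FL_RST = 0x04, FL_ACK = 0x10 };

/* Return the destination port if pkt (starting at the IPv4 header) is a bare
 * SYN aimed at a watched port, otherwise 0. */
unsigned syn_probe_port(const uint8_t *pkt, size_t len,
                        const uint16_t *watched, size_t nwatched)
{
    size_t ihl, i;
    unsigned dport, flags;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                          /* truncated or not IPv4 */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 14)
        return 0;                          /* TCP flags byte not present */
    if (pkt[9] != 6)
        return 0;                          /* not TCP */
    if ((((unsigned)pkt[6] << 8) | pkt[7]) & 0x1fff)
        return 0;                          /* later fragment: no TCP header */
    dport = ((unsigned)pkt[ihl + 2] << 8) | pkt[ihl + 3];
    flags = pkt[ihl + 13];
    if ((flags & (FL_SYN | FL_ACK | FL_RST | FL_FIN)) != FL_SYN)
        return 0;                          /* SYN+ACK replies, RSTs, established traffic */
    for (i = 0; i < nwatched; i++)
        if (watched[i] == dport)
            return dport;
    return 0;
}

/* Constructed sample: minimal 40-byte IPv4+TCP packet, run through a
 * constructed watch list of two ports. */
unsigned classify_sample(unsigned dport, unsigned flags)
{
    static const uint16_t watched[] = { 77, 530 };
    uint8_t p[40];

    memset(p, 0, sizeof p);
    p[0] = 0x45;                           /* IPv4, 20-byte header */
    p[9] = 6;                              /* protocol: TCP */
    p[22] = (uint8_t)(dport >> 8);         /* TCP destination port */
    p[23] = (uint8_t)dport;
    p[32] = 0x50;                          /* TCP data offset: 5 words */
    p[33] = (uint8_t)flags;
    return syn_probe_port(p, sizeof p, watched, 2);
}
```

Matching only on the initial SYN means the SYN+ACK replies and established traffic of legitimate sessions are ignored, and keeping the watch list to low ports avoids matching the dynamically allocated client ports mentioned under Running.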