diff -Nur --exclude=CVS scanlogd-2.0/Makefile scanlogd-PRIV/Makefile
--- scanlogd-2.0/Makefile	Mon Feb 28 15:12:15 2000
+++ scanlogd-PRIV/Makefile	Mon Mar 20 23:17:15 2000
@@ -1,7 +1,8 @@
 CC = gcc
 LD = gcc
 RM = rm -f
-CFLAGS = -c -Wall -O2 -fomit-frame-pointer
+#CFLAGS = -c -Wall -O2 -fomit-frame-pointer
+CFLAGS = -c -Wall -O2 -fomit-frame-pointer -DPRIV_PORTS_HACK
 LDFLAGS = -s
 
 PCAP_H = -I/usr/include/pcap
diff -Nur --exclude=CVS scanlogd-2.0/params.h scanlogd-PRIV/params.h
--- scanlogd-2.0/params.h	Tue Feb 29 20:06:44 2000
+++ scanlogd-PRIV/params.h	Mon Mar 20 23:14:48 2000
@@ -63,7 +63,12 @@
  */
 #define SYSLOG_IDENT			"scanlogd"
 #define SYSLOG_FACILITY			LOG_DAEMON
-#define SYSLOG_LEVEL			LOG_ALERT
+#ifdef PRIV_PORTS_HACK
+  #define SYSLOG_LEVEL                  LOG_CRIT
+  #define SYSLOG_PRIV_PORT_LEVEL        LOG_ALERT
+#else
+  #define SYSLOG_LEVEL                  LOG_ALERT
+#endif
 
 /*
  * librlog ident, don't ask me what this is for now. ;-)
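Review bot: With PRIV_PORTS_HACK defined, ordinary weight-triggered scan reports drop from LOG_ALERT to LOG_CRIT, and nothing in this block says so. A syslog.conf rule or log monitor that selects scanlogd messages at alert priority will then see only the privileged-port reports. I would document the split above the `#ifdef`, for example `/* With PRIV_PORTS_HACK, LOG_ALERT is reserved for privileged-port scans; all other scans are logged at LOG_CRIT. */`.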
diff -Nur --exclude=CVS scanlogd-2.0/scanlogd.c scanlogd-PRIV/scanlogd.c
--- scanlogd-2.0/scanlogd.c	Tue Feb 29 20:44:43 2000
+++ scanlogd-PRIV/scanlogd.c	Mon Mar 20 23:17:06 2000
@@ -9,6 +9,18 @@
  * There's absolutely no warranty.
  */
 
+/* PRIV_PORTS_HACK: additional logging for scans of privileged ports
+ * MODIFIED <steffen@dett.de> $Revision: 1.1 $
+ * new code marked by "#ifdef PRIV_PORTS_HACK"
+ * 
+ * If there are more that SCAN_MIN_COUNT scans to privileged ports,
+ * this event is logged (different syslog level) with another message
+ */
+
+#ifdef PRIV_PORTS_HACK
+#warning "Compiling with PRIV_PORTS_HACK"
+#endif
+
 #include <stdio.h>
 #include <unistd.h>
 #include <string.h>
@@ -48,6 +60,10 @@
 	int count;			/* Number of ports in the list */
 	int weight;			/* Total weight of ports in the list */
 	unsigned short ports[SCAN_MAX_COUNT - 1];	/* List of ports */
+#ifdef PRIV_PORTS_HACK
+	int priv_count;                 /* Number of priv_ports in the list */
+	unsigned short priv_ports[SCAN_MIN_COUNT];/* privileged p. */
+#endif
 	short tos;			/* TOS, if fixed */
 	unsigned char ttl;		/* TTL, if fixed */
 	unsigned char flags_or;		/* TCP flags OR mask */
@@ -88,6 +104,9 @@
 	int limit;
 	char s_saddr[32];
 	char s_daddr[32 + 8 * SCAN_MAX_COUNT];
+#ifdef PRIV_PORTS_HACK
+	char s_dpriv_ports[11 + 32 + 8 * SCAN_MIN_COUNT];
+#endif
 	char s_flags[16];
 	char s_tos[16];
 	char s_ttl[16];
@@ -124,6 +143,56 @@
 			"%u, ", (unsigned int)ntohs(info->ports[index]));
 	}
 
+#ifdef PRIV_PORTS_HACK
+	if (info->priv_count >= SCAN_MIN_COUNT - 1) {
+		/* Scanned privileged port numbers */
+		snprintf(s_dpriv_ports, sizeof(s_dpriv_ports),
+		info->daddr.s_addr ? "%s PRIVILEGED ports "
+			: "PRIVILEGED ports ",
+			inet_ntoa(info->daddr));
+
+#ifdef LOG_MAX_LENGTH
+		/* max. 6 ports, to avoid limit overflows */
+		/* with 6 we'll never get too long messages */
+		for (index = 0; 
+			index < ((info->priv_count<6) ? info->priv_count : 6);
+			index++) 
+		{
+#else
+		for (index = 0; index < info->priv_count; index++) {
+#endif
+			size = strlen(s_dpriv_ports);
+			snprintf(s_dpriv_ports + size,
+				sizeof(s_dpriv_ports) - size,
+				"%u, ",
+				(unsigned int)ntohs(info->priv_ports[index]));
+		}
+
+		/* Scanned user port numbers */
+		/* overwrite the string from non-hacked */
+		s_daddr[0]='\0'; /* maybe we have duplicates only or to long */
+		for (index = 0; index < limit; index++) {
+			size = strlen(s_daddr);
+#ifdef LOG_MAX_LENGTH
+			/* this string plus the priv port string */
+			if (size + strlen(s_dpriv_ports) >= LOG_MAX_LENGTH) {
+				limit = index;
+				break;
+			}
+#endif
+			if ( ntohs(info->ports[index]) > 1024 )
+				/* to skip priv. ports here (duplicates) */
+				snprintf(s_daddr + size,
+				sizeof(s_daddr) - size,
+				"%u, ",
+				(unsigned int)ntohs(info->ports[index]));
+		}
+	} else {
+		/* no priv ports in list (empty) */
+		s_dpriv_ports[0]='\0';
+	}
+#endif /* PRIV_PORTS_HACK */
+
 /* TCP flags: lowercase letters for "always clear", uppercase for "always
  * set", and question marks for "sometimes set". */
 	for (index = 0; index < 8; index++) {
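Review bot: Port 1024 falls out of both lists in a privileged-port report. The filter `if ( ntohs(info->ports[index]) > 1024 )` skips it as if it were privileged, while the tracking code elsewhere in this patch counts only `ntohs(port) < 1024` as privileged, so a probe of port 1024 is never printed. The test should be `if (ntohs(info->ports[index]) >= 1024)`, and the unbraced `snprintf` under it deserves braces because it sits right after an `#ifdef` block. The enclosing function starts and ends outside this hunk.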
@@ -151,6 +220,9 @@
 /* Check against the length limit, and possibly re-format everything */
 #ifdef LOG_MAX_LENGTH
 	if (strlen(s_saddr) + strlen(s_daddr) +
+#ifdef PRIV_PORTS_HACK
+	    strlen(s_dpriv_ports) + 
+#endif
 	    strlen(s_tos) + strlen(s_ttl) + strlen(s_time) +
 	    (4 + 5 + 8 + 2) > LOG_MAX_LENGTH) {
 		if (--limit > 0) goto prepare;
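Review bot: The fixed term `(4 + 5 + 8 + 2)` is left unchanged, but the privileged-port format `"%s to %s..., %s..., %s%s%s @%s"` added later in this patch has one more literal `..., ` than the original format, so the check looks about five characters short for that message. Assuming the constant stands for the format's literal text plus the flags field, a privileged-port report can exceed LOG_MAX_LENGTH by that amount. I would count it inside the new `#ifdef`, e.g. `strlen(s_dpriv_ports) + 5 +`, with a comment naming the extra separator. The `if` body continues past the end of the hunk.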
@@ -158,6 +230,25 @@
 #endif
 
 /* Log it all */
+#ifdef PRIV_PORTS_HACK
+	if (info->priv_count >= SCAN_MIN_COUNT - 1) {
+	/* triggered by to many priv-ports (and not by weight) */
+		 syslog(SYSLOG_PRIV_PORT_LEVEL,
+			  strlen(s_daddr) == 0 ?
+			  "%s to %s...,%s %s%s%s @%s" :
+			  "%s to %s..., %s..., %s%s%s @%s",
+			  s_saddr, s_dpriv_ports, s_daddr, s_flags, s_tos,
+			  s_ttl, s_time);
+#ifdef USE_RLOG
+		 rlog(
+			  strlen(s_daddr) == 0 ?
+			  "%s to %s...,%s %s%s%s @%s" :
+			  "%s to %s..., %s..., %s%s%s @%s",
+			  s_saddr, s_dpriv_ports, s_daddr, s_flags, s_tos,
+			  s_ttl, s_time);
+#endif
+	} else {
+#endif
 	syslog(SYSLOG_LEVEL,
 		"%s to %s..., %s%s%s @%s",
 		s_saddr, s_daddr, s_flags, s_tos, s_ttl, s_time);
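Review bot: The condition `info->priv_count >= SCAN_MIN_COUNT - 1` does not match the comment below it, which says the branch is for reports triggered by privileged ports and not by weight. The tracking hunk calls `safe_log(current)` for privileged ports only when `priv_count == SCAN_MIN_COUNT`, so a weight-triggered report that happens to hold SCAN_MIN_COUNT - 1 privileged ports is also sent at SYSLOG_PRIV_PORT_LEVEL with the privileged-port wording. The same test appears in the formatting hunk. If the comment states the intent, both should read `if (info->priv_count >= SCAN_MIN_COUNT) {`; if the lower threshold is deliberate, a comment should say why. The logging function begins outside this hunk.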
@@ -167,6 +258,9 @@
 		"%s to %s..., %s%s%s @%s",
 		s_saddr, s_daddr, s_flags, s_tos, s_ttl, s_time);
 #endif
+#ifdef PRIV_PORTS_HACK
+	}
+#endif
 }
 
 /*
@@ -258,8 +352,14 @@
 		current->timestamp = now;
 
 /* Logged this scan already? Then leave. */
+#ifdef PRIV_PORTS_HACK
+		/* maybe we have logged weight and priv_port alert already */
+		if ( (current->weight >= SCAN_WEIGHT_THRESHOLD) 
+	 	  && (current->priv_count > SCAN_MIN_COUNT) ) return;
+#else
 		if (current->weight >= SCAN_WEIGHT_THRESHOLD) return;
-
+#endif
+ 
 /* Update the TCP flags */
 		current->flags_or |= flags;
 		current->flags_and &= flags;
@@ -274,6 +374,25 @@
 		if (current->ttl != ip->ip_ttl)
 			current->ttl = 0;
 
+#ifdef PRIV_PORTS_HACK
+/* Remember in list of privileged ports and log */
+		if ( ntohs(port) < 1024 ) {
+			if (current->priv_count < SCAN_MIN_COUNT) {
+				current->priv_ports[current->priv_count++] 
+					= port;
+			} 
+			if (current->priv_count == SCAN_MIN_COUNT) {
+				safe_log(current);
+				/* Alert logged: no need for weight log */
+				current->weight = SCAN_WEIGHT_THRESHOLD;
+				current->priv_count++;
+				return;
+			}
+		}
+		/* did we logged already (weight) ? */
+		if (current->weight >= SCAN_WEIGHT_THRESHOLD) return;
+#endif
+
 /* Update the total weight */
 		current->weight += (ntohs(port) < 1024) ?
 			PORT_WEIGHT_PRIV : PORT_WEIGHT_HIGH;
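Review bot: `current->priv_count++` after the alert pushes the counter to SCAN_MIN_COUNT + 1 as an undocumented "already logged" marker, one past the size of `priv_ports[SCAN_MIN_COUNT]`. The formatting loop `for (index = 0; index < info->priv_count; index++)` has no bound of its own, so it stays in range only while the early return on `current->priv_count > SCAN_MIN_COUNT` keeps a marked entry away from the logger. I would keep the marker in a separate flag, or clamp the loop with `index < info->priv_count && index < SCAN_MIN_COUNT`, and add a comment on the marker here. Separately, once the weight alert has fired this path returns before a port is added to `ports[]`; if the duplicate check above this hunk (not visible) relies on that list, repeated packets to one privileged port would each raise `priv_count`, which is worth confirming. The enclosing block starts outside the hunk.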
@@ -355,6 +474,11 @@
 	current->weight = (ntohs(port) < 1024) ?
 		PORT_WEIGHT_PRIV : PORT_WEIGHT_HIGH;
 	current->ports[0] = port;
+#ifdef PRIV_PORTS_HACK
+	current->priv_count = 0;
+	if ( ntohs(port) < 1024)
+		current->priv_ports[current->priv_count++] = port;
+#endif
 	current->tos = ip->ip_tos;
 	current->ttl = ip->ip_ttl;
 	current->flags_or = current->flags_and = flags;

