detecting a portscanner

We've got a customer who is running some sort of web-app and probing port 1080 on other networks. We know it's a web-app because the source IP in reports from other providers have all pointed at webservers with no shell access.

I am looking for ways to detect this user and not coming up with anything so far. Any good ideas? Some way to use tcpdump or netstat perhaps?

 

 

 

 

Top