[Snort-devel] detecting nmap ack probes?

Max Vision vision at ...195...
Sat May 12 22:45:46 EDT 2001


Hi,

This might not be worth mentioning from the point of intrusion detection,
but it probably represents a bug in some way.  I don't have time to look:

  snort -dv '(tcp[6:2] = 0x0003)'

Understandably, I get a few false positives when running this on a busy
network.  As far as I can see the only way to reliably differentiate an
nmap ack probe from other acks (without false positives galore) is by
keeping state on tcp traffic and alerting on stray acks.  Watching for
0x0003 as the low bytes of the tcp seq number may be too broad.

Anyone else see a way this quirk could be used to detect the probes, or is
it just a curiosity?

Max Vision
http://whitehats.com/






More information about the Snort-devel mailing list