[Snort-devel] detecting nmap ack probes?
vision at ...195...
Sat May 12 22:45:46 EDT 2001
This might not be worth mentioning from the point of intrusion detection,
but it probably represents a bug in some way. I don't have time to look:
snort -dv '(tcp[6:2] = 0x0003)'
Understandably, I get a few false positives when running this on a busy
network. As far as I can see the only way to reliably differentiate an
nmap ack probe from other acks (without false positives galore) is by
keeping state on tcp traffic and alerting on stray acks. Watching for
0x0003 as the low bytes of the tcp seq number may be too broad.
Anyone else see a way this quirk could be used to detect the probes, or is
it just a curiosity?
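Worked example, added here and not part of the original post or of Snort: a minimal version of the stateful approach the post proposes (track three-way handshakes, alert on ACK-only segments that belong to no known connection) run beside the post's own `tcp[6:2] = 0x0003` test, so the two can be compared on the same traffic. The packet records and the addresses (10.0.0.0/8 hosts, a 192.0.2.7 scanner) are constructed for the example; the flag bits are the real values of `tcp[13]`.

```python
"""Stray-ACK detector (stateful) vs. the seq-low-bytes BPF test. Added example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as they sit in tcp[13]
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Pkt:
    """Just the header fields the detector needs (constructed, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int


FourTuple = Tuple[str, int, str, int]


def canonical(p: Pkt) -> FourTuple:
    """Order the endpoints so both directions of one connection share a key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return a + b if a <= b else b + a


def seq_filter_hits(p: Pkt) -> bool:
    """The post's BPF expression: tcp[6:2] = 0x0003, i.e. low 16 bits of the seq number."""
    return (p.seq & 0xFFFF) == 0x0003


def stray_acks(packets: List[Pkt]) -> List[Pkt]:
    """Return ACK-only segments for which no handshake has been seen."""
    state: Dict[FourTuple, str] = {}
    strays: List[Pkt] = []
    for p in packets:
        key, f = canonical(p), p.flags
        if f & RST:                       # RST tears the connection down
            state.pop(key, None)
        elif f & SYN and not f & ACK:     # client SYN opens tracking
            state[key] = "SYN_SENT"
        elif f & SYN and f & ACK:         # SYN-ACK only counts after a SYN we saw
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECV"
        elif f & ACK:
            st = state.get(key)
            if st == "SYN_RECV":          # third packet of the handshake
                state[key] = "ESTABLISHED"
            elif st is None:              # ACK with no connection behind it
                strays.append(p)
            if f & FIN and st is not None:
                state.pop(key, None)      # crude teardown; enough for the example
    return strays


def run_both(packets: List[Pkt]) -> Tuple[List[Pkt], List[Pkt]]:
    """Stateful verdicts next to the BPF filter's verdicts on the same packets."""
    return stray_acks(packets), [p for p in packets if seq_filter_hits(p)]


# Constructed traffic: one real connection plus a scanner sending bare ACKs.
SAMPLE = [
    Pkt("10.0.0.5", 40000, "10.0.0.9", 80, SYN, 0x11110001, 0),
    Pkt("10.0.0.9", 80, "10.0.0.5", 40000, SYN | ACK, 0x22220002, 0x11110002),
    Pkt("10.0.0.5", 40000, "10.0.0.9", 80, ACK, 0x11110002, 0x22220003),
    # legitimate data segment whose low seq bytes happen to be 0x0003
    Pkt("10.0.0.9", 80, "10.0.0.5", 40000, ACK | PSH, 0x22220003, 0x11110002),
    # scanner: bare ACK to port 80, no handshake, seq low bytes 0x0003
    Pkt("192.0.2.7", 55555, "10.0.0.9", 80, ACK, 0x00000003, 0),
    Pkt("10.0.0.9", 80, "192.0.2.7", 55555, RST, 0, 0),
    # scanner again to port 22 with a different seq: the BPF test misses it
    Pkt("192.0.2.7", 55556, "10.0.0.9", 22, ACK, 0x31337000, 0),
]

if __name__ == "__main__":
    strays, hits = run_both(SAMPLE)
    print("stateful stray ACKs:", [(p.src, p.sport, p.dport) for p in strays])
    print("tcp[6:2]=0x0003 hits:", [(p.src, p.sport, p.dport) for p in hits])
```

On this sample the seq-bytes filter fires once on ordinary data (the 0x22220003 segment) and never sees the second probe, while the stateful check flags both probes and nothing else. The caveat that matters in deployment: a tracker that starts mid-stream sees every connection it missed the handshake of as "stray", so real detectors age state, pick up connections from observed traffic, and threshold on the number of stray ACKs per source rather than alerting on one packet.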