[Snort-sigs] SID 625
warchild at ...288...
Fri Feb 15 18:30:02 EST 2002
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN
classtype:attempted-recon; sid:625; rev:1;)
A TCP packet with all of the (unreserved) control bits set was
detected as being destined for your machine.
System recon. Different operating-systems will respond in different
ways depending on their particular stack implementation. This allows
attackers to determine things such as open/closed ports, ACLs, and the
The ACK, FIN, PSH, RST, SYN, and URG control bits were set in a TCP
As part of a recon mission that may be an indicator to upcoming
attacks, an attacker may attempt to determine what ports are listening
on a given machine by sending a TCP packet with all of its control
bits "lit up", hence the name XMAS scan -- its "lit up like a
Ease of Attack:
Trivial. Many of the popular portscanners/vulnerability testers, most
notably nmap, allow anyone to inititiate an XMAS scan.
This combination of flags should never be seen in "normal" activity,
so the chances of false positives are slim to none.
Determine what information an attacker may have gleaned from this
attack. Would your ports show as open or closed? Consider
implementing a stateful firewall on the victim machine, or at ingress
points on your network.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
More information about the Snort-sigs