[Snort-sigs] SID-628 incorrect?

Jon Hart jhart at ...289...
Fri Feb 15 19:12:10 EST 2002


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A; ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)

I was about to write something up for this rule, and then realized that I've
never seen it in any of my alerts.  Why?

This will get triggered if a packet's ACK field is significant and that the
ACK number is 0, right?  I can't, for the life of me, get nmap to exhibit
this behavior.  

I assumed from the msg that this should get triggered by a 'nmap -sT' or
maybe a 'nmap -sS', but that doesn't appear to be the case.  The default
nmap scan (-sT) does the icmp ping, followed by a tcp-ping, and then a syn
to see if the port is open.  The only thing that'll match part of this rule
is when the victim machine nukes the tcp-ping by sending a RST using a
sequence number corresponding to the ACK of the offending tcp-ping and an
ACK of 0.  

Am I just confused, or is this rule bound for failure?  Perhaps this was a
feature in an earlier version of nmap?  

For what it's worth, when I craft my own packets (with perl, no less :) ),
and set the ACK flag and the ack# to 0, I get RSTs with both the sequence
and ack# set to 0:


02/15-22:08:05.300306 0:10:A4:99:15:B4 -> 0:0:21:E7:CA:E6 type:0x800 len:0x36
192.168.0.5:41212 -> 192.168.0.2:22 TCP TTL:230 TOS:0x0 ID:51498 IpLen:20 DgmLen:40 DF
***A**S* Seq: 0x107EBB12  Ack: 0x0  Win: 0x1452  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/15-22:08:05.300507 0:0:21:E7:CA:E6 -> 0:10:A4:99:15:B4 type:0x800 len:0x3C
192.168.0.2:22 -> 192.168.0.5:41212 TCP TTL:64 TOS:0x0 ID:14947 IpLen:20 DgmLen:40
*****R** Seq: 0x0  Ack: 0x0  Win: 0x4000  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/15-22:08:14.618400 0:10:A4:99:15:B4 -> 0:0:21:E7:CA:E6 type:0x800 len:0x36
192.168.0.5:44960 -> 192.168.0.2:22 TCP TTL:203 TOS:0x0 ID:8361 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x498F1D65  Ack: 0x0  Win: 0x15E5  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/15-22:08:14.618631 0:0:21:E7:CA:E6 -> 0:10:A4:99:15:B4 type:0x800 len:0x3C
192.168.0.2:22 -> 192.168.0.5:44960 TCP TTL:64 TOS:0x0 ID:31694 IpLen:20 DgmLen:40
*****R** Seq: 0x0  Ack: 0x0  Win: 0x4000  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Or am I just misunderstanding the rule?


-jon
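The following is an added example, not code from the post or from the Snort project. It applies the SID 628 test (flags:A; ack:0;) to the four packet dumps quoted above, parsed from Snort's own dump format, and goes slightly beyond the rule by implementing all four forms of the `flags` option (exact, `+`, `*`, `!`). The one point worth seeing in code is that `flags:A` with no modifier is an exact match: the first crafted packet (`***A**S*`) has SYN set as well and therefore does not satisfy the rule, while the second (`***A****`, Ack 0x0) does. The RSTs fail on the flag test regardless of their ack number. $HOME_NET / $EXTERNAL_NET and port matching are deliberately left out.

```python
"""Evaluate Snort's `flags:` and `ack:` options (SID 628) over packet dumps."""
import re

# Flag letters in the order Snort prints them in a packet dump:
#   1 2 U A P R S F  ('1' and '2' are the reserved bits, '*' = not set)
FLAG_ORDER = "12UAPRSF"


def parse_flags(field):
    """Turn a dump field such as '***A**S*' into the set {'A', 'S'}."""
    if len(field) != 8 or any(c not in FLAG_ORDER + "*" for c in field):
        raise ValueError("bad flag field: %r" % field)
    return {c for c in field if c != "*"}


def flags_match(packet_flags, option):
    """Snort `flags:` semantics.
       'A'   exact match: only the listed bits may be set
       'A+'  listed bits set, any others allowed
       'A*'  any one of the listed bits set
       '!A'  negation of the corresponding test
    """
    negate = option.startswith("!")
    body = option.lstrip("!")
    modifier = body[-1] if body and body[-1] in "+*" else ""
    wanted = set(body.rstrip("+*"))
    if modifier == "+":
        hit = wanted <= packet_flags
    elif modifier == "*":
        hit = bool(wanted & packet_flags)
    else:
        hit = wanted == packet_flags
    return (not hit) if negate else hit


IP_LINE = re.compile(r"^(\S+:\d+) -> (\S+:\d+) TCP ")
TCP_LINE = re.compile(r"^([12UAPRSF*]{8})\s+Seq:\s*0x([0-9A-Fa-f]+)\s+Ack:\s*0x([0-9A-Fa-f]+)")


def parse_dump(text):
    """Extract src, dst, flags, seq and ack for every TCP packet in a Snort -v dump."""
    packets, endpoints = [], None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            endpoints = (m.group(1), m.group(2))
            continue
        m = TCP_LINE.match(line)
        if m and endpoints:
            packets.append({"src": endpoints[0], "dst": endpoints[1],
                            "flags": parse_flags(m.group(1)),
                            "seq": int(m.group(2), 16), "ack": int(m.group(3), 16)})
            endpoints = None
    return packets


def sid628_matches(pkt):
    """The detection part of SID 628: flags:A (exact) and ack:0."""
    return flags_match(pkt["flags"], "A") and pkt["ack"] == 0


# Sample input: the four packets quoted in the post above (MAC/timestamp lines omitted).
DUMP = """\
192.168.0.5:41212 -> 192.168.0.2:22 TCP TTL:230 TOS:0x0 ID:51498 IpLen:20 DgmLen:40 DF
***A**S* Seq: 0x107EBB12  Ack: 0x0  Win: 0x1452  TcpLen: 20
192.168.0.2:22 -> 192.168.0.5:41212 TCP TTL:64 TOS:0x0 ID:14947 IpLen:20 DgmLen:40
*****R** Seq: 0x0  Ack: 0x0  Win: 0x4000  TcpLen: 20
192.168.0.5:44960 -> 192.168.0.2:22 TCP TTL:203 TOS:0x0 ID:8361 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x498F1D65  Ack: 0x0  Win: 0x15E5  TcpLen: 20
192.168.0.2:22 -> 192.168.0.5:44960 TCP TTL:64 TOS:0x0 ID:31694 IpLen:20 DgmLen:40
*****R** Seq: 0x0  Ack: 0x0  Win: 0x4000  TcpLen: 20
"""


def evaluate(text=DUMP):
    """Return [(src, dst, flag-letters, matched)] for each packet in the dump."""
    return [(p["src"], p["dst"], "".join(sorted(p["flags"])), sid628_matches(p))
            for p in parse_dump(text)]


if __name__ == "__main__":
    for src, dst, flags, hit in evaluate():
        print("%-20s -> %-18s %-3s %s" % (src, dst, flags, "SID 628" if hit else "-"))
```

Run as a script it prints one line per packet; only the third (ACK alone, ack 0) is flagged. Changing the rule to `flags:A+` would also match the SYN-ACK probe, which is the kind of difference that decides whether a signature ever fires in practice.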



