[Snort-sigs] SID 1228
warchild at ...288...
Fri Feb 15 19:38:03 EST 2002
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NMAP
XMAS";flags:FPU; reference:arachnids,30; classtype:attempted-recon;
A nmap XMAS scan was detected.
System reconnaissance that may include open/closed/firewalled ports,
Nmap sets the URG PSH and FIN bits as part of it's XMAS scan.
Typically, a closed port will respond with an ACK RST, whereas an open
port may not respond at all. However, this varies from machine to
machine, and also depends on what (if any) filtering policies are in
place between the hosts in question.
As part of information gathering that may occur before a more
dedicated attack, an attacker may choose to use nmap's XMAS scan to
determine open/closed ports.
Ease of Attack:
Trivial. Nmap is freely available to anyone who wishes to use it.
The only requirement is root/elevated privledges (the XMAS scan
requires this) and a lack of proper filtering between the two
Few, if any. The FIN PSH and URG flags should never be seen together
in normal TCP traffic.
Determine what ports may have responded as being open, and what clues
that may give an attacker relating to potential attacks.
Additionally, investigate the use of proper ingress/egress filtering.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
More information about the Snort-sigs