[Snort-sigs] SID 1228

Warchild warchild at ...288...
Fri Feb 15 19:38:03 EST 2002

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NMAP
XMAS";flags:FPU; reference:arachnids,30; classtype:attempted-recon;
sid:1228; rev:1;) 


A nmap XMAS scan was detected.

System reconnaissance that may include open/closed/firewalled ports,

Detailed Information:
Nmap sets the URG PSH and FIN bits as part of it's XMAS scan.
Typically, a closed port will respond with an ACK RST, whereas an open
port may not respond at all.  However, this varies from machine to
machine, and also depends on what (if any) filtering policies are in
place between the hosts in question.

Attack Scenarios:
As part of information gathering that may occur before a more
dedicated attack, an attacker may choose to use nmap's XMAS scan to
determine open/closed ports.
Ease of Attack:
Trivial.  Nmap is freely available to anyone who wishes to use it.
The only requirement is root/elevated privledges (the XMAS scan
requires this) and a lack of proper filtering between the two

False Positives:
Few, if any.  The FIN PSH and URG flags should never be seen together
in normal TCP traffic.

False Negatives:

Corrective Action:
Determine what ports may have responded as being open, and what clues
that may give an attacker relating to potential attacks.
Additionally, investigate the use of proper ingress/egress filtering.

Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

Additional References:

More information about the Snort-sigs mailing list