[Snort-sigs] SID 624

Al a.hood at ...314...
Mon Mar 4 02:32:08 EST 2002


Warchild

I'd add to the false positives section:

--
False Positives:
Under certain conditions some Cisco routers (and possibly other devices) 
create SF packets, so view this rule in context of other activity (eg 
multiple connections from same host, corroborating snort alerts etc)
--

Cheers
Al


On Saturday 02 March 2002 6:25 pm, you wrote:
> Rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN
> FIN";flags:SF; reference:arachnids,198; classtype:attempted-recon;
> sid:624; rev:1;) 
> 
> --
> Sid:
> 624
> 
> --
> Summary:
> A tcp packet with it's SYN and FIN flags set was detected.
> 
> --
> Impact:
> Information regarding firewall rulesets, open/closed ports, ACLs, and
> possibly even OS type is possible.  This technique can also be used to
> bypass certain firewalls or traffic filtering/shaping devices.
> 
> --
> Detailed Information:
> A tcp packet with it's SYN and FIN flags set was detected.  Most
> stacks will respond with an ACK SYN indicating that the port was open,
> whereas a closed port will illicit an ACK RST.  
> 
> --
> Attack Scenarios:
> As part of information gathering leading up to another (more directed)
> attack, an attacker may attempt to figure out what ports are
> open/closed on a remote machine.
> 
> --
> Ease of Attack:
> Intermediate.  To initiate an attack of this type, an attacker either
> needs a tool that can send packets with the SYN and FIN flags set or
> the ability to craft their own packets.  The former is easy, the later
> requires a more advanced skillset.
> 
> --
> False Positives:
> None.
> 
> --
> False Negatives:
> None.
> 
> --
> Corrective Action:
> Determine if this particular port would have responded as being open
> or closed.  If open, watch for more attacks on this particular service
> or from the remote machine that sent the packet.  If closed, simply
> watch for more traffic from this host.
> 
> --
> Contributors:
> Jon Hart <jhart at ...289...>
> 
> -- 
> Additional References:
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 

-- 
The above correspondence is solely informal, and does not
constitute the views or advice of QinetiQ in any way




More information about the Snort-sigs mailing list