[Snort-sigs] Documentation: SID 629
alexander.s at ...1565...
Fri Jun 20 09:52:13 EDT 2003
SCAN nmap fingerprint attempt
nmap is a common port scanner and reconnaissance tool. When run with
the '-O' option, it attempts to identify the remote operating system.
Can provide useful reconnaissance information to an attacker. Has been
known to cause a denial of service on some older hosts.
nmap attempts to identify the remote operating system by looking for
different services that are common or specific to particular operating
systems. It also sends a variety of abnormal packets that are often
handled differently by different operating systems so that it can
differentiate based on the responses.
nmap is often used before an attempt to gain access to a system.
Ease of Attack:
Unknown. The signature may be produced by other scanners but is
unlikely to be used for legitimate activity.
Block any TCP packets that have the SYN, FIN, PUSH and URGENT flags set
using a firewall. Block only packets that have all four of the flags
set as they are individually and in other combinations necessary for
normal TCP traffic. If you block them individually or in other
combinations your network will not function correctly.
Documentation - Steven Alexander<alexander.s at ...1565...>
More information about the Snort-sigs