[Snort-sigs] Documentation: SID 629

Steven Alexander alexander.s at ...1565...
Fri Jun 20 09:52:13 EDT 2003


SCAN nmap fingerprint attempt



nmap is a common port scanner and reconnaissance tool.  When run with
the '-O' option, it attempts to identify the remote operating system.


Can provide useful reconnaissance information to an attacker.  Has been
known to cause a denial of service on some older hosts.

Detailed Information:

nmap attempts to identify the remote operating system by looking for
different services that are common or specific to particular operating
systems.  It also sends a variety of abnormal packets that are often
handled differently by different operating systems so that it can
differentiate based on the responses.

Affected Systems:


Attack Scenarios:

nmap is often used before an attempt to gain access to a system.  

Ease of Attack:
Very Simple

False Positives:

Unknown.  The signature may be produced by other scanners but is
unlikely to be used for legitimate activity.

False Negatives:

None known.

Corrective Action:

Block any TCP packets that have the SYN, FIN, PUSH and URGENT flags set
using a firewall.  Block only packets that have all four of the flags
set, as they are individually and in other combinations necessary for
normal TCP traffic.  If you block them individually or in other
combinations, your network will not function correctly.

Documentation - Steven Alexander<alexander.s at ...1565...>

Additional References:


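The flag test described under Corrective Action, as an added example that is not part of the original post or of the Snort rule set. It reads the flag byte from a raw TCP header and drops only when SYN, FIN, PUSH and URGENT are all set; the function names, the sample headers and the choice to ignore the ACK and RST bits are assumptions made for the illustration.

```python
import struct

# TCP flag bits, carried in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBE_MASK = SYN | FIN | PSH | URG  # the combination named in the post


def build_tcp_header(flags, sport=40000, dport=80, seq=1, ack=0):
    """Build a constructed 20-byte TCP header (checksum left at 0)."""
    offset_reserved = 5 << 4  # data offset of 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_reserved, flags, 1024, 0, 0)


def tcp_flags(header):
    """Return the flag byte of a raw TCP header, rejecting malformed input."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("invalid TCP data offset")
    return header[13]


def should_drop(header):
    """Drop only when all four flags are set together (assumption: ACK and
    RST are ignored). Testing the flags one at a time would drop normal
    traffic, which is the failure the post warns about."""
    return (tcp_flags(header) & PROBE_MASK) == PROBE_MASK


# Constructed sample flag combinations: ordinary traffic plus the probe.
SAMPLES = {
    "SYN (connection open)": SYN,
    "SYN+ACK (handshake reply)": SYN | ACK,
    "PSH+ACK (data segment)": PSH | ACK,
    "FIN+ACK (connection close)": FIN | ACK,
    "URG+PSH+ACK (urgent data)": URG | PSH | ACK,
    "SYN+FIN+PSH+URG (probe)": PROBE_MASK,
}


def classify_samples():
    """Map each sample name to the drop decision for its header."""
    return {name: should_drop(build_tcp_header(flags))
            for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for name, drop in classify_samples().items():
        print(f"{'DROP' if drop else 'pass'}  {name}")
```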