[Snort-sigs] question about rule detect nmap scan

Fri Jul 25 10:21:10 EDT 2014


On 07/25/2014 03:18 AM, Vuong D. Chieu wrote:
> 
> Can you help me test a rule to detect nmap scans?
> This is my rule, but it is not working:
> 
> alert tcp any any -> any any (sid:1000005; gid:1; flow:stateless; ack:0; flags:S; ttl:>220; priority:1; msg:"nmap scan"; classtype:network-scan; rev:1; )

This will end up matching on more than just NMAP; consider adding an MSS value
of zero as well.

Cheers,
Nathan
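To see why the posted rule is broad and what Nathan's extra MSS condition changes, here is an added example (not from the thread or from Snort) that applies the rule's conditions (SYN only, ack 0, TTL > 220) and then the additional "MSS option equals zero" check to a few constructed TCP headers. The packets, ports and TTL values are made up for illustration.

```python
import struct

TCP_SYN = 0x02  # SYN flag bit in the TCP flags byte

def mss_option(value):
    """Build a TCP MSS option: kind 2, length 4, 16-bit value."""
    return struct.pack("!BBH", 2, 4, value)

def build_tcp(flags, ack=0, options=b""):
    """Constructed minimal TCP header (no checksum computed; not sent anywhere)."""
    hdr_len = 20 + len(options)
    offset_flags = ((hdr_len // 4) << 12) | flags   # data offset in words + flags
    hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, ack, offset_flags, 1024, 0, 0)
    return hdr + options

def parse_tcp(raw):
    """Return flags, ack number and MSS option value (None if absent)."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    hdr_len = (off_flags >> 12) * 4
    flags = off_flags & 0xFF          # Snort's flags keyword looks at these 8 bits
    mss = None
    opts = raw[20:hdr_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP padding, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4: # MSS option
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"flags": flags, "ack": ack, "mss": mss}

def matches_posted_rule(ttl, tcp):
    """Conditions of the posted rule: flags:S (SYN only), ack:0, ttl:>220."""
    return tcp["flags"] == TCP_SYN and tcp["ack"] == 0 and ttl > 220

def matches_with_mss_check(ttl, tcp):
    """Posted rule plus Nathan's suggestion: MSS option present and equal to zero."""
    return matches_posted_rule(ttl, tcp) and tcp["mss"] == 0

# Constructed samples: (description, IP TTL, raw TCP header)
SAMPLES = [
    ("normal client SYN, ttl 64, mss 1460", 64, build_tcp(TCP_SYN, options=mss_option(1460))),
    ("ordinary SYN with high ttl, mss 1460", 250, build_tcp(TCP_SYN, options=mss_option(1460))),
    ("SYN with high ttl and mss 0", 250, build_tcp(TCP_SYN, options=mss_option(0))),
]

def evaluate(samples=SAMPLES):
    """Map each sample to (posted-rule hit, hit with the added MSS condition)."""
    return {d: (matches_posted_rule(t, parse_tcp(r)), matches_with_mss_check(t, parse_tcp(r)))
            for d, t, r in samples}
```

The second sample fires the posted rule on a plain SYN that merely has a high TTL, while the MSS condition narrows the match to the third sample.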