[Snort-sigs] Rule to detect NMAP FIN Stealth Scan

Patrick Mullen pmullen at sourcefire.com
Mon Jul 10 13:55:08 EDT 2017


Look into the snort portscan preprocessor and enable it.

https://www.snort.org/faq/readme-sfportscan

That's a pretty odd reason to block access, though.  But, hey, ISPs are
allowed to have whatever policies they want.



Thanks,

~Patrick


On Mon, Jul 10, 2017 at 1:18 PM, Joe Magueta <joe at pcwe.ca> wrote:

> Hi all.
>
>
>
> I’m new to SNORT and have received information from my ISP that they are
> blocking my connection because there is an “NMAP FIN Stealth Scan”
> happening from my network. Is there a rule that exists already to detect
> this? If not, can anyone help me set up a rule on SNORT to detect the scan
> and the device/s performing it?
>
> Any help is appreciated.
>
>
>
> Thank you.
>
>
>
> Joe


-- 
Patrick Mullen
Response Research Manager
Cisco TALOS
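
Added example, not part of the original messages and not an official Snort rule: a Snort 2.9 configuration that enables the sfPortscan preprocessor suggested in the reply, plus a local rule that names the internal host sending bare FIN packets. The sid, message text, thresholds and log file name are constructed for illustration, and the sensor is assumed to sit inside the NAT boundary so that it sees the real internal source addresses.

```conf
# --- snort.conf (Snort 2.9.x) ---
# sfPortscan relies on the stream preprocessor, which the stock snort.conf
# already enables. Its alerts are raised under generator ID 122.
# sense_level low alerts on negative responses (for example RSTs coming back
# from scanned hosts); raise it to medium or high only after tuning.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    logfile { portscan.log }

# --- local.rules ---
# A normal connection teardown sends FIN together with ACK, so a packet with
# only FIN set is anomalous. flags:F,CE matches FIN alone while ignoring the
# two ECN bits. flow:stateless evaluates the rule even though the packet
# belongs to no tracked session. detection_filter suppresses the alert until
# one source exceeds 20 such packets in 10 seconds, so the alert's source
# address is the device doing the scanning.
# sid 1000001 is a constructed value in the local-rule range.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL outbound FIN-only TCP packets, possible FIN scan"; \
    flow:stateless; flags:F,CE; \
    detection_filter:track by_src, count 20, seconds 10; \
    classtype:attempted-recon; sid:1000001; rev:1;)
```

HOME_NET must be set to the internal address range for the direction of the rule to be meaningful.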