Fw: [Snort-users] False PING NMAP TCP

Jim Forster jforster at ...176...
Fri Aug 4 12:30:01 EDT 2000


Oooops... Meant to shoot this one to the list.  :P

----- Original Message ----- 
From: "Jim Forster" <jforster at ...176...>
To: "Laurie Zirkle" <lat at ...214...>
Sent: Friday, August 04, 2000 10:23 AM
Subject: Re: [Snort-users] False PING NMAP TCP


> Laurie,
> The newer rulesets have an updated rule for this alert.  (Credits to Max
> Vision on the update)
> alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS28 - PING NMAP TCP";flags:A;ack:0;)
> Thanks.
> 
> Jim Forster
> Network Administrator
> RapidNet / DakotaConnect
> 
> When I'm feeling down, I like to whistle.
> It makes the neighbor's dog run to the end of his chain and gag himself.
> 
> ----- Original Message -----
> From: "Laurie Zirkle" <lat at ...214...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Friday, August 04, 2000 9:57 AM
> Subject: [Snort-users] False PING NMAP TCP
> 
> 
> > > I'm starting to see more false alerts from the PING NMAP TCP alert
> > from the rules at www.snort.org.  In particular, load-balancing is
> > being flagged as PING NMAP TCP.  Any chance of getting a better rule
> > for this?  Here's one example:
> >
> > > Aug  4 08:41:59 hostm snort[314]: IDS028 - PING NMAP TCP: 205.128.11.157:80 -> z.y.w.98:53
> > > Aug  4 08:41:59 hostm snort[314]: IDS028 - PING NMAP TCP: 205.128.11.157:53 -> z.y.w.98:53
> > ------
> > [**] IDS028 - PING NMAP TCP [**]
> > 08/04-08:41:59.180096 205.128.11.157:80 -> z.y.w.98:53
> > TCP TTL:44 TOS:0x0 ID:37618
> > ******A* Seq: 0x335   Ack: 0x0   Win: 0x578
> > 00 00 00 00 00 00                                ......
> >
> > [**] IDS028 - PING NMAP TCP [**]
> > 08/04-08:41:59.180237 205.128.11.157:53 -> z.y.w.98:53
> > TCP TTL:44 TOS:0x0 ID:37619
> > ******A* Seq: 0x336   Ack: 0x0   Win: 0x578
> > 00 00 00 00 00 00                                ......
> >
> >
> >
> >
> > --
> > Laurie
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
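Added example, not code from the thread or from the Snort project: the script below applies the conditions of the rule Jim quotes (source outside $HOME_NET, destination inside it, ACK the only flag set, acknowledgement number zero) to Snort 1.x text alerts. Its input is the two alert blocks from Laurie's mail plus two constructed packets that must not match. The alert regex, the "z.y.w." prefix standing in for $HOME_NET, and the two extra packets are assumptions of the example.

```python
"""Evaluate the conditions of the updated IDS28 rule against Snort 1.x text
alerts.  Added example; not code from Snort or from this thread."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Sample input: the two alert blocks from Laurie's mail, followed by two
# CONSTRUCTED packets the rule must not match (a bare SYN, and an ACK that
# carries the non-zero acknowledgement number of an established session).
# Only the letters in the flag field are inspected, not their column.
SAMPLE_ALERTS = """\
[**] IDS028 - PING NMAP TCP [**]
08/04-08:41:59.180096 205.128.11.157:80 -> z.y.w.98:53
TCP TTL:44 TOS:0x0 ID:37618
******A* Seq: 0x335   Ack: 0x0   Win: 0x578

[**] IDS028 - PING NMAP TCP [**]
08/04-08:41:59.180237 205.128.11.157:53 -> z.y.w.98:53
TCP TTL:44 TOS:0x0 ID:37619
******A* Seq: 0x336   Ack: 0x0   Win: 0x578

[**] constructed: bare SYN, ACK bit clear [**]
08/04-08:42:10.000000 205.128.11.157:1234 -> z.y.w.98:80
TCP TTL:44 TOS:0x0 ID:37700
******S* Seq: 0x1000   Ack: 0x0   Win: 0x578

[**] constructed: ACK from an established session [**]
08/04-08:42:11.000000 205.128.11.157:1234 -> z.y.w.98:80
TCP TTL:44 TOS:0x0 ID:37701
******A* Seq: 0x1001   Ack: 0x7F3A2C11   Win: 0x578
"""

# One alert block: "<timestamp> <src>:<sport> -> <dst>:<dport>", the TCP
# header line, then the 8-character flag field with Seq and Ack in hex.
ALERT_RE = re.compile(
    r"^\S+ (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"TCP [^\n]*\n"
    r"(?P<flags>[12UAPRSF*]{8}) Seq: 0x(?P<seq>[0-9a-fA-F]+)"
    r"\s+Ack: 0x(?P<ack>[0-9a-fA-F]+)",
    re.MULTILINE,
)


@dataclass(frozen=True)
class TcpHeader:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # letters of the TCP flags that are set
    seq: int
    ack: int


def parse_alerts(text: str) -> List[TcpHeader]:
    """Extract the fields the rule tests from every alert block in text."""
    out = []
    for m in ALERT_RE.finditer(text):
        letters = frozenset(c for c in m["flags"] if c != "*")
        out.append(TcpHeader(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                             letters, int(m["seq"], 16), int(m["ack"], 16)))
    return out


def in_sanitized_home_net(addr: str) -> bool:
    """Constructed stand-in for $HOME_NET: Laurie sanitized her hosts to z.y.w.N."""
    return addr.startswith("z.y.w.")


def matches_ids28(pkt: TcpHeader,
                  is_home: Callable[[str], bool] = in_sanitized_home_net) -> bool:
    """Conditions of:
       alert tcp !$HOME_NET any -> $HOME_NET any
             (msg:"IDS28 - PING NMAP TCP";flags:A;ack:0;)
    !$HOME_NET -> $HOME_NET : source outside, destination inside
    flags:A                 : ACK is the only flag set (bare flags:A is exact)
    ack:0                   : acknowledgement number is zero
    """
    if is_home(pkt.src) or not is_home(pkt.dst):
        return False
    return pkt.flags == frozenset("A") and pkt.ack == 0


def evaluate(text: str,
             is_home: Callable[[str], bool] = in_sanitized_home_net) -> List[Tuple[str, bool]]:
    """Return ("src:sport -> dst:dport", matched) for every alert block in text."""
    return [(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", matches_ids28(p, is_home))
            for p in parse_alerts(text)]


if __name__ == "__main__":
    for flow, hit in evaluate(SAMPLE_ALERTS):
        print(f"{'MATCH ' if hit else 'no hit'} {flow}")
```

Run as-is it reports a match for both of Laurie's packets: as printed they satisfy every condition of the updated rule (ACK alone, acknowledgement number 0, outside to inside), so the flags/ack test by itself does not separate that load balancer's probes from an nmap TCP ping, and a site that knows the balancer's address would have to exclude it separately. The two constructed packets show what the rule does reject: a SYN (wrong flag) and an ACK from a real session (non-zero acknowledgement number).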