[Snort-users] Snort and Random ACK Scans

Daniel van Balen vdaniel at ...191...
Thu Aug 10 11:32:39 EDT 2000

On Wed, Aug 02, 2000 at 10:38:46AM -0700, Brent Erickson wrote:
> I am fairly new to Snort. I have run it on Linux and have been running it for 3 weeks on Windows NT. On Windows I am still running version 1.6 but with the latest 0727k rules, the backdoor rules, the vision rules and the scan-lib rules.
> Will Snort alert on random ACK scans ?? I have tried running NMAP in the mode:
> nmap -v -sA -PO -p6000-62000 target
> Snort does not alert, Snort however does catch and alert on the FIN and XMAS scans.

	I checked this out and it seems very interesting! As far as I can tell
snort does NOT detect ACK scans. But I don't have the lattest version of snort
either (maybe the lattest portscan preprocessor now detects ACK scans?).
	But i't seems like there's a bug in nmap:
	Acording to the nmap man page:

       -sA    ACK scan: This advanced method is usually  used  to
              map  out  firewall rulesets.  In particular, it can
              help determine whether a firewall  is  stateful  or
              just  a  simple  packet filter that blocks incoming
              SYN packets.

              This scan type sends an  ACK  packet  (with  random
              looking  acknowledgement/sequence  numbers)  to the
              ports specified.  If a RST comes back, the ports is
              classified  as "unfiltered".  If nothing comes back
              (or if an ICMP unreachable is returned),  the  port
              is  classified  as "filtered".  Note that nmap usu­
              ally doesn't print "unfiltered" ports,  so  getting
              no ports shown in the output is usually a sign that
              all the probes got  through  (and  returned  RSTs).
              This  scan  will  obviously never show ports in the
              "open" state.

	But there seems to be a bug in nmap... If you don't give it the "-v"
option, nmap will send ACK packets with random looking sequence numbers but
*with ack=0* which will be detected by the "NMAP TCP PING" rule. Is the Fyodor
on this list the nmap Fyodor?
	BTW I don't think it would be too hard to implement ACK scan detection
in the portscan preprocessor (please correct me if I'm wrong): Proceed as normal
but instead of looking for connection attempts (or Syn packets), look for ACK
packets to a bunch of ports all with *THE SAME* (random looking)
acknoledgement, sequence and (methinks) window values.

> I have studied several of the rule sets and it seems like Snort would catch the ack scans.

	Which rule(s) are you refering to?

> I am doing something wrong?

	Probably not... :-)


More information about the Snort-users mailing list