[Snort-users] Snort and Random ACK Scans
Daniel van Balen
vdaniel at ...191...
Thu Aug 10 11:32:39 EDT 2000
On Wed, Aug 02, 2000 at 10:38:46AM -0700, Brent Erickson wrote:
> I am fairly new to Snort. I have run it on Linux and have been running it for 3 weeks on Windows NT. On Windows I am still running version 1.6 but with the latest 0727k rules, the backdoor rules, the vision rules and the scan-lib rules.
> Will Snort alert on random ACK scans ?? I have tried running NMAP in the mode:
> nmap -v -sA -PO -p6000-62000 target
> Snort does not alert, Snort however does catch and alert on the FIN and XMAS scans.
I checked this out and it seems very interesting! As far as I can tell
snort does NOT detect ACK scans. But I don't have the latest version of snort
either (maybe the latest portscan preprocessor now detects ACK scans?).
But it seems like there's a bug in nmap:
According to the nmap man page:
-sA ACK scan: This advanced method is usually used to
map out firewall rulesets. In particular, it can
help determine whether a firewall is stateful or
just a simple packet filter that blocks incoming
This scan type sends an ACK packet (with random
looking acknowledgement/sequence numbers) to the
ports specified. If a RST comes back, the port is
classified as "unfiltered". If nothing comes back
(or if an ICMP unreachable is returned), the port
is classified as "filtered". Note that nmap usually
doesn't print "unfiltered" ports, so getting
no ports shown in the output is usually a sign that
all the probes got through (and returned RSTs).
This scan will obviously never show ports in the
But there seems to be a bug in nmap... If you don't give it the "-v"
option, nmap will send ACK packets with random looking sequence numbers but
*with ack=0* which will be detected by the "NMAP TCP PING" rule. Is the Fyodor
on this list the nmap Fyodor?
BTW I don't think it would be too hard to implement ACK scan detection
in the portscan preprocessor (please correct me if I'm wrong): Proceed as normal
but instead of looking for connection attempts (or Syn packets), look for ACK
packets to a bunch of ports all with *THE SAME* (random looking)
acknowledgement, sequence and (methinks) window values.
> I have studied several of the rule sets and it seems like Snort would catch the ack scans.
Which rule(s) are you referring to?
> I am doing something wrong?
Probably not... :-)
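As an added illustration (not part of the original message, and not Snort's own preprocessor code), the detection idea Daniel sketches above can be tried out on a handful of constructed TCP packet summaries: group bare-ACK packets by source, destination and their (seq, ack, window) triple, and flag any group that touches many distinct ports. A second helper isolates ACK packets whose acknowledgement number is 0, the condition he says the "NMAP TCP PING" rule matches. The packet records, addresses and the port threshold of 5 are all made up for the example.

```python
from collections import defaultdict

# Constructed packet summaries (not captured traffic). Fields:
# (src_ip, dst_ip, dst_port, flags, seq, ack, window)
SAMPLE_PACKETS = [
    # An ACK sweep as described in the post: one source, many ports,
    # identical random-looking seq/ack/window on every probe.
    ("10.0.0.5", "192.0.2.10", p, "A", 0x3A7F1C22, 0x9B2D4E10, 3072)
    for p in range(6000, 6008)
] + [
    # Normal traffic: ACKs inside an established session carry
    # different seq/ack numbers on each segment, so they never group.
    ("10.0.0.7", "192.0.2.10", 80, "A", 1000 + i * 512, 5000 + i * 256, 65535)
    for i in range(8)
] + [
    # A SYN from another host: not an ACK probe at all.
    ("10.0.0.9", "192.0.2.10", 22, "S", 12345, 0, 5840),
    # An ACK-only packet with ack=0, the shape Daniel attributes to
    # nmap when run without -v.
    ("10.0.0.11", "192.0.2.10", 80, "A", 777777, 0, 1024),
]


def detect_ack_sweeps(packets, port_threshold=5):
    """Group packets with only the ACK flag set by
    (src, dst, seq, ack, window) and return the groups that reached at
    least port_threshold distinct destination ports."""
    groups = defaultdict(set)
    for src, dst, dport, flags, seq, ack, window in packets:
        if flags != "A":  # skip anything that is not a bare ACK
            continue
        groups[(src, dst, seq, ack, window)].add(dport)
    return {
        key: sorted(ports)
        for key, ports in groups.items()
        if len(ports) >= port_threshold
    }


def zero_ack_probes(packets):
    """Return ACK-flagged packets whose acknowledgement number is 0."""
    return [p for p in packets if p[3] == "A" and p[5] == 0]


if __name__ == "__main__":
    for (src, dst, seq, ack, win), ports in detect_ack_sweeps(SAMPLE_PACKETS).items():
        print(f"ACK sweep from {src} to {dst}: ports {ports[0]}-{ports[-1]} "
              f"({len(ports)} ports), seq={seq:#x} ack={ack:#x} win={win}")
    for src, dst, dport, *_ in zero_ack_probes(SAMPLE_PACKETS):
        print(f"ack=0 probe from {src} to {dst}:{dport}")
```

Keying on the full (seq, ack, window) triple is what keeps the legitimate session traffic from 10.0.0.7 out of the result: its ACKs go to one port with ever-changing numbers, while the sweep repeats one triple across eight ports. The threshold is a tuning knob; too low and retransmitted ACKs on a busy host will trip it, too high and a slow sweep slips under it.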