[Snort-users] Snort and Random ACK Scans
fyodor at ...306...
Thu Aug 10 20:30:35 EDT 2000
On Thu, 10 Aug 2000, Daniel van Balen wrote:
> But there seems to be a bug in nmap... If you don't give it the "-v"
> option, nmap will send ACK packets with random looking sequence numbers but
> *with ack=0* which will be detected by the "NMAP TCP PING" rule.
I cannot reproduce this. What version of Nmap are you using?
I just tried 'nmap -P0 -sA -p22-25 -n 192.168.0.4' and watched the output
of 'tcpdump -v -n "dst host 192.168.0.4"':
17:06:01.739955 > 192.168.0.2.50203 > 192.168.0.4.smtp: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 17261)
17:06:01.742433 > 192.168.0.2.50203 > 192.168.0.4.24: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 33535)
17:06:01.742752 > 192.168.0.2.50203 > 192.168.0.4.telnet: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 3959)
17:06:01.742919 > 192.168.0.2.50203 > 192.168.0.4.ssh: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 28647)
I don't see any zero ACKs. If you can reproduce the zero ACKs, please
send me more information (Nmap version, command line used, preferably a
tcpdump trace, etc).
> Is the Fyodor
> on this list the nmap Fyodor?
No, but that is a very common point of confusion. I get SnortNet mail all
the time and he gets Nmap mail :). I am not a Snort developer (or user),
but I think the project has the potential to grow into a serious IDS that
can be used securely and effectively in production environments. I know
many great people who are working on it.
Fyodor 'finger pgp at ...307... | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.insecure.org/nmap/
"The percentage of users running Windows NT Workstation 4.0 whose PCs
stopped working more than once a month was less than half that of Windows
95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp
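As an added example (not part of the original post or of Snort or Nmap), the following Python parses tcpdump summary lines in the format shown above and flags the pattern the thread says the "NMAP TCP PING" rule keys on: a bare ACK segment (no SYN/FIN/RST/PSH, shown as "." by tcpdump) whose acknowledgment number is 0. The four input lines are the ones from the post; the fifth line with "ack 0" is constructed to show what a hit looks like. The stray ">" after each timestamp in the archived post is tolerated by the regex.

```python
"""Check tcpdump TCP summary lines for a bare ACK segment with ack == 0,
the signature the Snort 'NMAP TCP PING' rule looks for (as described in the thread)."""
import re

# Old-style tcpdump TCP summary line, as printed in the thread:
#   HH:MM:SS.frac [>] src.port > dst.port: flags seq:seq(len) ack N win N (ttl N, id N)
# The '>' after the timestamp is an artifact of the archived post, so it is optional here.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:>\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<seq>\d+):\d+\(\d+\)\s+"
    r"ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
)


def parse_tcp_line(line):
    """Return a dict of the parsed fields, or None if the line is not a TCP summary."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "ack", "win"):
        rec[key] = int(rec[key])
    return rec


def is_ack_zero_probe(rec):
    """True when only the ACK flag is set ('.' means no S/F/R/P in tcpdump) and ack == 0.
    A legitimate mid-connection ACK essentially never acknowledges sequence number 0,
    which is why a zero ack is usable as a signature."""
    return rec["flags"] == "." and rec["ack"] == 0


def find_ack_zero_probes(lines):
    """Return (timestamp, src, dst) for every line matching the ack == 0 pattern."""
    hits = []
    for line in lines:
        rec = parse_tcp_line(line)
        if rec and is_ack_zero_probe(rec):
            hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits


# The four lines from the post: random-looking seq, non-zero ack -> no hit.
THREAD_LINES = [
    "17:06:01.739955 > 192.168.0.2.50203 > 192.168.0.4.smtp: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 17261)",
    "17:06:01.742433 > 192.168.0.2.50203 > 192.168.0.4.24: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 33535)",
    "17:06:01.742752 > 192.168.0.2.50203 > 192.168.0.4.telnet: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 3959)",
    "17:06:01.742919 > 192.168.0.2.50203 > 192.168.0.4.ssh: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 28647)",
]

# Constructed line (not from the post): same shape, but ack 0, which the rule would catch.
CONSTRUCTED_ZERO_ACK = (
    "17:06:02.000000 > 192.168.0.2.50203 > 192.168.0.4.http: . "
    "4283982709:4283982709(0) ack 0 win 4096 (ttl 55, id 1)"
)

if __name__ == "__main__":
    print("hits in posted trace:", find_ack_zero_probes(THREAD_LINES))
    print("hits with constructed ack=0 line:",
          find_ack_zero_probes(THREAD_LINES + [CONSTRUCTED_ZERO_ACK]))
```

Run against only the posted lines the function returns nothing, which matches Fyodor's observation that the ACKs in his trace are non-zero; only the constructed line is reported.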