[Snort-users] Snort and Random ACK Scans

Fyodor fyodor at ...306...
Thu Aug 10 20:30:35 EDT 2000


On Thu, 10 Aug 2000, Daniel van Balen wrote:

> 	But there seems to be a bug in nmap... If you don't give it the "-v"
> option, nmap will send ACK packets with random looking sequence numbers but
> *with ack=0* which will be detected by the "NMAP TCP PING" rule.

I cannot reproduce this.  What version of Nmap are you using?

I just tried 'nmap -P0 -sA -p22-25 -n 192.168.0.4' and watched the output
of 'tcpdump -v -n "dst host 192.168.0.4"':

17:06:01.739955 > 192.168.0.2.50203 > 192.168.0.4.smtp: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 17261)
17:06:01.742433 > 192.168.0.2.50203 > 192.168.0.4.24: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 33535)
17:06:01.742752 > 192.168.0.2.50203 > 192.168.0.4.telnet: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 3959)
17:06:01.742919 > 192.168.0.2.50203 > 192.168.0.4.ssh: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55,  id 28647)

I don't see any zero ACKs.  If you can reproduce the zero ACKs, please
send me more information (Nmap version, command line used, preferably a
tcpdump trace, etc).

> Is the Fyodor
> on this list the nmap Fyodor?

No, but that is a very common point of confusion.  I get SnortNet mail all
the time and he gets Nmap mail :).  I am not a Snort developer (or user),
but I think the project has the potential to grow into a serious IDS that
can be used securely and effectively in production environments.  I know
many great people who are working on it.

Cheers,
Fyodor

--
Fyodor                            'finger pgp at ...307... | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
"The percentage of users running Windows NT Workstation 4.0 whose PCs
 stopped working more than once a month was less than half that of Windows 
 95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp
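As an added example, not part of the original message and not Snort's or Nmap's own code: the condition the thread attributes to the "NMAP TCP PING" rule (a bare ACK whose acknowledgement number is 0), applied to tcpdump lines in the classic format Fyodor quoted above. The four archived lines are included verbatim; the fifth line is constructed to show what a hit looks like, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Classic tcpdump TCP summary line, the layout used in the thread.  In this format
# the ACK flag is not part of the flags field; it is signalled by "ack N" being present.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:>\s+)?"   # timestamp; tolerate the stray "> " in the archive
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"           # host.port > host.port:
    r"(?P<flags>[A-Z.]+)\s+"                         # S, F, P, R or "." for none of those
    r"(?P<seq>\d+):(?P<seq_end>\d+)\((?P<payload>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?"                    # optional acknowledgement number
    r"\s+win\s+(?P<win>\d+)"
)


@dataclass
class TcpSummary:
    ts: str
    src: str
    dst: str
    flags: str
    seq: int
    payload_len: int
    ack: Optional[int]   # None when the ACK flag is not set
    win: int


def parse_tcpdump_line(line: str) -> Optional[TcpSummary]:
    """Parse one classic-format tcpdump TCP line; return None for any other shape."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    return TcpSummary(
        ts=m["ts"], src=m["src"], dst=m["dst"], flags=m["flags"],
        seq=int(m["seq"]), payload_len=int(m["payload"]),
        ack=int(m["ack"]) if m["ack"] is not None else None,
        win=int(m["win"]),
    )


def is_zero_ack_probe(pkt: TcpSummary) -> bool:
    """The check described in the thread: a bare ACK (no SYN/FIN/RST/PSH, no
    payload) carrying acknowledgement number 0."""
    return pkt.flags == "." and pkt.payload_len == 0 and pkt.ack == 0


def find_zero_ack_probes(lines) -> List[TcpSummary]:
    """Return the parsed packets that satisfy the zero-ack condition."""
    hits = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is not None and is_zero_ack_probe(pkt):
            hits.append(pkt)
    return hits


# The four lines Fyodor posted (nonzero ack, so not matched) plus one CONSTRUCTED
# line shaped like the zero-ack packet Daniel described.
SAMPLE_LINES = [
    "17:06:01.739955 > 192.168.0.2.50203 > 192.168.0.4.smtp: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 17261)",
    "17:06:01.742433 > 192.168.0.2.50203 > 192.168.0.4.24: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 33535)",
    "17:06:01.742752 > 192.168.0.2.50203 > 192.168.0.4.telnet: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55, id 3959)",
    "17:06:01.742919 > 192.168.0.2.50203 > 192.168.0.4.ssh: . 4283982709:4283982709(0) ack 46607227 win 4096 (ttl 55,  id 28647)",
    # constructed sample, not from the thread:
    "17:06:05.000001 192.168.0.9.40000 > 192.168.0.4.http: . 1234567890:1234567890(0) ack 0 win 1024 (ttl 64, id 100)",
]

if __name__ == "__main__":
    for p in find_zero_ack_probes(SAMPLE_LINES):
        print(f"{p.ts} {p.src} -> {p.dst}: bare ACK with ack=0 (seq {p.seq})")
```

Run as a script it reports only the constructed fifth line, which agrees with Fyodor's observation that the archived packets carry a nonzero acknowledgement number. Note that 0 is a legal acknowledgement number (the 32-bit field wraps), so a rule keyed on this condition alone can in rare cases fire on legitimate traffic; the source/destination pattern across ports, as in the four lines above, is the stronger signal.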
