[Snort-users] Snort and Random ACK Scans

Fyodor fyodor at ...306...
Fri Aug 11 15:15:41 EDT 2000


On Fri, 11 Aug 2000, Daniel van Balen wrote:

> I've got nmap installed via rpm: "nmap-2.53-1".

Thanks Daniel.  I downgraded to that version and was indeed able to
reproduce the "0 Ack" issue you reported.  But this characteristic doesn't
exist in newer versions of Nmap (e.g. 2.54BETA2 -- see
http://www.insecure.org/nmap/ ), so it probably should not be used as the
Snort ACK scan detection mechanism.  Ideally, Snort should detect a more
fundamental aspect of the scan, such as a flurry of ACK packets which
don't relate to any established connection.

Cheers,
Fyodor
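
The detection idea suggested in the message above (a flurry of ACK-only packets that match no connection the sensor saw being opened), as an added example; it is not Snort code and not part of the original post. The packet tuple layout, the window and threshold values, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 5.0     # seconds of history kept per source (assumed tuning value)
THRESHOLD = 10   # distinct unsolicited-ACK targets before alerting (assumed)

def detect_ack_scans(packets, window=WINDOW, threshold=THRESHOLD):
    """Return {src: timestamp of first alert} for sources that send many
    ACK-only segments unrelated to any connection whose SYN was observed.
    packets: iterable of (ts, src, sport, dst, dport, flags), flags like "S", "SA", "A".
    """
    flows = set()                 # 4-tuples for which a SYN or SYN/ACK was seen
    recent = defaultdict(deque)   # src -> (ts, (dst, dport)) of unsolicited ACKs
    alerts = {}
    for ts, src, sport, dst, dport, flags in packets:
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if "S" in flags:          # connection being opened: remember the flow
            flows.add(key)
            continue
        if "R" in flags:          # reset: forget the flow in both directions
            flows.discard(key)
            flows.discard(rkey)
            continue
        if flags != "A" or key in flows or rkey in flows:
            continue              # not a bare ACK, or it belongs to a known flow
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire entries older than the window
        # Count distinct targets, not packets: a sensor that missed a SYN sees
        # many ACKs on one flow, which should not look like a scan.
        if src not in alerts and len({t for _, t in q}) >= threshold:
            alerts[src] = ts
    return alerts

# Constructed sample: one normal handshake, then bare ACKs to 12 ports.
SAMPLE = [
    (0.00, "10.0.0.5", 40000, "10.0.0.80", 80, "S"),
    (0.01, "10.0.0.80", 80, "10.0.0.5", 40000, "SA"),
    (0.02, "10.0.0.5", 40000, "10.0.0.80", 80, "A"),
    (0.03, "10.0.0.80", 80, "10.0.0.5", 40000, "A"),
] + [(1 + i * 0.125, "192.0.2.66", 50000, "10.0.0.80", 20 + i, "A")
     for i in range(12)]

if __name__ == "__main__":
    for src, ts in detect_ack_scans(SAMPLE).items():
        print(f"possible ACK scan from {src} at t={ts}")
```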