[Snort-users] Snort and Random ACK Scans
fyodor at ...306...
Fri Aug 11 15:15:41 EDT 2000

On Fri, 11 Aug 2000, Daniel van Balen wrote:
> I've got nmap installed via rpm: "nmap-2.53-1".

Thanks Daniel. I downgraded to that version and was indeed able to
reproduce the "0 Ack" issue you reported. But this characteristic doesn't
exist in newer versions of Nmap (e.g. 2.54BETA2 -- see
http://www.insecure.org/nmap/ ), so it probably should not be used as the
Snort ACK scan detection mechanism. Ideally, Snort should detect a more
fundamental aspect of the scan, such as a flurry of ACK packets which
don't relate to any established connection.
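
The detection idea in the message above (many ACK packets that belong to no established connection), sketched as an added example; it is not part of the original post and is not Snort code. The packet tuple format, the function name find_ack_scanners, the threshold and the time window are all assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

# Constructed sample traffic: (time_s, src, sport, dst, dport, tcp_flags)
PACKETS = [
    # Normal client: handshake, then ACKs that belong to that connection.
    (0.00, "10.0.0.5", 40000, "10.0.0.9", 80, "S"),
    (0.01, "10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    (0.02, "10.0.0.5", 40000, "10.0.0.9", 80, "A"),
    (0.03, "10.0.0.5", 40000, "10.0.0.9", 80, "PA"),
    # One stray ACK (e.g. a peer whose state was lost): below the threshold.
    (0.50, "10.0.0.7", 41000, "10.0.0.9", 22, "A"),
] + [
    # Ten bare ACKs to ten ports, none preceded by a handshake.
    (1.0 + i * 0.01, "10.0.0.66", 50000, "10.0.0.9", port, "A")
    for i, port in enumerate(range(20, 30))
]


def find_ack_scanners(packets, threshold=5, window=2.0):
    """Map each source that sent bare ACKs outside any known connection to
    at least `threshold` distinct (dst, port) targets within `window`
    seconds onto the sorted list of those targets."""
    syn_seen = set()            # flows on which a SYN was observed
    known = set()               # both directions of flows with SYN + SYN/ACK
    stray = defaultdict(list)   # src -> [(time, dst, dport)] of unmatched ACKs
    alerts = defaultdict(set)
    for t, src, sport, dst, dport, flags in sorted(packets):
        flow, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            syn_seen.add(flow)
        elif flags == "SA" and rev in syn_seen:
            known.update((flow, rev))
        elif flags == "A" and flow not in known:
            # Keep only unmatched ACKs inside the sliding window.
            hits = [h for h in stray[src] if t - h[0] <= window]
            hits.append((t, dst, dport))
            stray[src] = hits
            targets = {(d, p) for _, d, p in hits}
            if len(targets) >= threshold:
                alerts[src].update(targets)
    # Connection teardown (FIN/RST) is not modelled in this sketch.
    return {src: sorted(targets) for src, targets in alerts.items()}


if __name__ == "__main__":
    for src, targets in find_ack_scanners(PACKETS).items():
        print(src, "sent unmatched ACKs to", len(targets), "targets")
```

Because the check keys on connection state rather than on a header value, it does not depend on which Nmap version produced the packets.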