[Snort-users] Snort and Random ACK Scans
fygrave at ...121...
Fri Aug 11 15:16:01 EDT 2000
~ :> I've got nmap installed via rpm: "nmap-2.53-1".
~ :Thanks Daniel. I downgraded to that version and was indeed able to
~ :reproduce the "0 Ack" issue you reported. But this characteristic doesn't
~ :exist in newer versions of Nmap (e.g. 2.54BETA2 -- see
~ :http://www.insecure.org/nmap/ ), so it probably should not be used as the
~ :Snort ACK scan detection mechanism. Ideally, Snort should detect a more
~ :fundamental aspect of the scan, such as a flurry of ACK packets which
~ :don't relate to any established connection.
Currently we don't perform any TCP stream reassembly but the plugin
module has already been written by Mr. Cramer and its integration is
pending in our TODO list :)
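
The detection idea raised in the quoted message (a flurry of ACK packets that relate to no established connection), sketched as an added example that is not part of the original post and is not Snort code. The class name, the threshold and window values, and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits

class OrphanAckDetector:
    """Alert when one source sends bare ACKs, on flows with no observed
    handshake, to many distinct (host, port) targets in a short window."""

    def __init__(self, threshold=5, window=3.0):  # assumed tuning values
        self.threshold = threshold           # distinct targets needed to alert
        self.window = window                 # sliding window in seconds
        self.flows = set()                   # flows where a SYN was seen
        self.orphans = defaultdict(deque)    # src -> (ts, (dst, dport))
        self.alerted = set()

    @staticmethod
    def _key(src, sport, dst, dport):
        # Direction-independent flow key, so replies match the same flow.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def process(self, ts, src, sport, dst, dport, flags):
        """Feed one TCP header; return an alert string or None."""
        key = self._key(src, sport, dst, dport)
        if flags & SYN:                      # SYN or SYN/ACK: handshake seen
            self.flows.add(key)
            return None
        if flags & RST:                      # teardown (or the target's reply)
            self.flows.discard(key)
            return None
        if not (flags & ACK) or key in self.flows:
            return None                      # not an ACK, or a known flow
        q = self.orphans[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > self.window:
            q.popleft()                      # expire entries outside window
        targets = {t for _, t in q}
        # A sensor started mid-connection sees a few orphan ACKs too, so
        # alert on many distinct targets rather than on a single packet.
        if len(targets) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return f"ACK scan suspected from {src}: {len(targets)} orphan ACK targets"
        return None

# Constructed sample: one normal handshake, then bare ACKs to six ports.
SAMPLE = [(0.00, "10.0.0.5", 40000, "10.0.0.9", 80, SYN),
          (0.01, "10.0.0.9", 80, "10.0.0.5", 40000, SYN | ACK),
          (0.02, "10.0.0.5", 40000, "10.0.0.9", 80, ACK)] + [
          (1.0 + i * 0.1, "192.0.2.66", 50000 + i, "10.0.0.9", port, ACK)
          for i, port in enumerate([21, 22, 23, 25, 80, 110])]

def run_sample():
    det = OrphanAckDetector()
    return [a for a in (det.process(*pkt) for pkt in SAMPLE) if a]
```

Unlike the "0 Ack" signature, this keys on connection state rather than on a field value that a scanner release can change.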