[Snort-users] Snort and Random ACK Scans

Fyodor fygrave at ...121...
Fri Aug 11 15:16:01 EDT 2000


~ :> 	I've got nmap installed via rpm: "nmap-2.53-1".
~ :
~ :Thanks Daniel.  I downgraded to that version and was indeed able to
~ :reproduce the "0 Ack" issue you reported.  But this characteristic doesn't
~ :exist in newer versions of Nmap (eg 2.54BETA2 -- see
~ :http://www.insecure.org/nmap/ ), so it probably should not be used as the
~ :Snort ACK scan detection mechanism.  Ideally, Snort should detect a more
~ :fundamental aspect of the scan, such as a flurry of ACK packets which
~ :don't relate to any established connection.
~ :

Currently we don't perform any TCP stream reassembly, but the plugin
module has already been written by Mr. Cramer and its integration is
pending on our TODO list :)
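
The approach suggested in the quoted message above (flagging a flurry of ACK packets that relate to no established connection) can be sketched as follows. This is an added example, not part of the original thread and not Snort code; the function names, the packet tuple layout, the window and threshold defaults, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits

def flow_key(src, sport, dst, dport):
    """Direction-independent key for a TCP flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def detect_stray_ack_sources(packets, window=5.0, threshold=5):
    """Return {src: set of (dst, dport)} for sources that sent ACKs unrelated
    to any observed handshake to at least `threshold` distinct targets within
    `window` seconds. Both defaults are assumed values, not Snort settings."""
    pending, established = set(), set()
    recent = defaultdict(deque)              # src -> deque of (ts, target)
    alerts = {}
    for ts, src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        if flags & RST:                      # teardown: forget the flow
            pending.discard(key)
            established.discard(key)
        elif flags & SYN and not flags & ACK:
            pending.add(key)                 # first step of a handshake
        elif flags & SYN and flags & ACK:
            if key in pending:               # SYN/ACK answering a seen SYN
                pending.discard(key)
                established.add(key)
        elif flags & ACK and key not in established:
            # ACK with no handshake behind it. One of these can be a session
            # that predates the sensor, so only a burst across many distinct
            # targets is reported.
            q = recent[src]
            q.append((ts, (dst, dport)))
            while q and ts - q[0][0] > window:
                q.popleft()
            targets = {t for _, t in q}
            if len(targets) >= threshold:
                alerts.setdefault(src, set()).update(targets)
    return alerts

# Constructed sample traffic: (ts, src, sport, dst, dport, flags)
SAMPLE = [
    (0.0, "10.0.0.5", 40000, "10.0.0.80", 80, SYN),
    (0.1, "10.0.0.80", 80, "10.0.0.5", 40000, SYN | ACK),
    (0.2, "10.0.0.5", 40000, "10.0.0.80", 80, ACK),
    (0.3, "10.0.0.9", 41000, "10.0.0.80", 22, ACK),   # pre-existing session
] + [(1.0 + i * 0.01, "192.0.2.66", 50000, "10.0.0.80", port, ACK)
     for i, port in enumerate([21, 22, 23, 25, 80, 110])]

if __name__ == "__main__":
    print(detect_stray_ack_sources(SAMPLE))
```

Because the check keys on connection state rather than on a header value such as the "0 Ack" characteristic, it does not depend on which Nmap version generated the packets.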






