[Snort-users] Snort and Random ACK Scans

Daniel van Balen vdaniel at ...191...
Fri Aug 11 09:23:25 EDT 2000


On Fri, Aug 11, 2000 at 12:15:41PM -0700, Fyodor wrote:
> On Fri, 11 Aug 2000, Daniel van Balen wrote:
> 
> > 	I've got nmap installed via rpm: "nmap-2.53-1".
> 
> Thanks Daniel.  I downgraded to that version and was indeed able to
> reproduce the "0 Ack" issue you reported.  But this characteristic doesn't
> exist in newer versions of Nmap (eg 2.54BETA2 -- see
> http://www.insecure.org/nmap/ ), so it probably should not be used as the
> Snort ACK scan detection mechanism.  Ideally, Snort should detect a more
> fundamental aspect of the scan, such as a flurry of ACK packets which
> don't relate to any established connection.
> 

	Thanks nmap Fyodor :-), I tried using 2.54BETA2 and got all ack!=0. As I
mentioned in my first mail to this thread I don't think snort currently has a
method of detecting ACK scans, the bug in nmap 2.53 tripped snort's "NMAP TCP
PING" rule which I think should be updated to "OLD NMAP - TCP PING" because even
with the bug nmap's tcp ping didn't have the ack field set to zero. I heartily
agree with you on the best way of detecting ACK scans.
	BTW after staring at a few tcpdump and snort dumps of nmap ACK scans I
have a question about nmap's scanning: How come all the ack packets sent out as
part of the scan (not including the tcp ping) have exactly the same ack, window
and sequence number (with ack != win != seq)? It seems like a dead giveaway
that someone is scanning you. The same seems to happen with Syn scans. Should or
could a natural non-scan Syn packet have an ack field of anything but 0? XMAS
scans have zero ack and seq but a random window (per scan). Fin scans have the
same ack/win/seq behavior as XMAS scans.

Thanks

-spiff
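The detection approach Fyodor proposes and the per-scan uniformity Daniel observes, worked through as an added example (not Snort code and not part of this thread): flag a source that emits a flurry of ACK-only segments matching no connection whose handshake was seen on the wire, and report whether those segments all carry the same seq/ack/win triple. The packet dict layout, the sample traffic and the threshold value are constructed here.

```python
"""Orphan-ACK flurry detector: added example, not Snort's own rule logic."""
from collections import defaultdict

ACK_THRESHOLD = 5  # constructed tuning value; not taken from the thread


def detect_ack_scans(packets, threshold=ACK_THRESHOLD):
    """packets: iterable of dicts with src, dst, sport, dport, flags, seq, ack, win.

    Returns {src: {"count": n, "uniform": bool}} for every source whose
    count of ACK-only segments with no observed handshake reaches threshold.
    "uniform" is True when all of that source's orphan ACKs share one
    (seq, ack, win) triple, the per-scan constant the thread describes.
    """
    known = set()                 # 4-tuples for which a SYN was observed
    orphans = defaultdict(list)   # src -> [(seq, ack, win), ...]
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if "S" in p["flags"]:
            # A SYN or SYN/ACK marks a handshake in progress; both
            # directions of the 4-tuple are now expected to carry ACKs.
            known.add(fwd)
            known.add(rev)
            continue
        if p["flags"] == "A" and fwd not in known:
            orphans[p["src"]].append((p["seq"], p["ack"], p["win"]))
    hits = {}
    for src, sigs in orphans.items():
        if len(sigs) >= threshold:
            hits[src] = {"count": len(sigs), "uniform": len(set(sigs)) == 1}
    return hits


# Constructed sample traffic: one normal handshake, then an ACK sweep from
# a second host whose segments reuse a single seq/ack/win triple.
SAMPLE = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 80,
     "flags": "S", "seq": 100, "ack": 0, "win": 5840},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "sport": 80, "dport": 40000,
     "flags": "SA", "seq": 500, "ack": 101, "win": 5792},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 80,
     "flags": "A", "seq": 101, "ack": 501, "win": 5840},
] + [
    {"src": "10.0.0.66", "dst": "10.0.0.9", "sport": 61000, "dport": port,
     "flags": "A", "seq": 3912, "ack": 777, "win": 1024}
    for port in (21, 22, 23, 25, 53, 80, 110, 443)
]

if __name__ == "__main__":
    print(detect_ack_scans(SAMPLE))
```

The host that completed a handshake produces no hit; the sweeping host is reported with eight orphan ACKs and uniform=True.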
