[Snort-users] Snort and Random ACK Scans

Daniel van Balen vdaniel at ...191...
Sat Aug 12 01:49:23 EDT 2000


On Fri, Aug 11, 2000 at 02:35:49PM -0700, Fyodor wrote:
> On Fri, 11 Aug 2000, Daniel van Balen wrote:
> 
> > It seems like a dead giveaway
> > that someone is scanning you. The same seems to happen with Syn scans. Should or
> > could a natural non-scan Syn packet have an ack field of anything but 0?
> 
> Yeah.  The 2nd part of TCP connection establishment is SYN/ACK .
> 

	Sorry, I meant only the first packet in a three-way handshake. What I
meant is that even if the ack field/number isn't necessary in the first packet of
a TCP connection (tcpdump doesn't even show it) it's still there and has a
value. When nmap does a Syn scan that value is never 0, while all the rest of the
first packets in a three-way handshake I've seen have an ack field of 0. That
makes an nmap Syn scan a bit conspicuous. I could even make a Snort rule that
alerted for each port scanned by an nmap Syn scan (if Snort's "ack" rule option
accepted negation of numbers, which it doesn't):

THIS RULE DOES NOT WORK
alert tcp any any -> <any box> any (msg: "NMAP SYN SCAN PACKET!"; flags: S; ack: "!0";)

	But since "ack:" only takes a number here's the same in tcpdump:

USE THIS INSTEAD
tcpdump -v -n "dst host <any box> and tcp[13] = 2 and tcp[8:4] != 0"

	I left the above tcpdump command running on a box with a decent amount
of traffic for a few hours and it only picked up nmap Syn scans and packets sent
using hping ("hping2 -S <the box>").
	My point is that if the above filter picks up anything I can be quite
sure someone is fooling around. And no matter how slowly they do it, I can pick
out every packet of an nmap Syn scan with very few (if any) false positives.

	Hope this makes my question clearer...

-spiff
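The check described in the message above, as an added example (not code from the original post or from the Snort project): a small Python script that builds a few constructed IPv4/TCP packets and applies the same test the tcpdump filter `tcp[13] = 2 and tcp[8:4] != 0` performs, i.e. the TCP flags byte is exactly SYN and the acknowledgement number is non-zero. The packet builder, the sample packets and their labels are assumptions made for the demo; the checksums are left at zero because nothing here transmits the packets.

```python
import struct

# Equivalent of the tcpdump filter  tcp[13] = 2 and tcp[8:4] != 0 :
# tcp[13]   is the TCP flags byte (0x02 == SYN only, no ACK/ECN bits)
# tcp[8:4]  is the 32-bit acknowledgement number
SYN_ONLY = 0x02


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags):
    """Build a minimal IPv4 + TCP packet (no options, no payload).
    Constructed sample input for the demo only; checksums are zero."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0, 40, 0, 0,     # TOS, total length, id, flags/fragment offset
        64, 6, 0,        # TTL, protocol TCP, checksum (unset)
        bytes(int(x) for x in src.split(".")),
        bytes(int(x) for x in dst.split(".")),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, seq, ack,
        5 << 4,          # data offset 5 words, reserved bits zero
        flags, 65535, 0, 0,  # flags, window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def tcp_header_offset(pkt):
    """Byte offset of the TCP header: IPv4 IHL field * 4."""
    return (pkt[0] & 0x0F) * 4


def is_suspicious_syn(pkt):
    """True when the packet is IPv4/TCP, the flags byte is exactly SYN
    and the ack number is non-zero (the 'nmap/hping SYN' signature)."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or pkt[9] != 6:
        return False                       # not IPv4 carrying TCP
    off = tcp_header_offset(pkt)
    if len(pkt) < off + 20:
        return False                       # truncated TCP header
    flags = pkt[off + 13]
    ack = struct.unpack("!I", pkt[off + 8:off + 12])[0]
    return flags == SYN_ONLY and ack != 0


# Constructed sample traffic: one legitimate handshake start, one SYN/ACK,
# and two SYN-only packets carrying a random ack number.
SAMPLE_PACKETS = [
    ("normal SYN",      build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 80, 0x11111111, 0, 0x02)),
    ("SYN/ACK reply",   build_ipv4_tcp("10.0.0.9", "10.0.0.5", 80, 40000, 0x22222222, 0x11111112, 0x12)),
    ("nmap-style SYN",  build_ipv4_tcp("10.0.0.7", "10.0.0.9", 51000, 22, 0x33333333, 0x5A5A5A5A, 0x02)),
    ("hping2 -S",       build_ipv4_tcp("10.0.0.7", "10.0.0.9", 2010, 443, 0x44444444, 0x0BADF00D, 0x02)),
]


def find_suspicious(packets):
    """Return the labels of packets matching the SYN-with-nonzero-ack test."""
    return [label for label, pkt in packets if is_suspicious_syn(pkt)]


if __name__ == "__main__":
    for label in find_suspicious(SAMPLE_PACKETS):
        print("SUSPICIOUS SYN:", label)
```

One caveat worth keeping in mind when reusing this filter on current traffic: a host with ECN enabled sets the ECE and CWR bits on its initial SYN (flags byte 0xC2), which `tcp[13] = 2` does not match, so such a scan would slip past the exact-equality test; compare only the SYN and ACK bits if that matters in your environment.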
