[Snort-users] Snort and Random ACK Scans

Fyodor fyodor at ...306...
Sat Aug 12 15:10:26 EDT 2000


On Sat, 12 Aug 2000, Daniel van Balen wrote:

> 	But since "ack:" only takes a number here's the same in tcpdump:
> 
> USE THIS INSTEAD
> tcpdump -v -n "dst host <any box> and tcp[13] = 2 and tcp[8:4] != 0"
> 
> 	I left the above tcpdump command running on a box with a decent amount
> of traffic for a few hours and it only picked up nmap Syn scans and packets sent
> using hping "hping2 -S <the box>".

I don't think RFC793 requires the ACK field to be 0 in this case.  But
I guess it would make Nmap less conspicuous.  So I have made your
suggested change for the next version.  It's just a matter of adding:

if (scantype != SYN_SCAN)

before 

  ack_number = get_random_uint();


Good find.

As for the ack_number staying constant throughout the scan of a particular
machine, that is purely for performance reasons.  Random numbers are
expensive on some platforms.  Of course a pseudo-random stream could be
used but it may not be worth the trouble -- programmatically watching for
patterns of ACKs with the same ACK field is a poor way to identify such a
scan and it is not even much easier than some more reliable methods.

Cheers,
Fyodor
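An added illustration, not part of Daniel's or Fyodor's messages: a Python reimplementation of the tcpdump test quoted above (bare SYN with a non-zero ACK field), run over constructed sample packets, with a per-source summary that also records the ACK values seen so the constant-ACK behaviour discussed above is visible. All addresses and field values are made up.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits in header byte 13 (tcp[13] in tcpdump)

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Constructed IPv4+TCP header bytes for testing only (no options, zero checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse(pkt):
    """Return (src, dst, dport, flags, ack_number), or None if the packet is not TCP."""
    if pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    _, dport, _, ack_number, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return src, dst, dport, flags, ack_number

def matches_filter(pkt):
    """Same test as tcpdump's 'tcp[13] = 2 and tcp[8:4] != 0': bare SYN, ACK field non-zero."""
    p = parse(pkt)
    return p is not None and p[3] == SYN and p[4] != 0

def suspicious_sources(pkts):
    """Group matching SYNs by source: ports probed and the distinct ACK values carried."""
    seen = defaultdict(lambda: {"targets": [], "ack_values": set()})
    for pkt in pkts:
        if matches_filter(pkt):
            src, dst, dport, _, ack_number = parse(pkt)
            seen[src]["targets"].append((dst, dport))
            seen[src]["ack_values"].add(ack_number)
    return {s: {"targets": v["targets"], "ack_values": sorted(v["ack_values"])}
            for s, v in seen.items()}

# Constructed sample traffic: one host sending bare SYNs with a constant non-zero ACK
# field to three ports, one ordinary SYN (ACK field 0), and the server's SYN/ACK reply.
SAMPLE = [build_packet("10.0.0.9", "192.0.2.10", 40000, p, 1, 0x1A2B3C4D, SYN)
          for p in (22, 80, 443)]
SAMPLE.append(build_packet("198.51.100.7", "192.0.2.10", 51000, 80, 7, 0, SYN))
SAMPLE.append(build_packet("192.0.2.10", "198.51.100.7", 80, 51000, 9, 8, SYN | ACK))
```

Only the three probes from 10.0.0.9 match; the ordinary SYN (ACK field 0) and the SYN/ACK reply (flags byte 0x12, not 0x02) are left alone, exactly as the tcpdump expression would treat them.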
