[Snort-users] Snort and Random ACK Scans
fyodor at ...306...
Sat Aug 12 15:10:26 EDT 2000
On Sat, 12 Aug 2000, Daniel van Balen wrote:
> But since "ack:" only takes a number here's the same in tcpdump:
> USE THIS INSTEAD
> tcpdump -v -n "dst host <any box> and tcp[13] = 2 and tcp[8:4] != 0"
> I left the above tcpdump command running on a box with a decent amount
> of traffic for a few hours and it only picked up nmap Syn scans and packets sent
> using hping "hping2 -S <the box>".
I don't think RFC793 requires the ACK field to be 0 in this case. But
I guess it would make Nmap less conspicuous. So I have made your
suggested change for the next version. It's just a matter of adding:
    if (scantype != SYN_SCAN)
        ack_number = get_random_uint();
As for the ack_number staying constant throughout the scan of a particular
machine, that is purely for performance reasons. Random numbers are
expensive on some platforms. Of course a pseudo-random stream could be
used but it may not be worth the trouble -- programmatically watching for
patterns of ACKs with the same ACK field is a poor way to identify such a
scan and it is not even much easier than some more reliable methods.
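The two detection ideas discussed in this thread, expressed as Python over raw TCP headers (an added example, not code from either poster or from Nmap; the packets are constructed inline and carry no checksum): syn_with_nonzero_ack() is the per-packet test equivalent to the tcpdump filter "tcp[13] = 2 and tcp[8:4] != 0", and repeated_ack_syns() is the weaker heuristic fyodor mentions, counting SYN-only packets that share one non-zero ACK value. The threshold of 5 and the sample port/ACK values are assumptions chosen for the demonstration.

```python
import struct
from collections import Counter

# TCP flag bits in header byte 13
TCP_SYN = 0x02
TCP_ACK = 0x10

# Layout of a 20-byte TCP header: src port, dst port, seq, ack,
# data offset byte, flags byte, window, checksum, urgent pointer.
TCP_HDR = "!HHIIBBHHH"


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=1024):
    """Construct a minimal TCP header (data offset 5 words, checksum left 0)."""
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fields the filters below need from the first 20 bytes."""
    src, dst, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "flags": flags}


def syn_with_nonzero_ack(hdr):
    """Same condition as tcpdump 'tcp[13] = 2 and tcp[8:4] != 0':
    flags byte is exactly SYN, and the ACK field is not zero."""
    return hdr["flags"] == TCP_SYN and hdr["ack"] != 0


def repeated_ack_syns(headers, threshold=5):
    """Weaker heuristic: many SYN-only packets sharing one non-zero ACK value.
    Returns {ack_value: count} for values seen at least `threshold` times."""
    counts = Counter(h["ack"] for h in headers if h["flags"] == TCP_SYN and h["ack"] != 0)
    return {ack: n for ack, n in counts.items() if n >= threshold}


def sample_packets():
    """Constructed sample traffic: one ordinary SYN, one SYN/ACK reply,
    and ten SYNs to consecutive ports that all carry the same ACK value."""
    pkts = [build_tcp_header(40000, 80, 1000, 0, TCP_SYN)]                   # normal SYN, ack 0
    pkts.append(build_tcp_header(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK))  # SYN/ACK, not SYN-only
    for port in range(20, 30):                                              # constant ack across ports
        pkts.append(build_tcp_header(50000, port, 777, 0xDEADBEEF, TCP_SYN))
    return pkts


def analyze(packets):
    """Apply both checks; returns (number of SYNs with non-zero ACK, repeated ACK map)."""
    headers = [parse_tcp_header(p) for p in packets]
    flagged = [h for h in headers if syn_with_nonzero_ack(h)]
    return len(flagged), repeated_ack_syns(headers)


if __name__ == "__main__":
    count, repeated = analyze(sample_packets())
    print("SYN packets with non-zero ACK:", count)
    print("ACK values shared by many SYNs:", {hex(k): v for k, v in repeated.items()})
```

The SYN/ACK reply is not matched by either check because its flags byte is 0x12, not 0x02, which is why the filter keys on the whole flags byte rather than on the SYN bit alone. Once the ACK field is randomised per packet, the first check still fires (the field is still non-zero) while the second finds nothing, which is the point fyodor makes about the repeated-ACK heuristic.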