[Snort-users] nmap TCP ping
Daniel van Balen
vdaniel at ...191...
Fri Aug 25 07:02:02 EDT 2000
On Fri, Aug 25, 2000 at 01:49:57PM +0200, Jan Muenther wrote:
> I found these in my logs.
> [**] ICMP Destination Unreachable [**]
> 08/25-12:51:53.239562 xx.xxx.xxx.xxx -> 184.108.40.206
> ICMP TTL:64 TOS:0xC0 ID:4462
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> [**] IDS028 - PING NMAP TCP [**]
> 08/25-12:51:53.245934 220.127.116.11:80 -> xx.xxx.xxx.xxx:2347
> TCP TTL:38 TOS:0x0 ID:10650
> ******A* Seq: 0x362 Ack: 0x0 Win: 0x578
> Am I right in guessing these two _together_ make a typical nmap
> -sP ping thing (snort-wise)?
Well... not exactly. The first packet (icmp port unreachable) is
usually a response to a udp packet to a non-open port. The default nmap ping
is an "icmp echo request" followed by a tcp ack to port 80.
> From my own nmap experience and the manpage I interpreted the TCP
> ping scan option as a single TCP packet with the ACK flag set
> _from_ port 80, not directed at it... so how come?
I guess because some firewalls would see it as web traffic and let
it through... see the "-g" option in the nmap man page. The second packet
looks like part of an ACK scan from nmap 2.53 (and probably previous
versions) but you should see a lot more packets (and snort alerts) like it
to different ports, unless the attacker (supposing you are under attack) is
only interested in port 2347 TCP. I don't know anything interesting that
listens on that port by default...
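As an added example (not from this thread or from the Snort project), here is a small Python parser for the Snort 1.x alert format quoted above that applies the reasoning in the reply: a bare ACK with Ack 0x0 is the TCP-ping pattern, a source port of 80 matches the "-g" trick, and an ICMP port unreachable is just a reply to a UDP probe of a closed port. The sample alerts, addresses and verdict labels are constructed for the example.

```python
import re
# Constructed sample in the Snort 1.x alert format quoted in the thread; addresses are RFC 5737 ranges.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable [**]
08/25-12:51:53.239562 192.0.2.10 -> 192.0.2.20
ICMP TTL:64 TOS:0xC0 ID:4462
DESTINATION UNREACHABLE: PORT UNREACHABLE
[**] IDS028 - PING NMAP TCP [**]
08/25-12:51:53.245934 198.51.100.5:80 -> 192.0.2.20:2347
TCP TTL:38 TOS:0x0 ID:10650
******A* Seq: 0x362 Ack: 0x0 Win: 0x578
"""
HEADER = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
ADDRS = re.compile(r"^\S+ ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")
TCPLINE = re.compile(r"^([*12UAPRSF]{8}) Seq: 0x[0-9a-fA-F]+ Ack: 0x([0-9a-fA-F]+)")

def parse_alerts(text):
    """Split a Snort 1.x alert file into records, one per [**] header line."""
    alerts = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            alerts.append({"msg": m.group(1), "proto": "", "flags": set(), "ack": None})
        elif not alerts:
            continue  # stray lines before the first header
        elif m := ADDRS.match(line):
            cur = alerts[-1]
            cur["src"], cur["dst"] = m.group(1), m.group(3)
            cur["sport"] = int(m.group(2)) if m.group(2) else None
            cur["dport"] = int(m.group(4)) if m.group(4) else None
        elif line.split(" ")[0] in ("TCP", "UDP", "ICMP"):
            alerts[-1]["proto"] = line.split(" ")[0]
        elif m := TCPLINE.match(line):
            # Test flag letters by membership, not position, so the column order does not matter.
            alerts[-1]["flags"] = {c for c in m.group(1) if c != "*"}
            alerts[-1]["ack"] = int(m.group(2), 16)
    return alerts

def classify(alert):
    """Label one parsed alert using the distinctions drawn in the reply."""
    if alert["proto"] == "ICMP" and "unreachable" in alert["msg"].lower():
        return "icmp-unreachable"  # reply to a UDP probe of a closed port, not part of the TCP ping
    if alert["proto"] == "TCP" and alert["flags"] == {"A"} and alert["ack"] == 0:
        # Bare ACK with Ack 0x0 is the nmap TCP-ping shape the IDS028 alert reports;
        # a source port of 80 is the "-g" source-port trick from the reply (hypothetical label).
        return "nmap-tcp-ping-from-80" if alert["sport"] == 80 else "nmap-tcp-ping"
    return "other"

def summarize(text):
    return [(a["msg"], classify(a)) for a in parse_alerts(text)]
```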