[Snort-users] nmap TCP ping

Daniel van Balen vdaniel at ...191...
Fri Aug 25 07:02:02 EDT 2000


On Fri, Aug 25, 2000 at 01:49:57PM +0200, Jan Muenther wrote:
> Hmm...
> I found these in my logs. 
> 
> [**] ICMP Destination Unreachable [**]
> 08/25-12:51:53.239562 xx.xxx.xxx.xxx -> 195.54.105.6
> ICMP TTL:64 TOS:0xC0 ID:4462 
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 
> [**] IDS028 - PING NMAP TCP [**]
> 08/25-12:51:53.245934 195.54.105.6:80 -> xx.xxx.xxx.xxx:2347
> TCP TTL:38 TOS:0x0 ID:10650 
> ******A* Seq: 0x362   Ack: 0x0   Win: 0x578
> 
> Am I right in guessing these two _together_ make a typical nmap
> -sP ping thing (snort-wise)?

	Well... not exactly. The first packet (icmp port unreachable) is
usualy a response to a udp packet to a non-open port. The default nmap ping
is a "icmp echo request" followed by a tcp ack to port 80.

> >From my own nmap experience and the manpage I interpreted the TCP
> ping scan option as a single TCP packet with the ACK flag set
> _from_ port 80, not directed at it... so how come? 

	I guess because some firewalls would see it as web trafic and let
it through... see the "-g" option in the nmap man page. The second packet
looks like part of a ACK scan from nmap 2.53 (and probably previous
versions) but you should see a lot more packets (and snort alerts) like it
to diferent ports, unless the atacker (supposing you are under atack) is
only interested in port 2347 TCP. I don't know anything interesting that
listens on that port by default...



-spiff


	



More information about the Snort-users mailing list