[Snort-users] nmap TCP ping
jan at ...206...
Mon Aug 28 05:12:34 EDT 2000
Thanks for your reply.
> > [**] ICMP Destination Unreachable [**]
> > 08/25-12:51:53.239562 xx.xxx.xxx.xxx -> 126.96.36.199
> > ICMP TTL:64 TOS:0xC0 ID:4462
> > DESTINATION UNREACHABLE: PORT UNREACHABLE
> > [**] IDS028 - PING NMAP TCP [**]
> > 08/25-12:51:53.245934 188.8.131.52:80 -> xx.xxx.xxx.xxx:2347
> > TCP TTL:38 TOS:0x0 ID:10650
> > ******A* Seq: 0x362 Ack: 0x0 Win: 0x578
> Well... not exactly. The first packet (icmp port unreachable) is
> usually a response to a UDP packet to a non-open port. The default nmap ping
> is an "ICMP echo request" followed by a TCP ACK to port 80.
Right, that's what it looked like. I DO get these types of alerts
quite often - which troubles me, since I can't think of anything
on my local net trying to send UDP packets to diverse hosts... I
hope it's not you-know-what...
> I guess because some firewalls would see it as web traffic and let
> it through... see the "-g" option in the nmap man page.
The first packet? Why should any ICMP traffic be interpreted as
> The second packet
> looks like part of an ACK scan from nmap 2.53 (and probably previous
> versions) but you should see a lot more packets (and snort alerts) like it
> to different ports, unless the attacker (supposing you are under attack) is
> only interested in port 2347 TCP. I don't know anything interesting that
> listens on that port by default...
Well, neither do I... btw, it seems to be the only one, so I
would tend to interpret it as a stray packet... don't you...?
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
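As an added illustration of the reasoning in this thread (example code, not from the original post and not Snort's own code), the following Python parses a few constructed alerts in the plain-text format quoted above and applies the IDS028 test as reconstructed here: a TCP segment with only the ACK flag set and an acknowledgement number of zero. It then groups hits by source host to separate a lone stray packet from a multi-port ACK scan, records whether the source port was 80 (the -g style trick mentioned above), and reads the direction of an ICMP port unreachable to say which side sent the UDP datagram. The rule reconstruction, the sample log and the RFC 5737 documentation addresses are all assumptions made for the example.

```python
"""Classify Snort plain-text alerts for the pattern discussed above: an ACK-only
TCP segment with Ack: 0x0 (nmap's TCP ping / -sA scan), and the ICMP port
unreachables that answer UDP probes.  Added illustration, not Snort's code; the
IDS028 test is reconstructed as "TCP, only ACK set, ack 0" (an assumption)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the alert format quoted in the thread, on RFC 5737
# documentation addresses; 192.0.2.10 plays the monitored host.
SAMPLE_LOG = """\
[**] IDS028 - PING NMAP TCP [**]
08/25-12:51:53.245934 198.51.100.7:80 -> 192.0.2.10:2347
TCP TTL:38 TOS:0x0 ID:10650
******A* Seq: 0x362 Ack: 0x0 Win: 0x578

[**] ICMP Destination Unreachable [**]
08/25-12:51:53.239562 192.0.2.10 -> 203.0.113.5
ICMP TTL:64 TOS:0xC0 ID:4462
DESTINATION UNREACHABLE: PORT UNREACHABLE

[**] IDS028 - PING NMAP TCP [**]
08/25-12:52:01.000001 203.0.113.9:80 -> 192.0.2.10:21
TCP TTL:38 TOS:0x0 ID:20001
******A* Seq: 0x1a2b Ack: 0x0 Win: 0x578

[**] IDS028 - PING NMAP TCP [**]
08/25-12:52:01.000102 203.0.113.9:80 -> 192.0.2.10:22
TCP TTL:38 TOS:0x0 ID:20002
******A* Seq: 0x1a2b Ack: 0x0 Win: 0x578

[**] IDS028 - PING NMAP TCP [**]
08/25-12:52:01.000203 203.0.113.9:80 -> 192.0.2.10:25
TCP TTL:38 TOS:0x0 ID:20003
******A* Seq: 0x1a2b Ack: 0x0 Win: 0x578

[**] Ordinary mid-connection ACK, must not match [**]
08/25-12:52:05.000000 192.0.2.44:80 -> 192.0.2.10:40123
TCP TTL:64 TOS:0x0 ID:777
***A**** Seq: 0x5e3 Ack: 0x9f21 Win: 0x7d78
"""

ADDR_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")  # "timestamp src -> dst"
TCP_RE = re.compile(r"^([12UAPRSF*]{6,8}) Seq: 0x[0-9A-Fa-f]+ Ack: (0x[0-9A-Fa-f]+)")


@dataclass
class Alert:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str = ""     # Snort's flag column, e.g. "******A*"
    ack: int = 0
    detail: str = ""    # fourth line: TCP flags/seq/ack, or the ICMP type text


def _endpoint(ep: str) -> Tuple[str, Optional[int]]:
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)


def parse_alerts(text: str) -> List[Alert]:
    """Parse blank-line separated alerts: header, 'ts src -> dst', proto, detail."""
    alerts: List[Alert] = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = ADDR_RE.match(lines[1]) if len(lines) >= 3 else None
        if not m:
            continue
        a = Alert(*_endpoint(m.group(2)), *_endpoint(m.group(3)), lines[2].split()[0])
        a.detail = lines[3] if len(lines) > 3 else ""
        t = TCP_RE.match(a.detail)
        if a.proto == "TCP" and t:
            a.flags, a.ack = t.group(1), int(t.group(2), 16)
        alerts.append(a)
    return alerts


def is_nmap_tcp_ping(a: Alert) -> bool:
    """Only ACK set and acknowledgement number 0: no live connection sends this.
    Snort's flag column order has changed between versions, so test the set of
    letters rather than a fixed position."""
    return a.proto == "TCP" and set(a.flags) - {"*"} == {"A"} and a.ack == 0


def udp_probe_origins(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """A port unreachable is emitted by the host whose closed UDP port was hit,
    so the UDP probe came from the ICMP's destination (RFC 792)."""
    return [(a.dst, a.src) for a in alerts
            if a.proto == "ICMP" and "PORT UNREACHABLE" in a.detail]


def summarize(alerts: List[Alert], scan_threshold: int = 3) -> Dict[str, dict]:
    """Group hits by source: many destination ports from one source is an ACK
    scan, a single port is more plausibly a stray packet."""
    hits: Dict[str, dict] = defaultdict(lambda: {"ports": set(), "from_port_80": False})
    for a in filter(is_nmap_tcp_ping, alerts):
        hits[a.src]["ports"].add(a.dport)
        hits[a.src]["from_port_80"] |= a.sport == 80   # nmap -g 80: passes "web" filters
    for h in hits.values():
        n = len(h["ports"])
        h["ports"] = sorted(h["ports"])
        h["verdict"] = ("ACK scan (nmap -sA)" if n >= scan_threshold
                        else "single port, likely a stray packet" if n == 1
                        else "a few ports, inconclusive")
    return dict(hits)
```

Run against the sample, summarize() reports the lone 198.51.100.7 packet as a likely stray, the three-port burst from 203.0.113.9 as an ACK scan sent from source port 80, ignores the mid-connection ACK with a non-zero acknowledgement number, and udp_probe_origins() attributes the port unreachable to a UDP datagram sent by 203.0.113.5, since it is the monitored host that emitted the ICMP.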