[Snort-users] nmap TCP ping
Daniel van Balen
vdaniel at ...191...
Mon Aug 28 03:01:46 EDT 2000
On Mon, Aug 28, 2000 at 11:12:34AM +0200, Jan Muenther wrote:
> > > [**] ICMP Destination Unreachable [**]
> > > 08/25-12:51:53.239562 xx.xxx.xxx.xxx -> 126.96.36.199
> > > ICMP TTL:64 TOS:0xC0 ID:4462
> > > DESTINATION UNREACHABLE: PORT UNREACHABLE
> > >
> > > [**] IDS028 - PING NMAP TCP [**]
> > > 08/25-12:51:53.245934 188.8.131.52:80 -> xx.xxx.xxx.xxx:2347
> > > TCP TTL:38 TOS:0x0 ID:10650
> > > ******A* Seq: 0x362 Ack: 0x0 Win: 0x578
> on my local net trying to send UDP packets to diverse hosts... I
> hope it's not you-know-what...
I wouldn't know, but the "port unreachable" response hopefully means
they didn't find anything. BTW, if I remember correctly, the body of the ICMP
packet should have the UDP packet that triggered it.
> > I guess because some firewalls would see it as web traffic and let
> > it through... see the "-g" option in the nmap man page.
> The first packet? Why should any ICMP traffic be interpreted as
> web traffic?
I was talking about the second packet...
> > The second packet
> > looks like part of an ACK scan from nmap 2.53 (and probably previous
> > versions) but you should see a lot more packets (and snort alerts) like it
> > to different ports, unless the attacker (supposing you are under attack) is
> > only interested in port 2347 TCP. I don't know anything interesting that
> > listens on that port by default...
> Well, neither do I... btw, it seems to be the only one, so I
> would tend to interpret it as a stray packet... don't you...?
Having no more evidence I would guess so...
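
Added example, not part of the original message: the reply above notes that an ICMP port-unreachable body should carry the UDP packet that triggered it (RFC 792 requires the original IP header plus at least the first 8 bytes of its payload). The Python sketch below recovers the probe's source, destination and ports from such a message; the function names and the sample packet, built with documentation addresses, are constructed for illustration.

```python
import socket
import struct

def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Recover the offending datagram's addressing from an ICMP error body."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = icmp[8:]                      # skip type, code, checksum, 4 unused bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("no embedded IPv4 header")
    ihl = (inner[0] & 0x0F) * 4           # embedded header may carry IP options
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded header truncated")
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])  # host that sent the original probe
    dst = socket.inet_ntoa(inner[16:20])  # host the probe was aimed at
    result = {"code": icmp_code, "proto": proto, "orig_src": src, "orig_dst": dst}
    if proto == 17:                       # UDP header: ports, length, checksum
        sport, dport, ulen, _ = struct.unpack("!HHHH", inner[ihl:ihl + 8])
        result.update(orig_sport=sport, orig_dport=dport, udp_len=ulen)
    return result

def build_sample() -> bytes:
    """Constructed sample: port unreachable (type 3, code 3) quoting a UDP probe."""
    udp = struct.pack("!HHHH", 40000, 161, 8 + 4, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 12, 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)   # checksum left 0; not verified here
    return icmp_hdr + ip + udp

if __name__ == "__main__":
    print(parse_icmp_unreachable(build_sample()))
```

Feed it the ICMP portion of a captured packet (everything after the outer IP header) to see which local host and port pair produced the probe.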