[Snort-users] Re: [Snort-users] nmap ack scans

Philipp Snizek mailinglists at ...1153...
Fri Apr 20 08:07:33 EDT 2001

> Hello,
> >I have now been running Snort 1.7 with the
> >latest ruleset for several days.
> >Active Rulesets are:
> [SNIP]
> >Why are nmap ack scans not seen by snort?
> Hum ... you are running many rules (?)

Which rules would you use?

> Anyway, if you want to catch an nmap ping:
> alert tcp any any -> $MY_HOME any (flags: A; ack: 0; msg: "NMAP TCP ping";)

I'd be interested in identifying nmap OS fingerprints with Snort. I could
find out nmap OS fingerprint tests 1 - 3 but cannot get further because I
suspect Snort does not see ACK scans. See my log:

Apr 20 13:21:59 -> SYN *2****S*

Nmap test 1 is a TCP SYN packet to an open port.

Apr 20 13:21:59 -> NULL ********

Nmap test 2 is a TCP null packet to an open port.

Apr 20 13:21:59 -> NMAPID **U*P*SF

Nmap test 3 sends a combination of urgent, push, SYN and FIN to an open port.

Where is Snort's ACK rule for nmap test 4 (TCP ACK to an open port)?

Apr 20 13:21:59 -> SYN ******S*

This is nmap test 5, sending a SYN to a closed port.

Where is Snort's ACK rule for nmap test 6 (TCP ACK to a closed port)?

Apr 20 13:21:59 -> XMAS **U*P**F

Nmap test 7 sends a TCP combination of urgent, push and FIN to a closed

> Usually you will find it in the ICMP ruleset (alert
> ids 28)
> regards,
> Jean-Philippe

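As an added example (not code from this thread or from Snort itself), a small Python decoder for the portscan-log flag field shown in the post: it maps each line to the nmap probe numbered there and reports which probes never appeared. It assumes the field's column order is `12UAPRSF` with `*` for an unset bit, and takes the target port's state as an input because the log lines do not record it.

```python
"""Decode Snort 1.7 portscan-log flag fields and map each line to the nmap OS probe
numbered in the post. Added example, not thread or Snort code. Assumed column order
"12UAPRSF" (two reserved bits, URG ACK PSH RST SYN FIN); '*' marks an unset bit."""
import re
FLAG_ORDER = "12UAPRSF"  # assumed layout of the 8-character flag field

# (flags set, target port state) -> nmap test number, as described in the post.
# Test 1 carries a reserved bit beside SYN; tests 4 and 6 are the bare-ACK probes.
NMAP_TESTS = {
    (frozenset("2S"), "open"): 1,
    (frozenset(), "open"): 2,
    (frozenset("UPSF"), "open"): 3,
    (frozenset("A"), "open"): 4,
    (frozenset("S"), "closed"): 5,
    (frozenset("A"), "closed"): 6,
    (frozenset("UPF"), "closed"): 7,
}
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) -> (\S+) ([12UAPRSF*]{8})$")

def decode_flags(field):
    """Return the frozenset of flag letters set in an 8-character field."""
    if len(field) != len(FLAG_ORDER):
        raise ValueError("flag field must be 8 characters: %r" % field)
    return frozenset(ch for ch, want in zip(field, FLAG_ORDER) if ch == want)

def classify(line, port_state):
    """Parse one log line -> (label, flags, nmap test or None); None on no match.
    The log does not record whether the target port was open, so the caller says."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = decode_flags(m.group(3))
    return m.group(2), flags, NMAP_TESTS.get((flags, port_state))

def seen_tests(entries):
    """Sorted nmap test numbers recognised in a batch of (line, port_state) pairs."""
    return sorted({r[2] for r in (classify(*e) for e in entries) if r and r[2]})

def missing_tests(entries):
    """Probes of a full nmap -O run (tests 1-7) that never appeared in the log."""
    return sorted(set(NMAP_TESTS.values()) - set(seen_tests(entries)))

# Constructed sample: the five lines from the post with the port states it gives.
SAMPLE = [
    ("Apr 20 13:21:59 -> SYN *2****S*", "open"),
    ("Apr 20 13:21:59 -> NULL ********", "open"),
    ("Apr 20 13:21:59 -> NMAPID **U*P*SF", "open"),
    ("Apr 20 13:21:59 -> SYN ******S*", "closed"),
    ("Apr 20 13:21:59 -> XMAS **U*P**F", "closed"),
]
```

Running `missing_tests(SAMPLE)` on the post's lines returns `[4, 6]`, the two bare-ACK probes the post says never showed up.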