[Snort-users] AW: [Snort-users]nmap ack scans
mailinglists at ...1153...
Fri Apr 20 08:07:33 EDT 2001
> >I'm now running since several days Snort 1.7 with the
> >latest ruleset.
> >Active Rulesets are:
> >Why are nmap ack scans not seen by snort?
> Hum ... you are running many rules (?)
Which rules would you use?
> Anyway if you want to catch a nmap Ping:
> alert tcp any any -> $MY_HOME any (flags: A; ack: 0; msg:
> "NMAP TCP ping";)
I'd be interested in identifying nmap os fingerprints with snort. I could
find out nmap os fingerprint test 1 - 3 but cannot get further because I
suspect Snort not to see ack scans. See my log:
Apr 20 13:21:59 184.108.40.206:53180 -> 220.127.116.11:22 SYN *2****S*
nmap test 1 is a tcp syn packet to an open port.
Apr 20 13:21:59 18.104.22.168:53181 -> 22.214.171.124:22 NULL ********
nmap test 2 is a tcp null packet to an open port
Apr 20 13:21:59 126.96.36.199:53182 -> 188.8.131.52:22 NMAPID **U*P*SF
nmap test 3 sends a combination of urgent, push, syn and fin to an open port
where is snort's ack rule for nmap test 4 (tcp ack to an open port)?
Apr 20 13:21:59 184.108.40.206:53184 -> 220.127.116.11:1 SYN ******S*
This is nmap test 5 sending a syn to a closed port
where is snort's ack rule for nmap test 6 (tcp ack to a closed port)?
Apr 20 13:21:59 18.104.22.168:53186 -> 22.214.171.124:1 XMAS **U*P**F
nmap test 7 sending a tcp combination of urgent, push and fin to a closed
> Usually you will find it in the ICMP ruleset (alert
> ids 28)
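An added example, not code from this thread, that parses snort portscan log lines like the ones quoted above and reports which of the seven first-generation nmap fingerprint probes appear and which (the two ACK probes, tests 4 and 6) never made it into the log. It assumes the flag column is ordered 21UAPRSF and that the caller knows which local ports are open.

```python
import re

# Snort 1.x portscan flag column, left to right: two reserved bits ("2" is the
# bogus flag first-generation nmap sets), then URG ACK PSH RST SYN FIN. Assumed.
FLAG_ORDER = "21UAPRSF"

# The seven first-generation nmap OS fingerprint probes as the post lists
# them: (TCP flags set, state of the target port) -> test number.
NMAP_TESTS = {
    ("S", "open"): 1, ("", "open"): 2, ("UPSF", "open"): 3,
    ("A", "open"): 4,                     # the ACK probe snort never showed
    ("S", "closed"): 5, ("A", "closed"): 6, ("UPF", "closed"): 7,
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<name>\S+) (?P<flags>[*\w]{8})$"
)

def parse_flags(column: str) -> str:
    """Letters of the standard flags set in a snort flag column."""
    if len(column) != len(FLAG_ORDER):
        raise ValueError(f"unexpected flag column {column!r}")
    return "".join(f for f, c in zip(FLAG_ORDER, column)
                   if c != "*" and f in "UAPRSF")

def classify(log: str, open_ports: set) -> dict:
    """Map nmap test number -> first log line matching that probe."""
    seen = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a portscan log line
        state = "open" if int(m["dport"]) in open_ports else "closed"
        test = NMAP_TESTS.get((parse_flags(m["flags"]), state))
        if test is not None:
            seen.setdefault(test, line.strip())
    return seen

def missing_tests(log: str, open_ports: set) -> list:
    """Probe numbers from the 7-test sequence that never reached the log."""
    return sorted(set(NMAP_TESTS.values()) - set(classify(log, open_ports)))

# Constructed sample: the five lines from the post; port 22 is the open port.
SAMPLE_LOG = """\
Apr 20 13:21:59 184.108.40.206:53180 -> 220.127.116.11:22 SYN *2****S*
Apr 20 13:21:59 18.104.22.168:53181 -> 22.214.171.124:22 NULL ********
Apr 20 13:21:59 126.96.36.199:53182 -> 188.8.131.52:22 NMAPID **U*P*SF
Apr 20 13:21:59 184.108.40.206:53184 -> 220.127.116.11:1 SYN ******S*
Apr 20 13:21:59 18.104.22.168:53186 -> 22.214.171.124:1 XMAS **U*P**F
"""
```

Running `missing_tests(SAMPLE_LOG, {22})` on the sample returns `[4, 6]`, the two ACK-only probes; if those gaps persist with a rule like the quoted "NMAP TCP ping" one loaded, the problem is in what snort sees, not in the rules.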