[Snort-users] Re: [Snort-users] nmap ack scans

Philipp Snizek mailinglists at ...1153...
Fri Apr 20 08:07:33 EDT 2001


> Hello,
>
> >I'm now running since several days Snort 1.7 with the
> >lastest ruleset.
> >Active Rulesets are:
> [SNIP]
> >Why are nmap ack scans not seen by snort?
>
> Hum ... you are running many rules (?)

Which rules would you use?

> Anyway if you want to catch a nmap Ping:
>
> alert tcp any any -> MY_HOME any (flags: A; ack: 0; msg:
> "NMAP TCP ping";)

I'd be interested in identifying nmap OS fingerprints with Snort. I could
find nmap OS fingerprint tests 1 - 3 but cannot get further because I
suspect Snort does not see ACK scans. See my log:

Apr 20 13:21:59 212.232.168.184:53180 -> 212.232.168.180:22 SYN *2****S* RESERVEDBITS

nmap test 1 is a TCP SYN packet to an open port.

Apr 20 13:21:59 212.232.168.184:53181 -> 212.232.168.180:22 NULL ********

nmap test 2 is a TCP NULL packet to an open port.

Apr 20 13:21:59 212.232.168.184:53182 -> 212.232.168.180:22 NMAPID **U*P*SF

nmap test 3 sends a combination of urgent, push, SYN and FIN to an open port.


Where is Snort's ACK rule for nmap test 4 (TCP ACK to an open port)?


Apr 20 13:21:59 212.232.168.184:53184 -> 212.232.168.180:1 SYN ******S*

This is nmap test 5, sending a SYN to a closed port.


Where is Snort's ACK rule for nmap test 6 (TCP ACK to a closed port)?


Apr 20 13:21:59 212.232.168.184:53186 -> 212.232.168.180:1 XMAS **U*P**F

nmap test 7 sends a TCP combination of urgent, push and FIN to a closed
port.


Philipp


> Usually you will find it in the ICMP ruleset (alert
> ids 28)
>
> regards,
> Jean-Philippe
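As an added example (not part of the post, and not Snort's or nmap's own code), a small Python parser that reads the portscan log lines quoted above, decodes the eight flag columns the way those lines show them (two reserved bits, then URG ACK PSH RST SYN FIN, '*' for a clear bit) and maps each probe onto the seven-step nmap OS fingerprint sequence Philipp lists, reporting which steps never appear in the log. The set of open ports is an assumption the analyst supplies (here port 22 open and port 1 closed, matching the quoted log).

```python
import re
# The seven TCP probes of the classic nmap OS fingerprint sequence, as the
# post enumerates them: (TCP flags set, state of the target port).
NMAP_TESTS = {
    1: (frozenset("S"), "open"),      # SYN to an open port
    2: (frozenset(), "open"),         # NULL to an open port
    3: (frozenset("UPSF"), "open"),   # URG PSH SYN FIN to an open port
    4: (frozenset("A"), "open"),      # ACK to an open port
    5: (frozenset("S"), "closed"),    # SYN to a closed port
    6: (frozenset("A"), "closed"),    # ACK to a closed port
    7: (frozenset("UPF"), "closed"),  # URG PSH FIN to a closed port
}

# Snort 1.x portscan log line; the 8 flag columns read "12UAPRSF" (two
# reserved bits, then URG ACK PSH RST SYN FIN), with '*' for a clear bit.
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<name>\S+) (?P<flags>\S{8})"
)
# Assumption: ports the analyst knows to be open on the scanned host
# (22 answered as open, 1 as closed in the quoted log).
OPEN_PORTS = {22}

# Log lines quoted in the post (test 1 re-joined onto one line).
SAMPLE_LOG = [
    "Apr 20 13:21:59 212.232.168.184:53180 -> 212.232.168.180:22 SYN *2****S* RESERVEDBITS",
    "Apr 20 13:21:59 212.232.168.184:53181 -> 212.232.168.180:22 NULL ********",
    "Apr 20 13:21:59 212.232.168.184:53182 -> 212.232.168.180:22 NMAPID **U*P*SF",
    "Apr 20 13:21:59 212.232.168.184:53184 -> 212.232.168.180:1 SYN ******S*",
    "Apr 20 13:21:59 212.232.168.184:53186 -> 212.232.168.180:1 XMAS **U*P**F",
]

def classify(line, open_ports=OPEN_PORTS):
    """Return the nmap test number (1-7) a portscan log line matches, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Non-'*' columns name set bits; drop the reserved bits ('1', '2') that
    # test 1 toggles, since they are not part of the flag combination.
    flags = frozenset(m["flags"]) - {"*", "1", "2"}
    state = "open" if int(m["dport"]) in open_ports else "closed"
    for num, (want, want_state) in NMAP_TESTS.items():
        if flags == want and state == want_state:
            return num
    return None

def missing_tests(lines, open_ports=OPEN_PORTS):
    """Test numbers from the sequence that never appear in the given log lines."""
    seen = {classify(line, open_ports) for line in lines}
    return sorted(t for t in NMAP_TESTS if t not in seen)
```

Run over the quoted log, `missing_tests(SAMPLE_LOG)` returns `[4, 6]`, the two ACK probes the post asks about; any ACK-only probe that does get logged would classify as test 4 or 6 depending on the port state.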
