[Snort-users] question ? -> (MISC Large ICMP Packet)
mkettler at ...4108...
Thu Jan 3 14:43:05 EST 2002
Well.. this "stealth" mode of nmap is not *that* stealthy, ie: it does
genuinely start the connection process, and all of the packets generated by
this scan are completely legal and occur in normal traffic. For that matter
snort won't log a -sT connect() scan of a single port either, unless spade
calls it anomalous in which case either scan would be logged. These kinds
of scans, and super-slow port scans are why the spade preprocessor exists
in the first place.
The NMAP "syn" scan generates a 100% normal, genuine syn packet to initiate
a connection, but instead of acking the syn-ack packet that comes back, it
sends a RST instead. This behavior is also what will happen if a machine
tries to open a connection but times out before a syn-ack is generated or
if some bizarre failure kills the connecting process on the originating side.
I believe (but could be wrong) that the only way to detect these scans
would be a stateful inspection of the stream. You would need to detect a
syn, followed promptly by a syn-ack, followed promptly by a rst packet. And
even that might false like crazy on real-world traffic, I'm not sure how
common it is for a process to fault while in the middle of a connection.
However, if you are filtering port 5000, no syn-ack will be generated, no
rst will be sent, thus nothing abnormal at all happens that snort could
detect (except spade). That said snort does not detect this kind of scan as
stealth activity even with stream4's detect_state_problems feature enabled
and even if the port is an unfiltered port. Spade picks up the packets
going to unusual ports, like 5000, but not -sS against a webserver's port
80, for example.
(p.s. I'm using snort 1.8.2 with spade enabled if it matters to anyone).
Also if the scan was directed at a port range the port scan preprocessor
would likely catch it.
At 01:07 PM 12/30/2001 -0500, cdowns wrote:
> Out of curiosity I decided to check my network for port 5000 tcp.
> Just for the hell of it and to see how Snort will react to someone
> snooping for the new Xsploit.c tcp 5000 windows ME/XP remote DOS/Shell.
> here I used a really basic NMAP Stealth Syn scan and here is the reply in
> the /var/log/snort/alert:
>blasphemy# nmap -sS -p 5000 126.96.36.199/27
>Obviously I deny all Traffic to these high ports but stumped to the
>output. Can anyone explain why Snort does not see a NMAP Syn scan or does
>stealth mode actually work ?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users