[Snort-users] question ? -> (MISC Large ICMP Packet)

Matt Kettler mkettler at ...4108...
Thu Jan 3 14:43:05 EST 2002

Well.. this "stealth" mode of nmap is not *that* stealthy, ie: it does 
genuinely start the connection process, and all of the packets generated by 
this scan are completely legal and occur in normal traffic. For that matter 
snort won't log a -sT connect() scan of a single port either, unless spade 
calls it anomalous in which case either scan would be logged. These kinds 
of scans, and super-slow port scans are why the spade preprocessor exists 
in the first place.

The NMAP "syn" scan generates a 100% normal, genuine syn packet to initiate 
a connection, but instead of acking the syn-ack packet that comes back, it 
sends a RST instead. This behavior is also what will happen if a machine 
tries to open a connection but times out before a syn-ack is generated or 
if some bizarre failure kills the connecting process on the originating side.

I believe (but could be wrong) that the only way to detect these scans 
would be a stateful inspection of the stream. You would need to detect a 
syn, followed promptly by a syn-ack, followed promptly by a rst packet. And 
even that might false like crazy on real-world traffic, I'm not sure how 
common it is for a process to fault while in the middle of a connection.

However, if you are filtering port 5000, no syn-ack will be generated, no 
rst will be sent, thus nothing abnormal at all happens that snort could 
detect (except spade). That said snort does not detect this kind of scan as 
stealth activity even with stream4's detect_state_problems feature enabled 
and even if the port is an unfiltered port. Spade picks up the packets 
going to unusual ports, like 5000, but not -sS against a webserver's port 
80, for example.

(p.s. I'm using snort 1.8.2 with spade enabled if it matters to anyone).

Also if the scan was directed at a port range the port scan preprocessor 
would likely catch it.

At 01:07 PM 12/30/2001 -0500, cdowns wrote:
>Morning All,
>     Out of curiosity I decided to check my network for port 5000 tcp. 
> Just for the hell of it and to see how Snort will react to someone 
> snooping for the new Xsploit.c  tcp 5000 windows ME/XP remote DOS/Shell. 
> here I used a really basic NMAP Stealth Syn scan and here is the reply in 
> the /var/log/snort/alert:
>blasphemy# nmap -sS -p 5000
>Obviously I deny all Traffic to these high ports but stumped to the 
>output. Can anyone explain why Snort does not see a NMAP Syn  scan or does 
>stealth mode actually work ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020103/7b02c5c4/attachment.html>

More information about the Snort-users mailing list