[Snort-users] blocking nmap -P0 attack

N B snrlist at ...11827...
Mon Jan 10 04:44:07 EST 2005


dear all,

I'm using snort and snortsam in my organization to keep watch on all
network activity.
To block suspicious activity I have configured snortsam along with snort.
Everything is working fine.

But I noticed that port scan attacks placed with the -P0 option are not
getting detected.

The rules I'm using to block ICMP packets with 0 payload are as below:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping"; dsize:0; sid:111111; fwsam: dst, 10 mins;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping"; dsize:0; sid:111111; fwsam: src, 10 mins;)
alert icmp any any -> $HOME_NET any (msg:"0 byte ICMP PING NMAP"; dsize:0; sid:111112; fwsam: src, 10 mins;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"0 byte icmp ping nmap"; dsize:0; sid:111113; fwsam: src, 10 mins;)
alert tcp 192.168.x.y any -> any any (flags:A; ack:0; msg:"0 byte NMAP TCP ping"; sid:1235; fwsam: src, 12 mins;)
alert tcp 192.168.x.y any -> $HOME_NET any (flags:A; ack:0; msg:"NMAP TCP ping"; sid:1236; fwsam: src, 2 mins;)
alert icmp 192.168.x.y any -> $EXTERNAL_NET any (msg:"0 byte NMAP ICMP PING"; dsize:0; sid:1414; fwsam: src, 12 mins;)
alert icmp 192.168.x.y any -> $HOME_NET any (msg:"0 NMAP ICMP ping"; dsize:0; sid:1415; fwsam: src, 12 mins;)
alert icmp 192.168.x.y any -> $EXTERNAL_NET any (msg:"0 BYTE NMAP ICMP ping"; sid:1416; fwsam: src, 12 mins;)

Please help me out to detect that also.

With regards
linux admin
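An added example, not part of the original post, showing why the rules above stay silent against a -P0 scan: with -P0 nmap skips host discovery, so the zero-payload ICMP echo and the TCP ACK ping that those rules key on are never sent, and only the scan probes themselves reach the network. A per-packet rule cannot notice that, because the tell-tale is not any single packet but one source touching many ports of one host in a short time. The script replays constructed traces (a default scan, the same scan with -P0, and benign client traffic), applies the dsize:0 logic of the poster's ICMP rules, and then a simple distinct-port threshold of the kind a portscan preprocessor uses. All addresses, timings, the window and the threshold are assumptions made for illustration, not Snort defaults.

```python
"""Compare a per-packet 'ICMP dsize:0' check with a stateful port-count check.

Added example (not code from the original post). The packet traces below are
constructed, hypothetical captures; window/threshold values are assumptions.
"""
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float          # seconds since start of trace
    src: str
    dst: str
    proto: str         # "icmp" or "tcp"
    dport: int         # 0 for icmp
    flags: str         # tcp flags as letters ("S" = SYN), "" for icmp
    payload_len: int   # what Snort's dsize inspects


SCANNER = "203.0.113.5"      # constructed external address
TARGET = "192.168.1.10"      # constructed internal host
PROBED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445]

# Constructed trace of a default nmap run: host discovery (an ICMP echo with
# no payload) comes first, then one SYN per probed port.
DEFAULT_SCAN = [Packet(0.0, SCANNER, TARGET, "icmp", 0, "", 0)] + [
    Packet(0.1 + i * 0.01, SCANNER, TARGET, "tcp", port, "S", 0)
    for i, port in enumerate(PROBED_PORTS)
]

# Constructed trace of the same run with -P0: host discovery is skipped, so
# the ICMP echo never appears and only the SYN probes are on the wire.
P0_SCAN = [pkt for pkt in DEFAULT_SCAN if pkt.proto == "tcp"]

# Constructed benign traffic: one client opening connections to two services.
BENIGN = [
    Packet(0.0, "192.168.1.50", TARGET, "tcp", 80, "S", 0),
    Packet(0.5, "192.168.1.50", TARGET, "tcp", 443, "S", 0),
    Packet(1.0, "192.168.1.50", TARGET, "tcp", 80, "S", 0),
]


def icmp_zero_payload_rule(packets):
    """Per-packet logic of the poster's rules: ICMP with dsize:0.

    Returns the sorted list of source addresses that would trigger an alert.
    """
    return sorted({p.src for p in packets if p.proto == "icmp" and p.payload_len == 0})


def syn_scan_detector(packets, window=5.0, threshold=8):
    """Stateful logic: alert on a source that sends SYNs to at least
    `threshold` distinct ports of a single host within `window` seconds.

    Returns the sorted list of source addresses flagged as scanning.
    """
    flagged = set()
    recent = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] inside window
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto != "tcp" or p.flags != "S":
            continue
        key = (p.src, p.dst)
        # Keep only probes still inside the sliding window, then add this one.
        recent[key] = [(t, d) for t, d in recent[key] if p.ts - t <= window]
        recent[key].append((p.ts, p.dport))
        if len({d for _, d in recent[key]}) >= threshold:
            flagged.add(p.src)
    return sorted(flagged)


if __name__ == "__main__":
    for name, trace in [("default scan", DEFAULT_SCAN), ("-P0 scan", P0_SCAN), ("benign", BENIGN)]:
        print(f"{name:12s} dsize:0 rule -> {icmp_zero_payload_rule(trace)}"
              f"   port-count -> {syn_scan_detector(trace)}")
```

Run stand-alone, the default scan is caught by both checks, the -P0 scan only by the port-count check, and the benign client by neither. The practical consequence for the setup in the post is that blocking a -P0 scan has to be driven by Snort's portscan preprocessor (or equivalent stateful logic that counts ports across packets), not by the ICMP and ACK-ping rules, which only ever see the discovery phase that -P0 removes.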
