[Snort-users] nmap tcp connect scan prevention

wkitty42 at ...14940...
Sat Sep 21 12:17:51 EDT 2013


On Saturday, September 21, 2013 8:02 AM, Meysam Farazmand <farazmand.meisam at ...11827...> wrote: 
> I need a rule to prevent nmap tcp connect scan (-sT option). Anybody know about this?

have you done any testing and caught any packets with a tool like tcpdump? packet captures (aka pcaps) will give you a lot of information for creating your rules...

FWIW: there are numerous nmap related rules in the emergingthreats rule sets but none of them specifically state that they are for -sT (connection scanning)...

is there only one connect attempt and then nothing more? perhaps you can detect connections with no other traffic in X amount of time... perhaps even multiple connections on multiple ports from the same IP within X amount of time...
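The two heuristics suggested in the reply above (connections that carry no traffic after the handshake, and one source touching many ports in a short window) can be prototyped outside Snort before being turned into rules. The script below is an added example written for this thread, not code from the list post or from the Snort project. It reads a constructed, simplified flow log (timestamp, source, destination host:port, payload bytes after the handshake) and reports sources that reached at least N distinct ports within a sliding window of W seconds, optionally counting only flows that carried no payload, which is what a completed-then-closed -sT probe looks like. The log format, thresholds and addresses are all assumptions made for the example.

```python
"""Prototype of the port-count / empty-flow scan heuristic from the reply.

Added example for illustration; the log lines are constructed, not real
captures, and the record format is invented for this script.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: "<ISO timestamp> <src ip> <dst host>:<port> <payload bytes>".
# 10.0.0.5 completes handshakes on six ports in three seconds with no payload
# (what a -sT scan produces); 10.0.0.7 is a normal client re-using port 443;
# 10.0.0.9 touches two ports, only one of them with an empty flow.
SAMPLE_LOG = """\
2013-09-21T12:00:00 10.0.0.5 192.168.1.10:22 0
2013-09-21T12:00:01 10.0.0.5 192.168.1.10:80 0
2013-09-21T12:00:01 10.0.0.5 192.168.1.10:443 0
2013-09-21T12:00:02 10.0.0.5 192.168.1.10:8080 0
2013-09-21T12:00:02 10.0.0.5 192.168.1.10:3306 0
2013-09-21T12:00:03 10.0.0.5 192.168.1.10:25 0
2013-09-21T12:00:10 10.0.0.7 192.168.1.10:443 1200
2013-09-21T12:00:40 10.0.0.7 192.168.1.10:443 900
2013-09-21T12:01:30 10.0.0.9 192.168.1.10:22 0
2013-09-21T12:02:00 10.0.0.9 192.168.1.10:80 300
"""


def parse_line(line):
    """Split one constructed log record into (timestamp, src, host, port, bytes)."""
    ts, src, dst, payload = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), int(payload)


def find_scanners(log_text, window_seconds=60, port_threshold=5,
                  only_empty_flows=True):
    """Return {src_ip: max distinct (host, port) pairs seen in any window}
    for sources that hit at least port_threshold distinct pairs within
    window_seconds.  With only_empty_flows=True, flows that carried payload
    after the handshake are ignored, so a busy legitimate client does not
    trip the count.  Uses one sliding window (deque) per source address."""
    windows = defaultdict(deque)
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, payload = parse_line(line)
        if only_empty_flows and payload != 0:
            continue
        q = windows[src]
        q.append((ts, host, port))
        # Expire events older than the window; the newest event (age 0)
        # always stays, so this loop terminates.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {(h, p) for _, h, p in q}
        if len(distinct) >= port_threshold:
            hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible connect scan from {src}: {count} distinct ports within 60s")
```

Running it with the defaults flags only 10.0.0.5; the payload filter keeps 10.0.0.9 out even at a threshold of two, because only one of its flows was empty. When moving this into Snort itself, the sfPortscan preprocessor already keeps per-source port-count state of this kind, so the script mainly helps choose a window and threshold that fit your own traffic before tuning that.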


