No subject


Thu Nov 23 16:36:19 EST 2017


> Laurie,
> The newer rulesets have an updated rule for this alert.  (Credits to Max
> Vision on the update)
> alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS28 - PING NMAP TCP"; flags:A; ack:0;)
> Thanks.
> 
> Jim Forster
> Network Administrator
> RapidNet / DakotaConnect
> 
> When I'm feeling down, I like to whistle.
> It makes the neighbor's dog run to the end of his chain and gag himself.
> 
> ----- Original Message -----
> From: "Laurie Zirkle" <lat at ...214...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Friday, August 04, 2000 9:57 AM
> Subject: [Snort-users] False PING NMAP TCP
> 
> 
> > I'm starting to see more false alerts from the PING NMAP TCP alert
> > from the rules at www.snort.org.  In particular, load-balancing is
> > being flagged as PING NMAP TCP.  Any chance of getting a better rule
> > for this?  Here's one example:
> >
> > Aug  4 08:41:59 hostm snort[314]: IDS028 - PING NMAP TCP: 205.128.11.157:80 -> z.y.w.98:53
> > Aug  4 08:41:59 hostm snort[314]: IDS028 - PING NMAP TCP: 205.128.11.157:53 -> z.y.w.98:53
> > ------
> > [**] IDS028 - PING NMAP TCP [**]
> > 08/04-08:41:59.180096 205.128.11.157:80 -> z.y.w.98:53
> > TCP TTL:44 TOS:0x0 ID:37618
> > ******A* Seq: 0x335   Ack: 0x0   Win: 0x578
> > 00 00 00 00 00 00                                ......
> >
> > [**] IDS028 - PING NMAP TCP [**]
> > 08/04-08:41:59.180237 205.128.11.157:53 -> z.y.w.98:53
> > TCP TTL:44 TOS:0x0 ID:37619
> > ******A* Seq: 0x336   Ack: 0x0   Win: 0x578
> > 00 00 00 00 00 00                                ......
> >
> >
> >
> >
> > --
> > Laurie
> >
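As an added example (not code from the thread, Snort, or its authors), the following Python re-implements the header and option test behind the quoted rule, `!$HOME_NET any -> $HOME_NET any` with `flags:A; ack:0;`, and runs it over constructed packet records so a defender can see exactly which packets that rule fires on: the two log entries above (with the obfuscated `z.y.w.98` replaced by the constructed address 10.1.2.98), an ordinary established-session ACK, an inbound SYN, and an ACK leaving the home network. The `HOME_NET` value, the `TcpPacket` record and all sample packets are assumptions made for this example.

```python
"""Added example, not from the Snort-users thread: a minimal model of the
'IDS28 - PING NMAP TCP' rule's matching logic (flags:A; ack:0;), evaluated
over constructed packet records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption for this example: HOME_NET is 10.0.0.0/8. The log's obfuscated
# z.y.w.98 is represented by the constructed address 10.1.2.98.
HOME_NET = [ip_network("10.0.0.0/8")]


@dataclass
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # Snort-style flag letters, e.g. "A", "S", "SA", "PA"
    ack: int     # TCP acknowledgement number
    seq: int     # TCP sequence number


def in_home_net(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in HOME_NET)


def matches_ping_nmap_tcp(pkt: TcpPacket) -> bool:
    """Rule header: tcp !$HOME_NET any -> $HOME_NET any
    Rule options: flags:A (exactly the ACK bit, no modifier means exact match)
                  ack:0   (acknowledgement number is zero)"""
    if in_home_net(pkt.src):          # source must be outside HOME_NET
        return False
    if not in_home_net(pkt.dst):      # destination must be inside HOME_NET
        return False
    if set(pkt.flags) != {"A"}:       # flags:A -> ACK set and nothing else
        return False
    return pkt.ack == 0               # ack:0


# Constructed sample traffic. The first two records carry the values from the
# two log entries in the thread; the rest are ordinary traffic for contrast.
SAMPLE_PACKETS = [
    TcpPacket("205.128.11.157", 80, "10.1.2.98", 53, "A", ack=0x0, seq=0x335),
    TcpPacket("205.128.11.157", 53, "10.1.2.98", 53, "A", ack=0x0, seq=0x336),
    # Established-session ACK with a real ack number: no alert expected
    TcpPacket("198.51.100.7", 443, "10.1.2.98", 51234, "A", ack=0x1A2B3C4D, seq=0x10),
    # Inbound SYN: flag mismatch, no alert expected
    TcpPacket("198.51.100.7", 40000, "10.1.2.98", 22, "S", ack=0, seq=0x10),
    # ACK with ack 0 leaving HOME_NET: direction mismatch, no alert expected
    TcpPacket("10.1.2.98", 53, "205.128.11.157", 80, "A", ack=0, seq=0x1),
]


def evaluate(packets=SAMPLE_PACKETS) -> list:
    """Return one True/False per packet: would the rule alert on it?"""
    return [matches_ping_nmap_tcp(p) for p in packets]


if __name__ == "__main__":
    for pkt, hit in zip(SAMPLE_PACKETS, evaluate()):
        verdict = "ALERT" if hit else "ok"
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"flags={pkt.flags} ack={pkt.ack:#x} -> {verdict}")
```

Running the script prints one verdict per sample packet. The direction check is what `!$HOME_NET` / `$HOME_NET` in the rule header contribute; the `flags:A` test is an exact match because the quoted rule uses no `+` or `*` modifier, so a packet with ACK plus PSH, for example, would not trigger it.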