On Fri, 20 Apr 2001, Philipp Snizek wrote:
Dear list-users,
I suspect Snort 1.7 not to see nmap ack scans. But I'm not sure about that.
These are the snort rules I run (pretty much, I know):

This is a known problem AFAIK. When I tried snort, it used the flags PUSH+ACK (PA in rulefile), so it would miss ACK. (OS' TCP-stack would generate PA). Snort also misses PUSH scan (at least when I tried). But meanwhile there should be some newer version :)
Sebastian
#include local.rules
include /snortrules/exploit.rules
include /snortrules/scan.rules
include /snortrules/finger.rules
include /snortrules/ftp.rules
include /snortrules/telnet.rules
include /snortrules/smtp.rules
include /snortrules/rpc.rules
include /snortrules/rservices.rules
include /snortrules/backdoor.rules
include /snortrules/dos.rules
include /snortrules/ddos.rules
#include dns.rules
#include netbios.rules
#include sql.rules
include /snortrules/web-cgi.rules
include /snortrules/web-coldfusion.rules
include /snortrules/web-frontpage.rules
include /snortrules/web-misc.rules
include /snortrules/web-iis.rules
include /snortrules/icmp.rules
include /snortrules/misc.rules
#include policy.rules
#include info.rules
#include virus.rules
This is the test I've been doing:
I'd be interested in identifying nmap OS fingerprints with snort. I could find out nmap OS fingerprint tests 1 - 7 but cannot get further with nmap tests 4 and 6:
Apr 20 13:21:59 212.232.168.184:53180 -> 212.232.168.180:22 SYN *2****S* RESERVEDBITS
nmap test 1 is a tcp syn packet to an open Port.
Apr 20 13:21:59 212.232.168.184:53181 -> 212.232.168.180:22 NULL ********
nmap test 2 is a tcp null packet to an open port
Apr 20 13:21:59 212.232.168.184:53182 -> 212.232.168.180:22 NMAPID **U*P*SF
nmap test 3 sends a combination of urgent, push, syn and fin to an open port
where is snort's ack rule for nmap test 4 (tcp ack to an open port)?
Apr 20 13:21:59 212.232.168.184:53184 -> 212.232.168.180:1 SYN ******S*
This is nmap test 5 sending a syn to a closed port
where is snort's ack rule for nmap test 6 (tcp ack to a closed port)?
Apr 20 13:21:59 212.232.168.184:53186 -> 212.232.168.180:1 XMAS **U*P**F
nmap test 7 sending a tcp combination of urgent, push and fin to a closed port
I hope one of you has an answer on how to make Snort see ack scans.
Thanx Philipp
--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
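As an added illustration (not code from the thread or from Snort itself), a small Python model of Snort 1.x exact `flags:` matching run over the seven nmap probes Philipp listed, showing why a rule written as `PA` never fires on tests 4 and 6. The flag values and the ruleset are constructed to match the quoted log lines, and the matching semantics are simplified (reserved bits masked off).

```python
# TCP flag bits (RFC 793) plus the two reserved bits that Snort 1.x prints
# as "1" and "2" in its eight-character flag column ("12UAPRSF").
FIN, SYN, RST, PSH, ACK, URG, RES2, RES1 = (1 << i for i in range(8))
LETTER_BIT = {"1": RES1, "2": RES2, "U": URG, "A": ACK,
              "P": PSH, "R": RST, "S": SYN, "F": FIN}

def snort_flag_string(flags):
    """Render a flags byte the way Snort logs it: set bits show their letter,
    clear bits show '*'. SYN with reserved bit 2 -> '*2****S*'."""
    return "".join(l if flags & b else "*" for l, b in LETTER_BIT.items())

def parse_rule_flags(spec):
    """Turn a 'flags:' value such as 'PA' or 'SFPU' into a bitmask.
    '0' means no flags set (the usual NULL-scan rule)."""
    return 0 if spec == "0" else sum(LETTER_BIT[c] for c in spec)

def rule_matches(spec, flags):
    """Exact-match semantics of a plain 'flags:' rule: every listed bit must
    be set and no other bit may be set. Reserved bits are masked off here
    so they do not hide a match (simplification of real Snort behaviour)."""
    return (flags & 0x3F) == parse_rule_flags(spec)

# The seven nmap OS-fingerprint probes from the original message
# (constructed flag values matching the quoted Snort log lines).
NMAP_TESTS = [
    ("T1 SYN to open port",        SYN | RES2),
    ("T2 NULL to open port",       0),
    ("T3 URG|PSH|SYN|FIN to open", URG | PSH | SYN | FIN),
    ("T4 ACK to open port",        ACK),
    ("T5 SYN to closed port",      SYN),
    ("T6 ACK to closed port",      ACK),
    ("T7 URG|PSH|FIN to closed",   URG | PSH | FIN),
]

def undetected(rule_specs):
    """Names of nmap probes that no rule in rule_specs would fire on."""
    return [name for name, f in NMAP_TESTS
            if not any(rule_matches(s, f) for s in rule_specs)]

if __name__ == "__main__":
    old = ["S", "0", "SFPU", "FPU", "PA"]   # ACK rule written as PUSH+ACK
    fixed = old + ["A"]                      # bare-ACK rule added
    for name, f in NMAP_TESTS:
        print(f"{snort_flag_string(f)}  {name}")
    print("missed by PA-only ruleset:", undetected(old))
    print("missed after adding flags:A:", undetected(fixed))
```

A bare `flags:A` rule also matches the pure acknowledgements every normal TCP session produces, so in practice it needs a narrowing condition (port, direction or threshold) to be usable as a scan signature.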