Dear list-users,

I suspect Snort 1.7 not to see nmap ack scans. But I'm not sure about that.

These are the snort rules I run (pretty much, I know):

#include local.rules
include /snortrules/exploit.rules
include /snortrules/scan.rules
include /snortrules/finger.rules
include /snortrules/ftp.rules
include /snortrules/telnet.rules
include /snortrules/smtp.rules
include /snortrules/rpc.rules
include /snortrules/rservices.rules
include /snortrules/backdoor.rules
include /snortrules/dos.rules
include /snortrules/ddos.rules
#include dns.rules
#include netbios.rules
#include sql.rules
include /snortrules/web-cgi.rules
include /snortrules/web-coldfusion.rules
include /snortrules/web-frontpage.rules
include /snortrules/web-misc.rules
include /snortrules/web-iis.rules
include /snortrules/icmp.rules
include /snortrules/misc.rules
#include policy.rules
#include info.rules
#include virus.rules

This is the test I've been doing: I'd be interested in identifying nmap OS fingerprints with snort. I could find out nmap OS fingerprint test 1 - 7 but cannot get further with nmap test 4 and 6:

Apr 20 13:21:59 212.232.168.184:53180 -> 212.232.168.180:22 SYN *2****S* RESERVEDBITS

nmap test 1 is a tcp syn packet to an open port.

Apr 20 13:21:59 212.232.168.184:53181 -> 212.232.168.180:22 NULL ********

nmap test 2 is a tcp null packet to an open port.

Apr 20 13:21:59 212.232.168.184:53182 -> 212.232.168.180:22 NMAPID **U*P*SF

nmap test 3 sends a combination of urgent, push, syn and fin to an open port.

Where is snort's ack rule for nmap test 4 (tcp ack to an open port)?

Apr 20 13:21:59 212.232.168.184:53184 -> 212.232.168.180:1 SYN ******S*

This is nmap test 5 sending a syn to a closed port.

Where is snort's ack rule for nmap test 6 (tcp ack to a closed port)?

Apr 20 13:21:59 212.232.168.184:53186 -> 212.232.168.180:1 XMAS **U*P**F

nmap test 7 sending a tcp combination of urgent, push and fin to a closed port.

I hope one of you has got an answer on how to make Snort see ack scans.
Thanx Philipp
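
Added example, not part of the original post and not Snort code: a small parser for the portscan log lines quoted above that reports which of the seven nmap tests were logged for each source/target pair and which are absent. The function names, the open_ports parameter (port 22 open and port 1 closed, as in the post) and the ACK-only flag string are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (Snort 1.7 portscan log format).
SAMPLE_LOG = """\
Apr 20 13:21:59 212.232.168.184:53180 -> 212.232.168.180:22 SYN *2****S* RESERVEDBITS
Apr 20 13:21:59 212.232.168.184:53181 -> 212.232.168.180:22 NULL ********
Apr 20 13:21:59 212.232.168.184:53182 -> 212.232.168.180:22 NMAPID **U*P*SF
Apr 20 13:21:59 212.232.168.184:53184 -> 212.232.168.180:1 SYN ******S*
Apr 20 13:21:59 212.232.168.184:53186 -> 212.232.168.180:1 XMAS **U*P**F
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \S+ (?P<flags>[12UAPRSF*]{8})")

# Flag string -> (test number if sent to an open port, if sent to a closed port),
# following the test descriptions in the post. The ACK-only string is constructed
# from Snort's 12UAPRSF flag order; no such line appears in the post.
PROBES = {
    "*2****S*": (1, None),   # SYN with a reserved bit
    "********": (2, None),   # NULL
    "**U*P*SF": (3, None),   # URG, PSH, SYN, FIN
    "***A****": (4, 6),      # bare ACK
    "******S*": (None, 5),   # plain SYN
    "**U*P**F": (None, 7),   # URG, PSH, FIN
}

def parse(log):
    """Yield (src, dst, dport, flags) for each line in the portscan log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["flags"]

def coverage(log, open_ports):
    """Map (src, dst) -> (tests logged, tests not logged), both sorted."""
    seen = defaultdict(set)
    for src, dst, dport, flags in parse(log):
        on_open, on_closed = PROBES.get(flags, (None, None))
        test = on_open if dport in open_ports else on_closed
        if test is not None:
            seen[(src, dst)].add(test)
    return {k: (sorted(v), sorted(set(range(1, 8)) - v)) for k, v in seen.items()}

if __name__ == "__main__":
    for (src, dst), (got, missing) in coverage(SAMPLE_LOG, {22}).items():
        print(f"{src} -> {dst}: logged tests {got}, not logged {missing}")
```

Run on the five lines from the post with port 22 marked open, it lists tests 4 and 6 as not logged.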