How to detect nmap SYN scan w snort
I need a snort rule that detects nmap -sS scan, but not -sT scan.
Both scan sends SYN flag to stablish connection, so I don't know how to determine in this first step what kind of scan they are doing.
Im affraid that a connect scan sends a SYN packet, so I can see no way of not firing a SYN rules
for a connect scan, however this is a standard snort rule for a SYN scan.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
The results of which(slightly edited for privacy)
Jun 9 12:05:27 200.*.235.*0:51202 -> MYHOST:22 SYN ******S*
Jun 9 12:05:27 200.*.235.*0:51210 -> MYHOST:22 SYN ******S*
Jun 9 12:05:28 200.*.235.*0:51221 -> MYHOST:22 SYN ******S*
Jun 9 12:05:29 200*.235.*0:51226 -> MYHOST:22 SYN ******S*
Jun 9 12:05:29 200.*.235.*0:51231 -> MYHOST:22 SYN ******S*
If anyone knows of a way, I would be very interested too.
|All times are GMT -5. The time now is 11:58 PM.|