LinuxQuestions.org

jmARC 06-09-2005 06:35 AM

How to detect nmap SYN scan w snort
 
Hi.

I need a snort rule that detects an nmap -sS scan, but not a -sT scan.

Both scans send a SYN flag to establish a connection, so I don't know how to determine in this first step what kind of scan they are doing.

Any idea?

TIA.

jmARC

mattLSO 06-09-2005 11:09 AM

I'm afraid that a connect scan sends a SYN packet, so I can see no way of not firing a SYN rule
for a connect scan. However, this is a standard snort rule for a SYN scan:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)

The results of which (slightly edited for privacy):

Jun 9 12:05:27 200.*.235.*0:51202 -> MYHOST:22 SYN ******S*
Jun 9 12:05:27 200.*.235.*0:51210 -> MYHOST:22 SYN ******S*
Jun 9 12:05:28 200.*.235.*0:51221 -> MYHOST:22 SYN ******S*
Jun 9 12:05:29 200*.235.*0:51226 -> MYHOST:22 SYN ******S*
Jun 9 12:05:29 200.*.235.*0:51231 -> MYHOST:22 SYN ******S*

If anyone knows of a way, I would be very interested too.

Regards
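
As an added example (not code from this thread): the rule above fires on the SYN alone, which both scan types send, so the only place the two differ is one step later in the handshake. A half-open (-sS) probe answers the server's SYN/ACK with a RST and never sends the final ACK, while a connect() probe completes the three-way handshake before closing. The tracker below follows each client flow through those steps over a constructed packet trace; the addresses, ports and alert threshold are assumptions.

```python
from collections import Counter

# Constructed packet trace (not from the thread): src, sport, dst, dport, TCP flags, in arrival order.
TRACE = [
    ("203.0.113.9", 51202, "192.0.2.10", 22, "S"),   # half-open probe: SYN ...
    ("192.0.2.10", 22, "203.0.113.9", 51202, "SA"),  # ... server SYN/ACK ...
    ("203.0.113.9", 51202, "192.0.2.10", 22, "R"),   # ... client RST, the final ACK never comes
    ("203.0.113.9", 51210, "192.0.2.10", 22, "S"),   # connect() probe: SYN ...
    ("192.0.2.10", 22, "203.0.113.9", 51210, "SA"),
    ("203.0.113.9", 51210, "192.0.2.10", 22, "A"),   # ... third ACK completes the handshake
    ("203.0.113.9", 51210, "192.0.2.10", 22, "RA"),  # ... then the connection is closed
    ("203.0.113.9", 51221, "192.0.2.10", 23, "S"),   # closed port: server answers RST/ACK
    ("192.0.2.10", 23, "203.0.113.9", 51221, "RA"),
    ("203.0.113.9", 51226, "192.0.2.10", 80, "S"),   # SYN that gets no reply at all
]

def classify_flows(trace):
    """Follow each client-initiated flow through the handshake.
    Returns {(client, cport, server, sport): label}; final labels are
    'syn-only', 'closed-port', 'half-open' or 'full-connect'
    ('synack-seen' means the client has not answered the SYN/ACK yet)."""
    flows = {}
    for src, sport, dst, dport, flags in trace:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if "S" in flags and "A" not in flags:              # fresh SYN from a client
            flows[fwd] = "syn-only"
        elif flows.get(rev) == "syn-only":                 # server's reply to that SYN
            if "S" in flags and "A" in flags:
                flows[rev] = "synack-seen"
            elif "R" in flags:
                flows[rev] = "closed-port"
        elif flows.get(fwd) == "synack-seen":              # client's answer to the SYN/ACK
            flows[fwd] = "half-open" if "R" in flags else "full-connect"
    return flows

def half_open_sources(trace, threshold=1):
    """Count half-open flows per client address; return those at or above threshold."""
    counts = Counter(client for (client, _, _, _), label in classify_flows(trace).items()
                     if label == "half-open")
    return {client: n for client, n in counts.items() if n >= threshold}
```

Raising the threshold turns the per-flow verdict into a per-source portscan alert, which is how you keep a single aborted connection from firing.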


All times are GMT -5. The time now is 11:24 PM.