
jmARC 06-09-2005 06:35 AM

How to detect nmap SYN scan w snort

I need a snort rule that detects nmap -sS scan, but not -sT scan.

Both scans send a SYN flag to establish a connection, so I don't know how to determine in this first step what kind of scan they are doing.

Any idea?



mattLSO 06-09-2005 11:09 AM

I'm afraid that a connect scan sends a SYN packet, so I can see no way of not firing a SYN rule
for a connect scan; however, this is a standard snort rule for a SYN scan.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)

The results of which (slightly edited for privacy):

Jun 9 12:05:27 200.*.235.*0:51202 -> MYHOST:22 SYN ******S*
Jun 9 12:05:27 200.*.235.*0:51210 -> MYHOST:22 SYN ******S*
Jun 9 12:05:28 200.*.235.*0:51221 -> MYHOST:22 SYN ******S*
Jun 9 12:05:29 200*.235.*0:51226 -> MYHOST:22 SYN ******S*
Jun 9 12:05:29 200.*.235.*0:51231 -> MYHOST:22 SYN ******S*

If anyone knows of a way, I would be very interested too.
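An added illustration, not code from either poster: the rule quoted above judges each packet on its own, which is why a SYN from -sS and a SYN from -sT look identical to it. What separates the two is the third packet of the handshake: a connect() scan lets the kernel finish the handshake with an ACK, while a half-open scan answers the SYN/ACK with a RST and never completes it. On a closed port both scans see the same SYN then RST/ACK exchange, so the difference is only observable on open ports. The tracker below keeps that per-flow state and then tallies verdicts per client address. The packet tuple layout, the host names "scanner" and "myhost", and the port numbers are all constructed for this example.

```python
from collections import defaultdict

# Verdict labels for a client-initiated TCP flow (constructed for this example).
HALF_OPEN = "half-open"   # SYN, SYN/ACK from server, then RST from client: the -sS shape
CONNECT = "connect"       # SYN, SYN/ACK, then ACK from client: handshake completed, the -sT shape
CLOSED = "closed"         # SYN answered by RST from the server: port closed, both scans look alike
PENDING = "pending"       # nothing conclusive seen yet (unanswered or filtered)


def classify(packets):
    """Track each client-initiated flow and decide how far the handshake got.

    `packets` is an iterable of (src, sport, dst, dport, flags) tuples in
    capture order, with flags given as TCP flag letters ("S", "SA", "A", "RA").
    Returns {(client, cport, server, sport): verdict}.
    """
    flows = {}
    for src, sport, dst, dport, flags in packets:
        f = set(flags)
        forward = (src, sport, dst, dport)   # packet travelling client -> server
        reverse = (dst, dport, src, sport)   # packet travelling server -> client
        if f == {"S"}:
            # A bare SYN opens (or re-opens, on retransmit) a tracked flow.
            flows[forward] = {"state": "SYN_SENT", "verdict": PENDING}
        elif reverse in flows:
            # Reply from the server side of a flow we are tracking.
            flow = flows[reverse]
            if flow["state"] == "SYN_SENT":
                if f == {"S", "A"}:
                    flow["state"] = "SYN_ACK_SEEN"
                elif "R" in f:
                    flow["state"], flow["verdict"] = "DONE", CLOSED
        elif forward in flows:
            # Client's first packet after the server's SYN/ACK decides the verdict.
            flow = flows[forward]
            if flow["state"] == "SYN_ACK_SEEN":
                if "R" in f:
                    flow["state"], flow["verdict"] = "DONE", HALF_OPEN
                elif "A" in f:
                    flow["state"], flow["verdict"] = "DONE", CONNECT
    return {key: flow["verdict"] for key, flow in flows.items()}


def summarize(verdicts):
    """Per client address, count distinct (server, port) targets under each verdict."""
    per_client = defaultdict(lambda: defaultdict(set))
    for (client, _cport, server, sport), verdict in verdicts.items():
        per_client[client][verdict].add((server, sport))
    return {client: {v: len(targets) for v, targets in by_verdict.items()}
            for client, by_verdict in per_client.items()}


# Constructed sample traffic (not from the thread): one client host probing "myhost".
SAMPLE_PACKETS = [
    # Port 22, half-open probe: SYN/ACK comes back, client tears it down with RST.
    ("scanner", 51202, "myhost", 22, "S"),
    ("myhost", 22, "scanner", 51202, "SA"),
    ("scanner", 51202, "myhost", 22, "R"),
    # Port 22 again, full connect: client ACKs the SYN/ACK, then closes normally.
    ("scanner", 51210, "myhost", 22, "S"),
    ("myhost", 22, "scanner", 51210, "SA"),
    ("scanner", 51210, "myhost", 22, "A"),
    ("scanner", 51210, "myhost", 22, "FA"),
    # Port 23, closed: server answers the SYN with RST/ACK (same for -sS and -sT).
    ("scanner", 51221, "myhost", 23, "S"),
    ("myhost", 23, "scanner", 51221, "RA"),
    # Port 80, no answer at all: stays pending.
    ("scanner", 51226, "myhost", 80, "S"),
]


def demo():
    """Run the tracker over the constructed sample and return the per-client tally."""
    return summarize(classify(SAMPLE_PACKETS))


if __name__ == "__main__":
    for client, counts in demo().items():
        print(client, counts)
```

Feeding this real traffic means decoding packets into the same tuples (for instance from a pcap), and a production version would also expire stale flows; the point here is only that the half-open versus connect distinction lives in connection state, not in any single SYN.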

