Re: ACK Scans

[Triple Crown <triplecrown () optonline net>]

Philippe Biondi wrote:

> On Fri, 23 May 2003, Triple Crown wrote:
>
>  
>
> > I'm researching some snort archived files from last year and have keyed on
> > some detects triggered by this snort rule:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap
> > TCP";flags:A;ack:0;
> > reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)
> >
> > I've tried to reproduce the scan with nmap of sending a lone ACK flag
> > with an acknowlegement  number of 0 without any success.
> >
> > A google search lead me to this:
> > http://archives.neohapsis.com/archives/snort/2000-08/0163.html
> >
> > Apparently there was a bug in an older version of nmap that would
> > produce this type of
> > scan. The date on the posts from the above URL suggest that the bug
> > existed a few
> > years back.
> >
> > Does anyone know if it is possible to reproduce this scan with nmap
> > without the older
> > version ? All of my testing with -PT or -sA resulted in what appears to
> > be random
> > ACK numbers
> >
> > On a side note -
> > It may just be my ignorance of using the -PT  flag properly but I found
> > you can't do
> > a -PT80 as suggested in the man pages to scan port 80, but by adding
> > -p80 it
> > works properly.
> >
> > Any help is appreciated.....
> >    
>
> Use tcpdump to know exactly what are the sent packets and if they matrch
> your expectations.
>
>  
I've been using tcpdump and I have not found it possible to send an ack 0
with nmap. I don't think the snort rule is of much value for nmap. I 
have a good idea
of why the alert was triggered but have a little more research to do.

thx


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).