Snort mailing list archives
RE: snort rule to detect nmap portscan with -P0 option
From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Wed, 12 Jan 2005 09:14:14 -0800
This is one of those answers to which lots of exceptions can easily be raised - but, I offer it for what it's worth.

I ran a series of "nmap -P0" scans locally, and watched them on the sniffer (ok Ethereal), and noticed that nmap seems to prefer TCP source ports above 32K. On a system with Gnome (and of course X-Windows) the source port never started below 44,200 even after a fresh reboot - while a telnet session from the same box used a source port of about 32,700.

Following this up with a series (about a dozen or so) repeats of the same scan, source and target, showed that nmap 3.77 (on a RH 9 box) cycles around in the 32K to 64K source port range somewhat randomly, but usually in jumps of 4K-8K increments or decrements. This is compared to a telnet attempt (same source and target) which started at 32,771, and incremented one by one.

Trying this experiment on a linux box (RH9) with no X-Windows whatsoever, nmap started with a source port of 44,250, while a telnet session attempt (source and destination addresses the same, but done AFTER the nmap scan) used a source port of 32768.

The source port used by an nmap scan can be specified (--source_port <portnumber>), although I've never bothered - AND - the man pages note that this is a "request" not a "command". Nmap also seems to use the same source port for the full range of scans. When I did NOT specify the source port (3rd test run), nmap incremented the source port to 48,971.

So - bottom line here seems to indicate the following conclusions:

1) A really stealthy "nmap -P0" scan is not going to be caught - as such.
2) You can look for SYN packets with a source port of 44,200 or higher, but you're going to get a LOT of false positives - and if the source port is forcibly set - a LOT of false negatives.
3) The identification of an "nmap -P0" scan would best be done in post-processing where you can look for SYN packets with multiple destination ports and a common source port.
An interesting use of 30 minutes of my time. It would be informative to hear from other folks trying the same thing on other O/S's (Windows, FreeBSD, NetBSD, etc.), although I suspect that the choices here are nmap's, not the O/S. By the way, these were all run as root!

Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of linux
Sent: Sunday, January 09, 2005 9:11 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] snort rule to detect nmap portscan with -P0 option

dear all,

I'm using snort and snortsam in my organization to keep watch on all network activity. To block suspicious activity I have configured snortsam along with snort. Everything is working fine. But I noticed that port scan attacks placed with the -P0 option are not getting detected. Please help me out to detect that also.

With regards
linux admin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
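The post-processing check from Bob's conclusion 3 (many destination ports from one source port, bare SYNs only), set beside the coarse "source port >= 44,200" heuristic from conclusion 2, as an added example that is not part of the thread. The packet records are constructed sample data, not captured traffic; the threshold of five ports and the record layout are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """One TCP packet as a minimal record; flags is e.g. 'S' (bare SYN) or 'SA'."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str


# Constructed sample records (not real traffic), shaped after the post's observations.
SAMPLE = [
    # a scanner reusing one high source port against many destination ports
    *[Syn("10.0.0.5", 44250, "10.0.0.9", p, "S")
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080)],
    # an ordinary client: source port incrementing one by one, one dst port each
    Syn("10.0.0.7", 32771, "10.0.0.9", 23, "S"),
    Syn("10.0.0.7", 32772, "10.0.0.9", 80, "S"),
    Syn("10.0.0.7", 32773, "10.0.0.9", 443, "S"),
    # a normal connection from a box whose ephemeral range starts above 44,200
    Syn("10.0.0.8", 44300, "10.0.0.9", 80, "S"),
    # a SYN/ACK reply, which must not be counted
    Syn("10.0.0.9", 80, "10.0.0.7", 32772, "SA"),
]


def scan_candidates(records, min_ports=5):
    """Group bare SYNs by (src_ip, src_port, dst_ip) and report the groups that
    touched at least min_ports distinct destination ports (conclusion 3)."""
    seen = defaultdict(set)
    for r in records:
        if r.flags != "S":
            continue
        seen[(r.src_ip, r.src_port, r.dst_ip)].add(r.dst_port)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


def high_source_port_hits(records, threshold=44200):
    """The rule-style heuristic from conclusion 2, kept for comparison: it also
    fires on the legitimate 10.0.0.8 client, i.e. a false positive."""
    return [r for r in records if r.flags == "S" and r.src_port >= threshold]
```

On the sample, `scan_candidates` flags only the 10.0.0.5 scanner, while `high_source_port_hits` also returns the single SYN from 10.0.0.8.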