Snort mailing list archives
Re: question about rule detect nmap scan
From: "lists () packetmail net" <lists () packetmail net>
Date: Fri, 25 Jul 2014 09:21:10 -0500
On 07/25/2014 03:18 AM, Vuong D. Chieu wrote:
Can you test and help me with a rule to detect an nmap scan? This is my rule, but it is not working:

alert tcp any any -> any any (sid:1000005; gid:1; flow:stateless; ack:0; flags:S; ttl:>220; priority:1; msg:"nmap scan"; classtype:network-scan; rev:1; )
This will end up matching on more than just NMAP, consider adding an MSS value of zero as well.

Cheers,
Nathan
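As an added example (not part of the thread, and not Snort's own code), the following Python script mirrors the header-only conditions of the posted rule (flags:S, i.e. exactly SYN; ack:0; ttl:>220) and adds the MSS condition suggested in the reply, interpreted here as "the TCP MSS option is present and carries the value 0" (that interpretation is an assumption). It parses raw TCP headers including the options TLV list and runs the combined check over a handful of constructed segments, which is a convenient way to sanity-check what a rule's header predicates would and would not fire on before loading it into a sensor. The sample segments and TTL values are constructed for the example, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_MSS_KIND = 2  # TCP option kind for Maximum Segment Size


@dataclass
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    options: bytes
    mss: Optional[int]  # None when no MSS option is present


def parse_mss(options: bytes) -> Optional[int]:
    """Walk the TCP options TLV list and return the MSS value, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):
            break  # truncated option, stop rather than read past the end
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break  # malformed length
        if kind == TCP_MSS_KIND and length == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def parse_tcp(segment: bytes) -> TcpHeader:
    """Parse a raw TCP header (no IP header in front of it), options included."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    options = segment[20:data_offset]
    return TcpHeader(sport, dport, seq, ack, flags, window, options, parse_mss(options))


def matches_rule(ttl: int, tcp: TcpHeader, require_mss: Optional[int] = 0) -> bool:
    """Header checks from the posted rule plus the suggested MSS condition.

    flags:S in Snort means SYN set and no other flag bits, so compare for equality.
    """
    if tcp.flags != TCP_SYN:
        return False
    if tcp.ack != 0:
        return False
    if not ttl > 220:
        return False
    if require_mss is not None and tcp.mss != require_mss:
        return False
    return True


def build_syn(ack: int = 0, flags: int = TCP_SYN, mss: Optional[int] = None) -> bytes:
    """Construct a raw TCP header for the examples below (constructed sample data)."""
    options = struct.pack("!BBH", TCP_MSS_KIND, 4, mss) if mss is not None else b""
    while len(options) % 4:  # header length is expressed in 32-bit words
        options += b"\x00"
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | flags
    header = struct.pack("!HHIIHHHH", 40000, 80, 0x12345678, ack, off_flags, 1024, 0, 0)
    return header + options


# Constructed (ttl, segment) pairs: only the first should trigger the combined rule.
SAMPLES = {
    "syn_mss0_ttl250": (250, build_syn(mss=0)),
    "syn_mss1460_ttl250": (250, build_syn(mss=1460)),
    "syn_mss0_ttl64": (64, build_syn(mss=0)),
    "synack_mss0_ttl250": (250, build_syn(ack=1, flags=TCP_SYN | TCP_ACK, mss=0)),
    "syn_nomss_ttl250": (250, build_syn()),
}


def evaluate(samples=SAMPLES):
    """Run the rule over every sample and report which ones would alert."""
    return {name: matches_rule(ttl, parse_tcp(seg)) for name, (ttl, seg) in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The MSS check is done by hand here because it is a TCP option, not a fixed header field; whether and how a given Snort version can express it in the rule language is a separate question this thread does not answer, so treat the Python as a model of the intended predicate rather than a drop-in rule.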
Current thread:
- question about rule detect nmap scan Vuong D. Chieu (Jul 25)
- Re: question about rule detect nmap scan lists () packetmail net (Jul 25)