Snort mailing list archives

Re: question about rule detect nmap scan


From: "lists () packetmail net" <lists () packetmail net>
Date: Fri, 25 Jul 2014 09:21:10 -0500

On 07/25/2014 03:18 AM, Vuong D. Chieu wrote:

Can you help me test a rule to detect an nmap scan?
This is my rule, but it is not working:

alert tcp any any -> any any (sid:1000005; gid:1; flow:stateless; ack:0; flags:S; ttl:>220; priority:1; msg:"nmap scan"; classtype:network-scan; rev:1; )

This will end up matching on more than just NMAP, consider adding an MSS value
of zero as well.

Cheers,
Nathan


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
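
As an added example (not from the thread or from the Snort project), the Python below applies the posted rule's three header tests (flags:S, ack:0, ttl:>220) to constructed packets and reads the TCP MSS option, so that hits can be compared on the extra field the reply suggests. The function names and sample packets are assumptions made for illustration, flags:S is treated as an exact match on the flag byte, and flow:stateless is not modelled.

```python
import struct

SYN = 0x02  # TCP flag byte with only SYN set

def build_packet(ttl, flags=SYN, ack=0, mss=None):
    """Constructed IPv4/TCP test packet (checksums left at 0); mss=None omits the option."""
    opts = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, ack, doff << 4, flags, 1024, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp

def parse(pkt):
    """Return (ttl, flags, ack, mss) for an IPv4/TCP packet; mss is None if no MSS option."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    ack = struct.unpack("!I", tcp[8:12])[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    mss, i = None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                # truncated or malformed option
        if kind == 2 and opts[i + 1] == 4:   # MSS: kind 2, length 4
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return pkt[8], tcp[13], ack, mss

def rule_header_tests(pkt):
    """The posted rule's three header tests: flags:S, ack:0, ttl:>220."""
    ttl, flags, ack, _ = parse(pkt)
    return flags == SYN and ack == 0 and ttl > 220

def triage(pkt):
    """Return (matches_rule, mss) so rule hits can be split by MSS value."""
    return rule_header_tests(pkt), parse(pkt)[3]

if __name__ == "__main__":
    for name, p in [("ttl 255, MSS 1460", build_packet(255, mss=1460)),
                    ("ttl 240, MSS 0", build_packet(240, mss=0)),
                    ("ttl 64, MSS 1460", build_packet(64, mss=1460))]:
        print(name, triage(p))
```

Any bare SYN with a TTL above 220 passes the three header tests regardless of its MSS, which is why the second field in the result is useful for separating hits.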

