Penetration Testing mailing list archives

Re: Request for discussion on defending against specific Nmap TCP syn and version scans.


From: krantikari26 () 30gigs com
Date: 2 Mar 2006 08:36:59 -0000

Hi guys,

See, if you try to analyse the packets using Ethereal,
the TCP conversations are different in the two cases, so for the case

a. between nmap and webserver

syn-synack-rst-syn-synack-getrequest

b. between browser and webserver

syn-synack-ack-getrequest


So depending upon the pattern of packets from a particular host we can design a Snort rule to detect the legitimate user and
the hacker request.
A few points can help to design a rule:

1. nmap will send only "GET / HTTP 1.1 /r/n"
in the request so it can be detected, whereas the normal browser will send other values too like User-Agent,
Accept-Language etc., so this can help us to design the rule.

2. The sequence number can also help, and it will be different in both types of conversation.

3. In a normal conversation the webserver will send code=200 OK,
whereas in the nmap conversation it will send
code=404 object not found.

Please comment

kkdear
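The three indicators the post lists (a reset-then-reconnect handshake, a request line with no browser headers, and a 404 answer) can be scored together before a Snort rule is written, to see how each one behaves on its own. The following Python is an added example and is not the poster's code nor a Snort rule; the flow records, the set of "browser headers", and the two-of-three threshold are assumptions made for this example, not facts about nmap or any particular server.

```python
from dataclasses import dataclass

# Header fields a normal browser is assumed to send (assumption for this example).
BROWSER_HEADERS = {b"host", b"user-agent", b"accept", b"accept-language"}


@dataclass
class Flow:
    """One client/server TCP conversation, already reassembled.
    Constructed input for this example; a sensor would fill this from packets."""
    client: str
    tcp_flags: list   # flags of each segment in order: "S", "SA", "A", "R", "PA"
    request: bytes    # first HTTP request the client sent
    status: int       # HTTP status code the server answered with


def reset_then_reconnect(flags):
    """Pattern (a) from the post: SYN, SYN-ACK, RST, then a fresh SYN before any
    request, instead of the usual SYN, SYN-ACK, ACK."""
    for i in range(len(flags) - 3):
        if (flags[i] == "S" and flags[i + 1] == "SA"
                and flags[i + 2] == "R" and "S" in flags[i + 3:]):
            return True
    return False


def request_headers(payload):
    """Return the lower-cased header names found in an HTTP request payload."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    names = set()
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, _ = line.partition(b":")
        if sep:
            names.add(name.strip().lower())
    return names


def bare_request(payload):
    """Point 1 from the post: a lone request line with no header fields at all."""
    return len(request_headers(payload)) == 0


def indicators(flow):
    """Collect whichever of the post's three signals are present in the flow."""
    found = []
    if reset_then_reconnect(flow.tcp_flags):
        found.append("reset-then-reconnect handshake")
    if bare_request(flow.request):
        found.append("request line without headers")
    if flow.status == 404:
        found.append("server answered 404")
    return found


def classify(flow):
    """Two or more signals: scanner-like; one: suspicious; none: browser-like.
    The threshold is an assumption chosen so that a 404 alone never alerts."""
    n = len(indicators(flow))
    if n >= 2:
        return "scanner-like"
    if n == 1:
        return "suspicious"
    return "browser-like"


# Constructed sample flows (not captured traffic).
SCANNER_FLOW = Flow("10.0.0.5", ["S", "SA", "R", "S", "SA", "PA"],
                    b"GET / HTTP/1.0\r\n\r\n", 404)
BROWSER_FLOW = Flow("10.0.0.9", ["S", "SA", "A", "PA"],
                    b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
                    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
                    b"Accept-Language: en\r\n\r\n", 200)
MISSING_PAGE_FLOW = Flow("10.0.0.7", ["S", "SA", "A", "PA"],
                         b"GET /old HTTP/1.1\r\nHost: www.example.test\r\n"
                         b"User-Agent: Mozilla/5.0\r\n\r\n", 404)

if __name__ == "__main__":
    for f in (SCANNER_FLOW, BROWSER_FLOW, MISSING_PAGE_FLOW):
        print(f.client, classify(f), indicators(f))
```

Running the script shows why the status code is the weakest of the three signals: a browser asking for a page that no longer exists also gets a 404, so MISSING_PAGE_FLOW only reaches "suspicious", while the bare request after the odd handshake scores two signals and is reported as scanner-like.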
