Snort mailing list archives
question ? -> (MISC Large ICMP Packet)
From: cdowns <cdowns () lifeatzero com>
Date: Sun, 30 Dec 2001 13:07:59 -0500
Morning All,

Out of curiosity I decided to check my network for port 5000 tcp, just for the hell of it and to see how Snort will react to someone snooping for the new Xsploit.c tcp 5000 Windows ME/XP remote DOS/shell. Here I used a really basic NMAP stealth SYN scan, and here is the reply in /var/log/snort/alert:

Scan:

blasphemy# nmap -sS -p 5000 64.28.89.32/27

Logged:

[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28
Type:8 Code:0 ID:32253 Seq:156 ECHO
[Xref => http://www.whitehats.com/info/IDS246]

Obviously I deny all traffic to these high ports, but I am stumped by the output. Can anyone explain why Snort does not see an NMAP SYN scan, or does stealth mode actually work?

thanks,
~>D
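As an added example (not code from the post or from the Snort project), a small parser for the full-format alert records quoted above, plus a helper that counts how many distinct destinations each source address hit under one rule, which is how a sweep like the one in the alert shows up when reading the file rather than single records. The second sample record is constructed; Python 3.8 or newer is assumed for the walrus operator.

```python
import re
# Regexes for the Snort "full" alert layout quoted in the post; one record per blank-line block.
HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]$")
FIELD_RES = [
    re.compile(r"^\[Classification: (?P<classification>.+?)\] \[Priority: (?P<priority>\d+)\]$"),
    re.compile(r"^(?P<timestamp>\S+) (?P<src>\S+) -> (?P<dst>\S+)$"),  # src/dst carry :port for TCP/UDP
    re.compile(r"^(?P<proto>\w+) TTL:\d+ TOS:\S+ ID:\d+ IpLen:\d+ DgmLen:(?P<dgmlen>\d+)"),
    re.compile(r"^Type:(?P<icmp_type>\d+) Code:(?P<icmp_code>\d+)"),  # ICMP-only line
]
INT_FIELDS = {"gid", "sid", "rev", "priority", "dgmlen", "icmp_type", "icmp_code"}

def parse_alert(block):
    """Parse one alert record into a dict; return None if the [**] header line is missing."""
    lines = [l.strip() for l in block.splitlines() if l.strip()]
    head = HEADER_RE.match(lines[0]) if lines else None
    if not head:
        return None
    rec = head.groupdict()
    for line in lines[1:]:  # lines no regex knows (e.g. [Xref => ...]) are simply skipped
        for rx in FIELD_RES:
            if m := rx.match(line):
                rec.update(m.groupdict())
                break
    return {k: int(v) if k in INT_FIELDS else v for k, v in rec.items()}

def parse_alert_file(text):
    # Snort separates full-format alerts with a blank line.
    return [r for r in map(parse_alert, re.split(r"\n\s*\n", text)) if r]

def destinations_per_source(records, sid):
    """For one rule (sid), count the distinct destination addresses hit by each source."""
    seen = {}
    for r in records:
        if r["sid"] == sid:
            seen.setdefault(r["src"], set()).add(r["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}

# Constructed sample: the record quoted in the post, plus a made-up second record from the same source.
SAMPLE = """\
[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/30-12:56:06.091068 24.128.143.28 -> 64.28.89.63
ICMP TTL:17 TOS:0x0 ID:26834 IpLen:20 DgmLen:28
Type:8 Code:0 ID:32253 Seq:156 ECHO
[Xref => http://www.whitehats.com/info/IDS246]

[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
12/30-12:56:06.102211 24.128.143.28 -> 64.28.89.40
ICMP TTL:17 TOS:0x0 ID:26835 IpLen:20 DgmLen:28
Type:8 Code:0 ID:32253 Seq:157 ECHO
"""
```

Running `destinations_per_source(parse_alert_file(SAMPLE), 499)` on the sample returns `{'24.128.143.28': 2}`.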
Current thread:
- question ? -> (MISC Large ICMP Packet) cdowns (Dec 30)
- RE: question ? -> (MISC Large ICMP Packet) Ofir Arkin (Dec 30)