Snort mailing list archives

Re: Question about a bleeding-edge rule related to nmap


From: Stef <stefmit () gmail com>
Date: Thu, 23 Dec 2004 11:53:47 -0600

Answering my own post: got the first one (1.) - sorry - the online
docs seem to be more complete for this specific subject, than the
Snort 2.1 book I was reading ... :(

Stef


On Thu, 23 Dec 2004 11:35:02 -0600, Stef <stefmit () gmail com> wrote:
Hi, everyone,

I am having some problems with a specific bleeding-edge rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sN"; dsize:0; ack:0; fragbits:!M; flags:0,12; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000544; rev:1;)

in regards to:
1. what is the 0,12 in the flags? I am re-reading the docs, and I
cannot figure out what it means, probably because I cannot see what
needs to separate such values: "," - as in flags:0,1,2, or nothing, as
in: flags:012?!?
2. has anybody seen this proving nmap -f -sN scans, actually?!? I have
been doing my own scan, and found the window size varying, and/or not
matching what I thought flags 1 or 2 may mean, etc.
3. if nmap -f -sN is supposed to fragment ("-f"), why would the rule
look for a !M?

TIA,
Stef
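As an added example, not part of the list post or of the Snort or Bleeding-Edge rule sets: a small Python evaluator for the packet-header options of sid:2000544. It parses raw IPv4+TCP bytes and applies each option the way the Snort rule language defines it: flags:0,12 tests for no TCP flags set after masking out the two high reserved bits that Snort names 1 and 2 (the part after the comma is the mask, not a second flag set); fragbits:!M requires the IP More Fragments bit to be clear; dsize:0, ack:0 and window:2048 compare payload length, acknowledgement number and window. The packets are constructed inline with zeroed checksums, and the assignment of Snort's 1 and 2 to CWR and ECE is an assumption that does not change the 0,12 result because both bits are masked out.

```python
"""Offline evaluator for the header options of Snort sid:2000544.

Added example, not code from the list post or from the Snort project.
Packets below are constructed test data, not captures.
"""
import struct

# TCP flag bits: low byte of the data-offset/flags halfword.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Snort flag letters. "1" and "2" are the two high reserved/ECN bits; the
# CWR/ECE assignment is an assumption, irrelevant when both are masked.
FLAG_CHARS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG,
              "1": CWR, "2": ECE}

IP_MF = 0x2000  # More Fragments bit in the IPv4 flags/fragment-offset halfword


def parse_flags_option(body):
    """Split a 'flags:' option body such as '0,12' or '+SA,12'.

    Returns (modifier, test_bits, mask_bits). Bits in the mask are cleared
    from the packet's flags before the comparison is made.
    """
    test, _, mask = body.partition(",")
    modifier = ""
    if test and test[0] in "+*!":
        modifier, test = test[0], test[1:]
    test_bits = 0 if test == "0" else sum(FLAG_CHARS[c] for c in test)
    mask_bits = sum(FLAG_CHARS[c] for c in mask)
    return modifier, test_bits, mask_bits


def flags_match(body, tcp_flags):
    """Apply a Snort 'flags:' test to an 8-bit TCP flags value."""
    modifier, test_bits, mask_bits = parse_flags_option(body)
    observed = tcp_flags & ~mask_bits & 0xFF
    if modifier == "+":           # given bits set, others do not matter
        return observed & test_bits == test_bits
    if modifier == "*":           # any one of the given bits set
        return observed & test_bits != 0
    if modifier == "!":           # none of the given bits set
        return observed & test_bits == 0
    return observed == test_bits  # exact match after masking


def parse_ipv4_tcp(packet):
    """Pull the fields the rule needs out of raw IPv4+TCP bytes."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    frag_field, = struct.unpack("!H", packet[6:8])
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:]
    _, _, _, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {"mf": bool(frag_field & IP_MF), "ack": ack,
            "flags": off_flags & 0xFF, "window": window,
            "dsize": total_len - ihl - data_off}


def check_sid_2000544(packet):
    """Evaluate the rule's header options; returns (matched, per-option dict)."""
    h = parse_ipv4_tcp(packet)
    results = {
        "dsize:0": h["dsize"] == 0,
        "ack:0": h["ack"] == 0,
        "fragbits:!M": not h["mf"],
        "flags:0,12": flags_match("0,12", h["flags"]),
        "window:2048": h["window"] == 2048,
    }
    return all(results.values()), results


def build_packet(flags=0, window=2048, ack=0, mf=False, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, ack, (5 << 12) | flags,
                      window, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1,
                     IP_MF if mf else 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


if __name__ == "__main__":
    samples = {
        "NULL probe, window 2048": build_packet(),
        "NULL probe with ECE set (masked by ',12')": build_packet(flags=ECE),
        "NULL probe, window 1024": build_packet(window=1024),
        "plain SYN": build_packet(flags=SYN),
        "NULL probe with MF bit set": build_packet(mf=True),
    }
    for name, pkt in samples.items():
        matched, detail = check_sid_2000544(pkt)
        failed = [opt for opt, ok in detail.items() if not ok]
        print(f"{name:42s} match={matched} failing={failed}")
```

Running the script shows which single option rejects each constructed packet: the window test is the first to fail once the probe's window is anything but 2048, and a set ECE or CWR bit is ignored by flags:0,12 but a set SYN is not.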



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users