Snort mailing list archives
Re: Question about a bleeding-edge rule related to nmap
From: Stef <stefmit () gmail com>
Date: Thu, 23 Dec 2004 11:53:47 -0600
Answering my own post: got the first one (1.) - sorry - the online docs seem to be more complete for this specific subject than the Snort 2.1 book I was reading ... :(

Stef

On Thu, 23 Dec 2004 11:35:02 -0600, Stef <stefmit () gmail com> wrote:

> Hi, everyone,
>
> I am having some problems with a specific bleeding-edge rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sN"; dsize:0; ack:0; fragbits:!M; flags:0,12; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000544; rev:1;)
>
> in regards to:
>
> 1. what is the 0,12 in the flags? I am re-reading the docs, and I cannot figure out what it means, probably because I cannot see what needs to separate such values: "," - as in flags:0,1,2, or nothing, as in: flags:012?!?
>
> 2. has anybody seen this proving nmap -f sN scans, actually?!? I have been doing my own scan, and found the window size varying, and/or not matching what I thought flags 1 or 2 may mean, etc.
>
> 3. if nmap -f -sN is supposed to fragment ("-f"), why would the rule look for a !M?
>
> TIA,
> Stef
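The following is an added example, not code from the thread or from the Snort project, showing how the detection options of the quoted rule (dsize, ack, fragbits, flags, window) evaluate against a TCP header. It models the flags keyword the way the Snort manual documents it: letters select bits of the TCP flags byte, "0" means no flags set, and the optional part after the comma lists bits to ignore, so flags:0,12 means "no flags set, disregarding the two reserved bits". The bit values for "1" and "2" (0x80 and 0x40, the MSB and the next bit of the flags byte) are taken from that documentation; the packets, ports and helper names are constructed for the example, and address/port matching ($EXTERNAL_NET, $HOME_NET) is not modelled.

```python
import struct

# Snort flag letter -> bit in the TCP flags byte. "1" and "2" are the
# reserved bits (MSB first) as documented for the flags keyword; "0"
# (no flags set) is handled separately.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_flags_option(spec):
    """Parse a Snort 'flags:' value such as '0,12', 'S' or '+A'.

    Returns (modifier, required_bits, ignore_mask).  The text after the
    comma lists bits that are masked out before the comparison.
    """
    match_part, _, mask_part = spec.partition(",")
    modifier = ""
    if match_part and match_part[0] in "+*":
        modifier, match_part = match_part[0], match_part[1:]
    required = 0
    for ch in match_part:
        if ch == "0":
            continue                      # '0' contributes no bits
        required |= FLAG_BITS[ch]
    mask = 0
    for ch in mask_part:
        mask |= FLAG_BITS[ch]
    return modifier, required, mask


def flags_match(flags_byte, spec):
    """Evaluate a flags: option against the 8-bit TCP flags field."""
    modifier, required, mask = parse_flags_option(spec)
    observed = flags_byte & ~mask & 0xFF  # ignored bits are cleared first
    if modifier == "":
        return observed == required        # exact match on the remaining bits
    if modifier == "+":
        return observed & required == required   # required bits plus any others
    if modifier == "*":
        return observed & required != 0          # any one of the listed bits
    raise ValueError("unsupported flags modifier in %r" % spec)


def build_tcp_header(sport, dport, flags, ack=0, window=2048, seq=0):
    """Constructed 20-byte TCP header (no options) for the examples below."""
    offset_and_flags = (5 << 12) | (flags & 0xFF)   # data offset 5 words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Pull the fields the rule cares about out of a raw TCP header."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0xFF, "window": window,
            "hdr_len": (off_flags >> 12) * 4}


def sid_2000544_matches(tcp_raw, payload, more_fragments):
    """Apply the quoted rule's detection options to one packet.

    more_fragments is the IP header's MF bit; the rule's fragbits:!M
    requires it to be clear, which is why a fragment with MF set never
    matches on its own.
    """
    hdr = parse_tcp_header(tcp_raw)
    return (len(payload) == 0                       # dsize:0
            and hdr["ack"] == 0                     # ack:0
            and not more_fragments                  # fragbits:!M
            and flags_match(hdr["flags"], "0,12")   # flags:0,12
            and hdr["window"] == 2048)              # window:2048


# Constructed sample headers (ports chosen arbitrarily for the example).
NULL_PROBE = build_tcp_header(40000, 80, flags=0x00)
NULL_PROBE_RESERVED2 = build_tcp_header(40000, 80, flags=0x40)  # bit "2" set
SYN_PROBE = build_tcp_header(40000, 80, flags=0x02)
NULL_PROBE_WIN1024 = build_tcp_header(40000, 80, flags=0x00, window=1024)

if __name__ == "__main__":
    for name, hdr in [("null", NULL_PROBE), ("null+bit2", NULL_PROBE_RESERVED2),
                      ("syn", SYN_PROBE), ("null,win=1024", NULL_PROBE_WIN1024)]:
        print(name, sid_2000544_matches(hdr, b"", False))
```

Two points from the thread show up directly in the results: a packet with only a reserved bit set still matches because flags:0,12 masks those bits before the comparison, and a NULL probe with a different window size (the variation Stef observed) does not match, since window:2048 is an exact test.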