Re: nmap tcp connect scan prevention

[<wkitty42 () windstream net>]

On Saturday, September 21, 2013 8:02 AM, Meysam Farazmand <farazmand.meisam () gmail com> wrote: 
> i need a rule to prevent nmap tcp connect scan (-sT option).anybody know about this?

have you done any testing and caught any packets with a tool like tcpdump? packet captures (aka pcaps) will give you a 
lot of information for creating your rules...

FWIW: there are numerous nmap related rules in the emergingthreats rules sets but none of them specifically state that 
they are for -sT (connection scanning)...

is there only one connect attempt and then nothing more? perhaps you can detect connections with no other traffic in X 
amount of time... perhaps even multiple connections on multiple ports from the same ip within X amount of time...

------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/22/13. 
http://pubads.g.doubleclick.net/gampad/clk?id=64545871&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!