Snort mailing list archives

Re: Snort rule to detect nmap OS scan


From: Alberto Colosi <alcol () hotmail com>
Date: Wed, 29 Mar 2017 22:09:22 +0000

If I'm not wrong, nmap uses different ways to detect the OS. You can sniff or check the IP packets sent on the net so as to create rules for each method.


In any case, don't forget HTTPD and the many various daemons that write out the OS and some other info.


If you are concerned about not publishing the OS kind and version, don't forget daemons.


See if it helps https://nmap.org/book/osdetect.html




Alberto Colosi

ICT NetWork & Security Engineer



________________________________
From: Solomon Melekwe <smelekwe () sleekfm com>
Sent: Wednesday, March 29, 2017 11:25 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Snort rule to detect nmap OS scan

Hi,
I am trying to find a rule to detect an nmap OS scan. I have rules that detect TCP port scans, but nothing that detects an OS scan. I need help, please.


Sole
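
The "rules for each method" idea from the reply, sketched as an added example (not code from either poster or from the Snort project): it matches IPv4/TCP headers against the T2 to T7 probe descriptions in the Nmap book chapter linked above. The function names, the sample addresses and the packets built by `build()` are constructed for illustration.

```python
import struct

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# (TCP flags, IP DF set?, TCP window) -> probe name, taken from the T2-T7
# descriptions in https://nmap.org/book/osdetect.html
NMAP_PROBES = {
    (0, True, 128): "T2",                       # null flags
    (SYN | FIN | URG | PSH, False, 256): "T3",
    (ACK, True, 1024): "T4",
    (SYN, False, 31337): "T5",
    (ACK, True, 32768): "T6",
    (FIN | PSH | URG, False, 65535): "T7",
}

def classify(packet: bytes):
    """Return the Nmap probe name an IPv4/TCP packet matches, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                              # not IPv4
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None                              # not TCP, or truncated
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    flags = packet[ihl + 13] & 0x3F              # ignore ECE/CWR bits
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return NMAP_PROBES.get((flags, df, window))

def build(flags, df, window):
    """Constructed sample packet: minimal IPv4/TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000 if df else 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp

def probes_seen(packets):
    """Distinct probe names found in a list of raw packets."""
    return sorted({name for name in map(classify, packets) if name})
```

T4, T5 and T6 use flag combinations that also occur in normal traffic, so a single match is weak evidence; several distinct probe names from one source in a short window is the stronger signal.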
