Snort mailing list archives

Re: How to confirm


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 04 Dec 2001 12:02:26 -0500

Another suggestion (if you are using the default rules which have NMAP alerts) would be to use false.net's net tool to run nmap on your machine.

http://nettool.false.net/

This script was completely open before, but several skript kiddies were abusing it. You now need to enter an email address and a password will be emailed to you to use the tool. Still free to use at any rate.

Once you are into the tool:

1) specify a host/ip to scan (your machine, please don't use this tool to scan other people's boxes without their permission)

2) specify a port, preferably to a service you have running, but alerts should be generated in any case.

3) select "host fingerprint" and click submit query.


This currently runs nmap V. 2.54BETA30 and puts the results back to you as a web page.

A sample run against port 80 of a machine generates this nmap output:
---------------------------------------------

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host <deleted hostname> (<deleted IP>) appears to be up ... good.
Initiating Connect() Scan against <deleted hostname> (<deleted IP>)
Adding open port 80/tcp
The Connect() Scan took 0 seconds to scan 1 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port For OSScan assuming that port 80 is open and port 39023 is closed and neither are firewalled
Interesting ports on <deleted hostname> (<deleted IP>):
Port       State       Service
80/tcp     open        http

Remote operating system guess: <deleted>
OS Fingerprint:
<deleted>

Uptime 0.738 days (since Mon Dec  3 18:04:25 2001)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3411720 (Good luck!)
TCP ISN Seq. Numbers: <deleted>
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds



Resulting snort alerts from my configuration (triggered rules are default ones):
---------------------------------------------
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 80 from 209.207.210.180 (STEALTH) [**]
12/04-12:48:46.091744

[**] [111:12:1] spp_stream4: NMAP FINGERPRINT (stateful) detection [**]
12/04-12:48:45.925817 209.207.210.180:53520 -> xx.xx.xx.xx:80
PROTO006 TTL:45 TOS:0x0 ID:14547 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 12.8954 [**]
12/04-12:48:45.926720 209.207.210.180:53521 -> xx.xx.xx.xx:39023
PROTO006 TTL:45 TOS:0x0 ID:14548 IpLen:20 DgmLen:60 DF
******S* Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [1:628:1] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/04-12:48:45.927640 209.207.210.180:53522 -> xx.xx.xx.xx:39023
PROTO006 TTL:45 TOS:0x0 ID:14549 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[Xref => http://www.whitehats.com/info/IDS28]

[**] [111:10:1] spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection [**]
12/04-12:48:45.928641 209.207.210.180:53523 -> xx.xx.xx.xx:39023
PROTO006 TTL:45 TOS:0x0 ID:14550 IpLen:20 DgmLen:60 DF
**U*P**F Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40  UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**]
12/04-12:48:47.762579 209.207.210.180:53518 -> xx.xx.xx.xx:80
PROTO006 TTL:45 TOS:0x0 ID:14554 IpLen:20 DgmLen:60 DF
******** Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 12.2022 [**]
12/04-12:48:47.763334 209.207.210.180:53521 -> xx.xx.xx.xx:39023
PROTO006 TTL:45 TOS:0x0 ID:14555 IpLen:20 DgmLen:60 DF
******S* Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [111:10:1] spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection [**]
12/04-12:48:47.764010 209.207.210.180:53523 -> xx.xx.xx.xx:39023
PROTO006 TTL:45 TOS:0x0 ID:14556 IpLen:20 DgmLen:60 DF
**U*P**F Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40  UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [100:2:1] spp_portscan: portscan status from 209.207.210.180: 6 connections across 1 hosts: TCP(5), UDP(1) STEALTH [**]
12/04-12:48:50.357279

[**] [100:2:1] spp_portscan: portscan status from 209.207.210.180: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
12/04-12:49:19.004006

[**] [100:3:1] spp_portscan: End of portscan from 209.207.210.180: TOTAL time(5s) hosts(1) TCP(6) UDP(1) STEALTH [**]
12/04-12:49:36.623138

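As an added example that is not part of the original post: a small Python parser for the "full" alert layout shown above, run over a constructed sample (the destination address is a placeholder, the other values mirror the post), which groups the packet alerts by source IP and TCP sequence number to surface the pattern visible in these alerts, where every fingerprint probe reuses Seq 0x293274CA with a different flag combination.

```python
import re
from collections import defaultdict
# Constructed sample in the "full" alert layout of the post; dst address is a placeholder.
SAMPLE = """[**] [111:12:1] spp_stream4: NMAP FINGERPRINT (stateful) detection [**]
12/04-12:48:45.925817 209.207.210.180:53520 -> 10.0.0.5:80
PROTO006 TTL:45 TOS:0x0 ID:14547 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40

[**] [111:10:1] spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection [**]
12/04-12:48:45.928641 209.207.210.180:53523 -> 10.0.0.5:39023
**U*P**F Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40  UrgPtr: 0x0

[**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**]
12/04-12:48:47.762579 209.207.210.180:53518 -> 10.0.0.5:80
******** Seq: 0x293274CA  Ack: 0x0  Win: 0xC00  TcpLen: 40

[**] [100:3:1] spp_portscan: End of portscan from 209.207.210.180: TOTAL time(5s) hosts(1) TCP(6) UDP(1) STEALTH [**]
12/04-12:49:36.623138
"""
HDR = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
TS = re.compile(r"(\d\d/\d\d-[\d:.]+)(?: ([^\s:]+):\d+ -> ([^\s:]+):(\d+))?$")
FLAGS = re.compile(r"([*A-Z12]{8}) Seq: (0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    # Each blank-line-separated block is one alert: the first line carries
    # gid:sid:rev and the message, later lines are optional packet details.
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        h = HDR.match(lines[0])
        if not h:
            continue
        a = {"gid": int(h[1]), "sid": int(h[2]), "rev": int(h[3]), "msg": h[4],
             "src": None, "dport": None, "flags": None, "seq": None}
        for line in lines[1:]:
            if (t := TS.match(line)):
                a["ts"], a["src"], a["dport"] = t[1], t[2], t[4]
            elif (f := FLAGS.match(line)):
                a["flags"], a["seq"] = f[1], int(f[2], 16)
        alerts.append(a)
    return alerts

def probe_sets_by_seq(alerts):
    # Group packet alerts by (source IP, TCP seq): one sequence number reused
    # across different flag combinations is the fingerprint pattern in the post.
    groups = defaultdict(set)
    for a in alerts:
        if a["src"] and a["flags"]:
            groups[(a["src"], a["seq"])].add(a["flags"])
    return {k: sorted(v) for k, v in groups.items()}
```

Portscan-status alerts carry only a timestamp, so they parse with no source or flags and are skipped by the grouping step.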

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net