Snort mailing list archives

Re: question ? -> (MISC Large ICMP Packet)


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 03 Jan 2002 17:43:58 -0500

Well... this "stealth" mode of nmap is not *that* stealthy, i.e. it does genuinely start the connection process, and all of the packets generated by this scan are completely legal and occur in normal traffic. For that matter snort won't log a -sT connect() scan of a single port either, unless spade calls it anomalous, in which case either scan would be logged. These kinds of scans, and super-slow port scans, are why the spade preprocessor exists in the first place.

The NMAP "syn" scan generates a 100% normal, genuine syn packet to initiate a connection, but instead of acking the syn-ack packet that comes back, it sends a RST instead. This behavior is also what will happen if a machine tries to open a connection but times out before a syn-ack is generated or if some bizarre failure kills the connecting process on the originating side.

I believe (but could be wrong) that the only way to detect these scans would be a stateful inspection of the stream. You would need to detect a syn, followed promptly by a syn-ack, followed promptly by a rst packet. And even that might false like crazy on real-world traffic, I'm not sure how common it is for a process to fault while in the middle of a connection.

However, if you are filtering port 5000, no syn-ack will be generated, no rst will be sent, thus nothing abnormal at all happens that snort could detect (except spade). That said, snort does not detect this kind of scan as stealth activity even with stream4's detect_state_problems feature enabled and even if the port is an unfiltered port. Spade picks up the packets going to unusual ports, like 5000, but not -sS against a webserver's port 80, for example.

(p.s. I'm using snort 1.8.2 with spade enabled if it matters to anyone).

Also if the scan was directed at a port range the port scan preprocessor would likely catch it.

At 01:07 PM 12/30/2001 -0500, cdowns wrote:
Morning All,
Out of curiosity I decided to check my network for port 5000 tcp. Just for the hell of it and to see how Snort will react to someone snooping for the new Xsploit.c tcp 5000 windows ME/XP remote DOS/Shell. Here I used a really basic NMAP Stealth Syn scan and here is the reply in the /var/log/snort/alert:

Scan:
blasphemy# nmap -sS -p 5000 64.28.89.32/27
<snip>
Obviously I deny all Traffic to these high ports but am stumped by the output. Can anyone explain why Snort does not see an NMAP Syn scan or does stealth mode actually work?

thanks,
~>D
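As an added example (not code from the original thread or from Snort), here is the stateful SYN, SYN/ACK, RST check Matt describes, run over a constructed packet list; every host, port and timestamp is made up, and a per-source threshold is added on top so that a single RST from a process that died mid-connect does not raise an alert on its own.

```python
from collections import defaultdict

def find_half_open_handshakes(packets, window=2.0):
    """Flows where a SYN drew a SYN/ACK and the client then sent RST (never ACK) within `window` s."""
    state, hits = {}, []
    for t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == {"SYN"}:
            state[fwd] = ("SYN", t)  # handshake opened by src
        elif flags == {"SYN", "ACK"} and state.get(rev, ("",))[0] == "SYN":
            if t - state[rev][1] <= window:
                state[rev] = ("SYNACK", t)  # server answered; client must now ACK or RST
        elif "RST" in flags and state.get(fwd, ("",))[0] == "SYNACK":
            if t - state[fwd][1] <= window:
                hits.append((src, dst, dport, t))  # the half-open pattern nmap -sS leaves
            del state[fwd]
        elif "ACK" in flags and fwd in state:
            del state[fwd]  # client completed the handshake: an ordinary connection
    return hits

def suspect_sources(hits, min_flows=3, window=10.0):
    """Sources with >= min_flows half-open probes to distinct (host, port) targets within `window` s."""
    by_src = defaultdict(list)
    for src, dst, dport, t in hits:
        by_src[src].append((t, (dst, dport)))
    # one stray RST (a client that died mid-connect, as the post worries) stays below the bar
    return sorted(src for src, ev in by_src.items()
                  if any(len({tgt for t, tgt in ev if t0 <= t <= t0 + window}) >= min_flows
                         for t0, _ in ev))

# Constructed packet records: (time, src, sport, dst, dport, flags). Not real traffic.
SAMPLE = [
    (0.00, "10.0.0.7", 40001, "10.0.0.10", 80, {"SYN"}),          # normal client...
    (0.01, "10.0.0.10", 80, "10.0.0.7", 40001, {"SYN", "ACK"}),
    (0.02, "10.0.0.7", 40001, "10.0.0.10", 80, {"ACK"}),          # ...completes the handshake
    (1.00, "10.0.0.5", 50001, "10.0.0.10", 80, {"SYN"}),          # -sS style probes from 10.0.0.5
    (1.01, "10.0.0.10", 80, "10.0.0.5", 50001, {"SYN", "ACK"}),
    (1.02, "10.0.0.5", 50001, "10.0.0.10", 80, {"RST"}),
    (1.10, "10.0.0.5", 50002, "10.0.0.10", 22, {"SYN"}),
    (1.11, "10.0.0.10", 22, "10.0.0.5", 50002, {"SYN", "ACK"}),
    (1.12, "10.0.0.5", 50002, "10.0.0.10", 22, {"RST"}),
    (1.20, "10.0.0.5", 50003, "10.0.0.11", 80, {"SYN"}),
    (1.21, "10.0.0.11", 80, "10.0.0.5", 50003, {"SYN", "ACK"}),
    (1.22, "10.0.0.5", 50003, "10.0.0.11", 80, {"RST"}),
    (1.30, "10.0.0.5", 50004, "10.0.0.10", 5000, {"SYN"}),        # filtered port: no reply at all
    (5.00, "10.0.0.8", 41000, "10.0.0.10", 80, {"SYN"}),          # single stray half-open
    (5.01, "10.0.0.10", 80, "10.0.0.8", 41000, {"SYN", "ACK"}),
    (5.02, "10.0.0.8", 41000, "10.0.0.10", 80, {"RST"}),
]
```

The probe of the filtered port 5000 never leaves the SYN state, which is exactly the "nothing abnormal happens" case in the reply above; only ports that actually answer produce the three-packet signature.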
