Snort mailing list archives
blocking nmap -P0 attack
From: N B <snrlist () gmail com>
Date: Mon, 10 Jan 2005 18:22:15 +0530
Dear all, I'm using snort and snortsam in my organization to keep watch on all network activity. To block suspicious activity I have configured snortsam along with snort. Everything is working fine, but I noticed that port scan attacks launched with the -P0 option are not getting detected. The rules I'm using to block ICMP packets with 0 payload are as below:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping"; dsize:0; sid:111111; fwsam: dst, 10 mins;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping"; dsize:0; sid:111111; fwsam: src, 10 mins;)
alert icmp any any -> $HOME_NET any (msg:"0 byte ICMP PING NMAP"; dsize:0; sid:111112; fwsam: src, 10 mins;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"0 byte icmp ping nmap"; dsize:0; sid:111113; fwsam: src, 10 mins;)
alert tcp 192.168.x.y any -> any any (flags:A; ack:0; msg:"0 byte NMAP TCP ping"; sid:1235; fwsam: src, 12 mins;)
alert tcp 192.168.x.y any -> $HOME_NET any (flags:A; ack:0; msg:"NMAP TCP ping"; sid:1236; fwsam: src, 2 mins;)
alert icmp 192.168.x.y any -> $EXTERNAL_NET any (msg:"0 byte NMAP ICMP PING"; dsize:0; sid:1414; fwsam: src, 12 mins;)
alert icmp 192.168.x.y any -> $HOME_NET any (msg:"0 NMAP ICMP ping"; dsize:0; sid:1415; fwsam: src, 12 mins;)
alert icmp 192.168.x.y any -> $EXTERNAL_NET any (msg:"0 BYTE NMAP ICMP ping"; sid:1416; fwsam: src, 12 mins;)
Please help me out to detect that also.

With regards,
linux admin
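The rules quoted in the post all key on nmap's host-discovery probes (a zero-payload ICMP echo, or a TCP ACK with acknowledgement number 0). With -P0 nmap skips host discovery entirely and goes straight to the port probes, so none of those signatures ever see a matching packet. The following added example (written for this page, not code from the poster, Snort or SnortSam) replays constructed packets through a minimal matcher that implements only the rule options the posted signatures use, then shows the kind of check that does catch a -P0 scan: counting distinct destination ports per source within a time window, which is the idea behind a portscan preprocessor rather than per-packet signatures. The packets, thresholds and window are assumptions, and the matcher is not a Snort rule parser.

```python
"""Replay constructed packets against the posted nmap-ping signatures,
then apply a port-count threshold to show what a -P0 scan looks like."""
from collections import defaultdict

# Packet builder: all packets below are constructed, not captured traffic.
def pkt(proto, src, dst, dport=None, flags="", ack=None, dsize=0, t=0.0):
    return dict(proto=proto, src=src, dst=dst, dport=dport,
                flags=flags, ack=ack, dsize=dsize, t=t)

# Models of two of the posted rules (sid, protocol, option check).
# Only dsize, flags and ack are implemented; headers are ignored.
RULES = [
    (111112, "icmp", lambda p: p["dsize"] == 0),                        # "0 byte ICMP PING NMAP"
    (1236,   "tcp",  lambda p: p["flags"] == "A" and p["ack"] == 0),   # "NMAP TCP ping"
]

def match(p):
    """Return the sids whose protocol and options match packet p."""
    return [sid for sid, proto, check in RULES if p["proto"] == proto and check(p)]

def alerts(packets):
    """(dst port, sid) for every packet that fires a modelled rule."""
    return [(p["dport"], sid) for p in packets for sid in match(p)]

# Assumed classic nmap host discovery: ICMP echo with no payload plus a
# TCP ACK (ack number 0) to port 80. Addresses are made up.
DISCOVERY = [
    pkt("icmp", "10.0.0.9", "192.168.1.5", dsize=0, t=0.00),
    pkt("tcp",  "10.0.0.9", "192.168.1.5", dport=80, flags="A", ack=0, t=0.01),
]

# nmap -P0: no discovery probes at all, straight to SYN probes on many ports.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
P0_SCAN = [
    pkt("tcp", "10.0.0.9", "192.168.1.5", dport=port, flags="S", ack=0, t=0.02 * i)
    for i, port in enumerate(SCAN_PORTS)
]

def portscan_detect(packets, threshold=10, window=5.0):
    """Flag (src, dst) pairs that touch >= threshold distinct TCP ports
    within `window` seconds. Threshold-style detection in the spirit of a
    portscan preprocessor; not sfPortscan's actual algorithm."""
    seen = defaultdict(list)   # (src, dst) -> [(time, dport), ...]
    flagged = set()
    for p in sorted(packets, key=lambda q: q["t"]):
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["dst"])
        seen[key].append((p["t"], p["dport"]))
        recent_ports = {d for (t, d) in seen[key] if p["t"] - t <= window}
        if len(recent_ports) >= threshold:
            flagged.add(key)
    return flagged

if __name__ == "__main__":
    print("discovery alerts:", alerts(DISCOVERY))      # both ping rules fire
    print("-P0 scan alerts: ", alerts(P0_SCAN))        # nothing fires
    print("-P0 portscan:    ", portscan_detect(P0_SCAN))
```

The per-packet signatures fire on the discovery probes and stay silent on the -P0 scan, while the port-count check flags the scanning source; the threshold and window here are arbitrary and would need tuning against real traffic before being wired to an active-response tool like SnortSam.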
Current thread:
- blocking nmap -P0 attack N B (Jan 10)
- Re: blocking nmap -P0 attack Matt Kettler (Jan 10)
- Re: blocking nmap -P0 attack Frank Knobbe (Jan 10)
- Re: blocking nmap -P0 attack Matt Kettler (Jan 10)
- Re: blocking nmap -P0 attack Frank Knobbe (Jan 10)
- Re: blocking nmap -P0 attack Matt Kettler (Jan 10)
- Re: blocking nmap -P0 attack Frank Knobbe (Jan 10)
- Re: blocking nmap -P0 attack Frank Knobbe (Jan 10)
- Re: blocking nmap -P0 attack Matt Kettler (Jan 10)