Snort mailing list archives
RE: snort rule to detect nmap portscan with -P0 option
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 12 Jan 2005 13:25:47 -0600
On Wed, 2005-01-12 at 09:14 -0800, Bob Konigsberg wrote:
> This is one of those answers to which lots of exceptions can easily be raised - but, I offer it for what it's worth. [...] 1) A really stealthy "nmap -P0" scan, is not going to be caught - as such,

Stop! Stop! No offense, but before you post more silly answers, please do a "man nmap" or "nmap -h" and check what -P0 really does. Someone already mentioned that earlier, but I'll repeat it again. Well, here, straight from nmap -h:

" -P0 Don't ping hosts (needed to scan www.microsoft.com and others)"

If you don't understand what that is/does, please go back to Ethereal and compare scans with and without -P0. (Hint: watch for pings before the scan.)

I believe the original poster wanted to know how (quote) "to block icmp packets with 0 payload". The ICMP rules with dsize:0 are the correct fit. But this has nothing to do with -P0 or starting nmap with -P0.

BTW, linux admin: Your first rule is wrong. It will block YOU (dst). The second rule, which you commented out, is correct. You want to use SRC to block EXTERNAL_NET.

Regards,
Frank

PS: Anyone else claiming that a -P0 option is a special type of scan will be added to a CU filter list.
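The two points Frank makes (the rule keys on ICMP with an empty payload, i.e. dsize:0, and the direction must be EXTERNAL_NET as source, not destination) can be checked offline. The following is an added example, not code from the thread or from Snort: it builds a few IPv4/ICMP packets by hand, extracts the fields a Snort ICMP rule tests, and applies the "empty ICMP from outside" check. The addresses, HOME_NET and the Snort rule in the comment are constructed for illustration.

```python
"""Offline check of the 'ICMP with dsize:0, EXTERNAL_NET -> HOME_NET' rule.
Added example; packets and networks below are constructed (RFC 5737 ranges)."""
import ipaddress
import struct

# Illustrative Snort rule this code mirrors (assumption: adjust $vars for your site):
#   alert icmp $EXTERNAL_NET any -> $HOME_NET any \
#       (msg:"ICMP with empty payload"; dsize:0; sid:1000001; rev:1;)
HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed home network


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct an IPv4 packet carrying an ICMP echo request (type 8, code 0).
    The IP header checksum is left at 0; only the ICMP checksum is computed."""
    ident, seq = 0x1234, 1
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,   # ver/IHL, TOS, len, id, flags, TTL, proto=ICMP, csum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return ip_hdr + icmp


def parse_packet(pkt: bytes) -> dict:
    """Extract the fields a Snort ICMP rule tests: proto, src, dst, itype, dsize."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {
        "proto": pkt[9],
        "src": str(ipaddress.ip_address(pkt[12:16])),
        "dst": str(ipaddress.ip_address(pkt[16:20])),
    }
    if info["proto"] == 1:  # ICMP
        info["itype"] = pkt[ihl]
        # dsize in Snort is the payload after the 8-byte ICMP header
        info["dsize"] = len(pkt) - ihl - 8
    return info


def empty_icmp_from_outside(pkt: bytes, home_net=HOME_NET) -> bool:
    """The rule's logic: ICMP, zero-length payload, source outside HOME_NET,
    destination inside it.  Swapping src/dst (the 'first rule' in the thread)
    would match your own outbound pings instead."""
    f = parse_packet(pkt)
    if f["proto"] != 1 or f.get("dsize") != 0:
        return False
    src_external = ipaddress.ip_address(f["src"]) not in home_net
    dst_home = ipaddress.ip_address(f["dst"]) in home_net
    return src_external and dst_home


def classify(pkts) -> list:
    """Return the (src, dst, dsize) triples of packets the rule would alert on."""
    return [
        (parse_packet(p)["src"], parse_packet(p)["dst"], parse_packet(p)["dsize"])
        for p in pkts
        if empty_icmp_from_outside(p)
    ]


if __name__ == "__main__":
    samples = [
        build_icmp_echo("198.51.100.7", "192.0.2.10"),             # empty ping from outside
        build_icmp_echo("198.51.100.7", "192.0.2.10", b"A" * 56),  # normal 56-byte ping payload
        build_icmp_echo("192.0.2.10", "198.51.100.7"),             # our own outbound empty ping
    ]
    for hit in classify(samples):
        print("alert:", hit)
```

Only the first sample fires: the second carries a payload and the third has the direction reversed. Note what this rule sees of a scan started with -P0: nothing, because no host-discovery ping is sent at all, which is exactly Frank's point.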