Snort mailing list archives

RE: snort rule to detect nmap portscan with -P0 option


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 12 Jan 2005 13:25:47 -0600

On Wed, 2005-01-12 at 09:14 -0800, Bob Konigsberg wrote:
> This is one of those answers to which lots of exceptions can easily be
> raised - but, I offer it for what it's worth.
> [...]
> 1) A really stealthy "nmap -P0" scan is not going to be caught - as such,

Stop! Stop! No offense, but before you post more silly answers, please
do a "man nmap" or "nmap -h" and check what -P0 really does. Someone
already mentioned that earlier, but I'll repeat it again. Well, here,
straight from nmap -h:
"  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)"

If you don't understand what that is/does, please go back to Ethereal
and compare scans with and without -P0. (Hint: watch for pings before the
scan.)


I believe the original poster wanted to know how (quote) "to block icmp
packets with 0 payload". The ICMP rules with dsize:0 are the correct
fit. But this has nothing to do with -P0 or starting nmap with -P0.

BTW, linux admin: Your first rule is wrong. It will block YOU (dst).
The second rule, which you commented out, is correct. You want to use
SRC to block EXTERNAL_NET.


Regards,
Frank

PS: Anyone else claiming that a -P0 option is a special type of scan
will be added to a CU filter list.

