Snort mailing list archives
RE: snort rule to detect nmap portscan with -P0option
From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Wed, 12 Jan 2005 11:30:37 -0800
Hi Frank -

I stand corrected with respect to the purpose of the original question - and I thank you for pointing that out.

That said, I beg to differ with your assessment of "silly". I'm perfectly well aware of what an nmap -P0 scan does. Since I believed, at the time I wrote, that the idea was to identify an nmap scan without the ability to see a (non-existent) ping, what I did was to concentrate on those aspects of the scan that WERE visible, and COULD be analyzed for possible alerting. As I also pointed out, the best way to identify those would be through post-processing of the alerts.

Cheers,
Bob

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Wednesday, January 12, 2005 11:26 AM
To: Bob Konigsberg
Cc: Snort-users () lists sourceforge net; snrlist () gmail com
Subject: RE: [Snort-users] snort rule to detect nmap portscan with -P0option

On Wed, 2005-01-12 at 09:14 -0800, Bob Konigsberg wrote:
> This is one of those answers to which lots of exceptions can easily be
> raised - but, I offer it for what it's worth.
> [...]
> 1) A really stealthy "nmap -P0" scan, is not going to be caught - as such,

Stop! Stop! No offense, but before you post more silly answers, please do a "man nmap" or "nmap -h" and check what -P0 really does. Someone already mentioned that earlier, but I'll repeat it again. Well, here, straight from nmap -h:

    "  -P0    Don't ping hosts (needed to scan www.microsoft.com and others)"

If you don't understand what that is/does, please go back to Ethereal and compare scans with and without -P0. (Hint: watch for pings before the scan.)

I believe the original poster wanted to know how (quote) "to block icmp packets with 0 payload". The ICMP rules with dsize:0 are the correct fit. But this has nothing to do with -P0 or starting nmap with -P0.

BTW, linux admin: Your first rule is wrong. It will block YOU (dst). The second rule, which you commented out, is correct. You want to use SRC to block EXTERNAL_NET.

Regards,
Frank

PS: Anyone else claiming that a -P0 option is a special type of scan will be added to a CU filter list.
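The two points Frank makes above (dsize:0 is the right content match for an ICMP packet with an empty payload, and the rule has to name $EXTERNAL_NET as the source, not the destination) are easier to see with the rules side by side. The rules posted by the "linux admin" are not reproduced in this archive, so the pair below is an added illustration written for this page, not the rules from the thread; the messages, sid numbers and classtype are made up for the example, and the two variables are assumed to be set in snort.conf (var HOME_NET ... / var EXTERNAL_NET !$HOME_NET).

```snort
# Added example, not from the thread. Assumes HOME_NET and EXTERNAL_NET are
# defined in snort.conf. sid values in the local range (>= 1000000) are invented.

# WRONG direction. HOME_NET is the *source* here, so this matches zero-payload
# ICMP leaving your own network (i.e. it fires on YOU), not on probes coming in.
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP empty payload - wrong direction"; dsize:0; classtype:misc-activity; sid:1000001; rev:1;)

# CORRECT. EXTERNAL_NET as the source, HOME_NET as the destination: matches any
# ICMP packet arriving from outside whose payload (after the ICMP header) is 0 bytes.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP packet with empty payload from external net"; dsize:0; classtype:misc-activity; sid:1000002; rev:1;)

# Optional narrowing (my assumption, not something the thread asks for): add
# itype:8 to fire only on echo requests rather than every zero-payload ICMP type.
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request with empty payload"; itype:8; dsize:0; classtype:misc-activity; sid:1000003; rev:1;)
```

Two caveats a practitioner would want. First, dsize:0 only makes the rule match; an alert action in a sniffing Snort does not block anything. To actually drop the packet Snort has to run inline (the drop action, snort_inline at the time of this thread) or the alert has to feed something that updates the firewall. Second, check the rule before trusting it: from a host Snort treats as external, `ping -s 0 <target>` on Linux sends echo requests with no data bytes, and the correct rule should fire while the commented-out one stays silent; then swap the source and destination and confirm the opposite.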
Current thread:
- snort rule to detect nmap portscan with -P0 option Nilesh (Jan 10)
- <Possible follow-ups>
- snort rule to detect nmap portscan with -P0 option linux (Jan 11)
- RE: snort rule to detect nmap portscan with -P0 option Bob Konigsberg (Jan 12)
- RE: snort rule to detect nmap portscan with -P0 option Frank Knobbe (Jan 12)
- RE: snort rule to detect nmap portscan with -P0option Bob Konigsberg (Jan 12)
- RE: snort rule to detect nmap portscan with -P0 option Bob Konigsberg (Jan 12)