Re: Rule to detect NMAP FIN Stealth Scan

[Patrick Mullen <pmullen () sourcefire com>]

Look into the snort portscan preprocessor and enable it.

https://www.snort.org/faq/readme-sfportscan

That's a pretty odd reason to block access, though.  But, hey, ISPs are
allowed to have whatever policies they want.



Thanks,

~Patrick


On Mon, Jul 10, 2017 at 1:18 PM, Joe Magueta <joe () pcwe ca> wrote:

> Hi all.
>
>
>
> I’m new to SNORT and have received information from my ISP that they are
> blocking my connection because there is an “NMAP FIN Stealth Scan”
> happening from my network. Is there a rule that exists already to detect
> this? If not can anyone help me setup a rule on SNORT to detect the scan
> and the device/s performing it?
>
> Any help is appreciated.
>
>
>
> Thank you.
>
>
>
> Joe
>
>
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!


-- 
Patrick Mullen
Response Research Manager
Cisco TALOS

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!