Snort mailing list archives
Re: Rule to detect NMAP FIN Stealth Scan
From: Patrick Mullen <pmullen () sourcefire com>
Date: Mon, 10 Jul 2017 13:55:08 -0400
Look into the snort portscan preprocessor and enable it.

https://www.snort.org/faq/readme-sfportscan

That's a pretty odd reason to block access, though. But, hey, ISPs are allowed to have whatever policies they want.

Thanks,

~Patrick

On Mon, Jul 10, 2017 at 1:18 PM, Joe Magueta <joe () pcwe ca> wrote:
> Hi all. I’m new to SNORT and have received information from my ISP that they are blocking my connection because there is an “NMAP FIN Stealth Scan” happening from my network.
>
> Is there a rule that exists already to detect this? If not, can anyone help me set up a rule on SNORT to detect the scan and the device/s performing it?
>
> Any help is appreciated.
>
> Thank you.
>
> Joe
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
--
Patrick Mullen
Response Research Manager
Cisco TALOS
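One way to act on the advice in this thread, as an added example that is not part of either post and not a rule from the official Snort ruleset: a Snort 2.x sfPortscan line for snort.conf, plus a local rule that alerts on TCP segments carrying only the FIN flag sent from `$HOME_NET`, so the alert's source address names the scanning device. The sid, message text, thresholds and log file name are assumptions chosen for illustration, and the stream preprocessor is assumed to be enabled already.

```snort
# --- snort.conf (Snort 2.x) ---
# sfPortscan, the preprocessor recommended in the reply above.
# It judges hosts by how many ports/hosts they touch and how many of
# those attempts are rejected, rather than by one flag combination.
# Assumed values: sense_level, memcap and the log file name.
preprocessor sfportscan: proto { tcp } \
    scan_type { portscan portsweep } \
    sense_level { medium } \
    memcap { 10000000 } \
    logfile { portscan.log }

# --- local.rules ---
# A FIN scan probes ports with segments that have FIN set and nothing
# else. Normal TCP never sends that: once a connection exists, every
# segment (including the closing FIN) also carries ACK.
#
# flags:F            exact match, FIN is the only flag set
# flow:stateless     the probes belong to no established session
# $HOME_NET as src   the alert's source IP is the internal scanner
# detection_filter   alert only after 20 such segments from one
#                    source within 10 seconds (assumed threshold)
# sid:1000001        assumed value in the range used for local rules
alert tcp $HOME_NET any -> any any ( \
    msg:"LOCAL outbound TCP FIN-only segments, possible FIN scan"; \
    flow:stateless; \
    flags:F; \
    detection_filter:track by_src, count 20, seconds 10; \
    classtype:attempted-recon; \
    sid:1000001; rev:1;)
```

The source address in the resulting alerts can be mapped to a physical device through the DHCP lease table or the router's ARP cache.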