Subject: Re: [Snort-users] Snort and Random ACK Scans
From: Daniel van Balen (vdaniel@trompo.com)
Date: Thu Aug 10 2000 - 10:32:39 CDT


On Wed, Aug 02, 2000 at 10:38:46AM -0700, Brent Erickson wrote:
> I am fairly new to Snort. I have run it on Linux and have been running it for 3 weeks on Windows NT. On Windows I am still running version 1.6 but with the latest 0727k rules, the backdoor rules, the vision rules and the scan-lib rules.
>
> Will Snort alert on random ACK scans ?? I have tried running NMAP in the mode:
>
> nmap -v -sA -PO -p6000-62000 target
>
> Snort does not alert, Snort however does catch and alert on the FIN and XMAS scans.
>

        I checked this out and it seems very interesting! As far as I can tell
snort does NOT detect ACK scans. But I don't have the latest version of snort
either (maybe the latest portscan preprocessor now detects ACK scans?).
        But it seems like there's a bug in nmap:
        According to the nmap man page:

       -sA ACK scan: This advanced method is usually used to
              map out firewall rulesets. In particular, it can
              help determine whether a firewall is stateful or
              just a simple packet filter that blocks incoming
              SYN packets.

              This scan type sends an ACK packet (with random
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              looking acknowledgement/sequence numbers) to the
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              ports specified. If a RST comes back, the port is
              classified as "unfiltered". If nothing comes back
              (or if an ICMP unreachable is returned), the port
              is classified as "filtered". Note that nmap usu-
              ally doesn't print "unfiltered" ports, so getting
              no ports shown in the output is usually a sign that
              all the probes got through (and returned RSTs).
              This scan will obviously never show ports in the
              "open" state.

        But there seems to be a bug in nmap... If you don't give it the "-v"
option, nmap will send ACK packets with random looking sequence numbers but
*with ack=0* which will be detected by the "NMAP TCP PING" rule. Is the Fyodor
on this list the nmap Fyodor?
        BTW I don't think it would be too hard to implement ACK scan detection
in the portscan preprocessor (please correct me if I'm wrong): Proceed as normal
but instead of looking for connection attempts (or Syn packets), look for ACK
packets to a bunch of ports all with *THE SAME* (random looking)
acknowledgement, sequence and (methinks) window values.

> I have studied several of the rule sets and it seems like Snort would catch the ack scans.
>

        Which rule(s) are you referring to?

> I am doing something wrong?
>

        Probably not... :-)

-spiff

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
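The detection heuristic sketched in the reply above (bare ACK packets to many ports sharing the same sequence, acknowledgement and window values), as an added example that is not from the post, from nmap or from Snort's portscan preprocessor; the packet records, addresses and the port threshold are constructed for illustration.

```python
# Toy ACK-scan detector: flag a source that sends bare ACK packets to many
# distinct ports of one host with identical seq/ack/window values. Ordinary
# ACKs from established connections carry seq/ack numbers that keep changing,
# so they never collapse into one such group. (Assumed threshold, not Snort's.)
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tcp:
    src: str
    dst: str
    dport: int
    flags: str   # e.g. "A" (bare ACK), "PA", "S"
    seq: int
    ack: int
    window: int


PORT_THRESHOLD = 5  # assumed: distinct ports seen with identical header values


def detect_ack_scans(packets, threshold=PORT_THRESHOLD):
    """Return {(src, dst, seq, ack, window): sorted ports} for suspect groups."""
    ports = defaultdict(set)
    for p in packets:
        if p.flags != "A":          # only bare ACKs (no SYN/FIN/RST/PSH/URG)
            continue
        ports[(p.src, p.dst, p.seq, p.ack, p.window)].add(p.dport)
    return {key: sorted(v) for key, v in ports.items() if len(v) >= threshold}


# Constructed sample traffic: one scanner reusing the same header values
# across eight ports, plus ordinary ACKs whose seq/ack numbers advance.
SCAN = [Tcp("10.0.0.9", "10.0.0.1", port, "A", 0x3B9ACA00, 0x1F4B2C9D, 1024)
        for port in range(6000, 6008)]
NORMAL = [Tcp("10.0.0.5", "10.0.0.1", 80, "A", 1000 + i, 2000 + 100 * i, 65535)
          for i in range(8)]

if __name__ == "__main__":
    for key, hit_ports in detect_ack_scans(SCAN + NORMAL).items():
        print("possible ACK scan:", key, "ports", hit_ports)
```

Note that nmap's default ack=0 behaviour mentioned in the reply would also fall into one group here, since all probes share the same ack value.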