List: netfilter
Subject: Stealth Scan Detection
From: Simon Edwards <simon () simonzone ! com>
Date: 2001-09-28 16:11:32
Hi all,
First, I read from the book of nmap:
"
-sS
TCP SYN scan: This technique is often referred to as "half-open" scanning,
because you don't open a full TCP connection. You send a SYN packet, as if
you are going to open a real connection and you wait for a response. A
SYN|ACK indicates the port is listening. A RST is indicative of a
non-listener. If a SYN|ACK is received, a RST is immediately sent to tear
down the connection (actually our OS kernel does this for us).
"
Anyone here know anything about detecting this kind of scan using iptables?
The best I've come up with is:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j LOG --log-prefix "ABORTED "
which, I think, basically logs TCP connections that are aborted using a RST
packet (which should not be often). Can anyone do better? I'm no TCP expert.
Are there any drawbacks with detecting half-open scans like this?
TIA,
--
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands "ZooTV? You made the right choice."
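As an added example (not part of Simon's post or of netfilter), a small Python script that reads the kernel-log lines the "ABORTED " rule above produces and flags sources whose aborted connections touched several distinct destination ports; the field layout is the standard iptables LOG format, while the hosts, addresses and log lines themselves are constructed for the test.

```python
import re
from collections import defaultdict

# Constructed sample of what the LOG rule writes to the kernel log
# (standard iptables LOG field layout; hosts and addresses are made up).
SAMPLE_LOG = """\
Sep 28 16:10:01 gw kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44101 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 16:10:01 gw kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44102 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 16:10:02 gw kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44103 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 16:10:02 gw kernel: ABORTED IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44104 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 16:10:09 gw kernel: ABORTED IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=4821 DF PROTO=TCP SPT=51200 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 28 16:10:10 gw sshd[812]: Accepted publickey for ops from 203.0.113.9 port 51201 ssh2
"""

# KEY=VALUE pairs; TCP/IP flags are bare words in the LOG output.
FIELD_RE = re.compile(r'(\w+)=(\S*)')
FLAG_WORDS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG', 'DF'}


def parse_log_line(line, prefix="ABORTED "):
    """Return the LOG fields of one line carrying the prefix, else None."""
    idx = line.find(prefix)
    if idx < 0:
        return None  # some other kernel/syslog message
    body = line[idx + len(prefix):]
    fields = dict(FIELD_RE.findall(body))
    fields['FLAGS'] = {tok for tok in body.split() if tok in FLAG_WORDS}
    return fields


def aborted_tcp_by_source(log_text):
    """Map SRC -> set of destination ports seen in RST-flagged TCP records."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f.get('PROTO') != 'TCP' or 'RST' not in f['FLAGS']:
            continue
        ports[f['SRC']].add(int(f['DPT']))
    return ports


def suspected_scanners(log_text, min_ports=3):
    """Sources whose aborted connections touched at least min_ports distinct ports."""
    return {src: sorted(p) for src, p in aborted_tcp_by_source(log_text).items()
            if len(p) >= min_ports}
```

Because the rule only fires when the probed port was open and answered with SYN|ACK, a scan of a host with few listening ports yields only a handful of entries, so the threshold is deliberately low and a single RST (a browser closing a connection) is left alone.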