
List:       snort-sigs
Subject:    Re: [Snort-sigs] Rule to detect NMAP FIN Stealth Scan
From:       Patrick Mullen <pmullen () sourcefire ! com>
Date:       2017-07-10 17:55:08
Message-ID: CAMhPpEUSy75fc9Cn1w1xNt4MZgF18sZBfVxjN-bUnnX1EuxZ7w () mail ! gmail ! com


Look into the snort portscan preprocessor and enable it.

https://www.snort.org/faq/readme-sfportscan

That's a pretty odd reason to block access, though.  But, hey, ISPs are
allowed to have whatever policies they want.



Thanks,

~Patrick


On Mon, Jul 10, 2017 at 1:18 PM, Joe Magueta <joe@pcwe.ca> wrote:

> Hi all.
>
>
>
> I'm new to SNORT and have received information from my ISP that they are
> blocking my connection because there is an "NMAP FIN Stealth Scan"
> happening from my network. Is there a rule that exists already to detect
> this? If not, can anyone help me set up a rule on SNORT to detect the scan
> and the device/s performing it?
>
> Any help is appreciated.
>
>
>
> Thank you.
>
>
>
> Joe
>
>
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>
>


-- 
Patrick Mullen
Response Research Manager
Cisco TALOS
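
An added example, not part of Patrick's reply or of the Snort distribution: a Snort 2.x configuration that enables the sfPortscan preprocessor suggested above, plus a local rule that flags FIN-only packets leaving the network so the alert's source address identifies the scanning device. The network range, thresholds, log file name, rule message and sid are constructed placeholders.

```conf
# --- snort.conf (Snort 2.x) ---
# sfPortscan needs the Stream preprocessor enabled in the same config.
# watch_ip restricts tracking to traffic involving this network
# (192.168.1.0/24 is a placeholder; use your own LAN range).
# Start at sense_level low to limit false positives, raise to medium
# if real scans are missed.
preprocessor sfportscan: proto { all } \
                         scan_type { all } \
                         sense_level { low } \
                         watch_ip { 192.168.1.0/24 } \
                         logfile { portscan.log }

# --- local.rules ---
# flags:F matches TCP packets with FIN as the only flag set, which a
# normal connection teardown (FIN+ACK) does not produce.
# flow:stateless evaluates the packet without an established session,
# since a FIN scan never completes a handshake.
# detection_filter alerts only after one source sends more than 20 such
# packets in 60 seconds (constructed threshold), so the alert's source
# IP is the internal host doing the scanning.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL outbound FIN-only TCP packets, possible FIN scan"; \
    flow:stateless; flags:F; \
    detection_filter:track by_src, count 20, seconds 60; \
    classtype:attempted-recon; sid:1000001; rev:1;)
```

If the sensor sits outside a NAT gateway, every alert will show the gateway's address as the source; place the sensor on the inside interface to see the individual device.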






