Stealth Scan Detection

Dennis Koslowski dkoslowski@astaro.com
Thu, 4 Oct 2001 10:09:31 +0200


You could use the psd match (patch-o-matic); it detects that kind of
scan...

Greetings
--
Dennis Koslowski <dkoslowski@astaro.de>  | Product Development
Astaro AG | http://www.astaro.de  | +49-721-490069-0 | Fax -55


> -----Original Message-----
> From: Simon Edwards [mailto:simon@simonzone.com]
> Sent: Friday, September 28, 2001 6:12 PM
> To: netfilter@lists.samba.org
> Subject: Stealth Scan Detection
>
>
>
>
> Hi all,
>
> First, I read from the book of nmap:
>
> "
> -sS
> TCP SYN scan: This technique is often referred to as "half-open" scanning,
> because you don't open a full TCP connection. You send a SYN packet, as if
> you are going to open a real connection and you wait for a response. A
> SYN|ACK indicates the port is listening. A RST is indicative of a
> non-listener. If a SYN|ACK is received, a RST is immediately sent to tear
> down the connection (actually our OS kernel does this for us).
> "
>
> Anyone here know anything about detecting this kind of scan
> using iptables?
>
> The best I've come up with is:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j LOG --log-prefix "ABORTED "
>
> which, I think, basically logs TCP connections that are aborted using a RST
> packet (which should not be often). Can anyone do better?
> I'm no TCP expert.
> Are there any drawbacks with detecting half-open scans like this?
>
> TIA,
>
> --
> Simon Edwards
> simon@simonzone.com
> http://www.simonzone.com/
> Nijmegen, The Netherlands       "ZooTV? You made the right choice."
>
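The LOG rule in the original question writes one kernel log line per RST-aborted connection, but a single reset is not a scan; what distinguishes the half-open scan described in the nmap excerpt is one source resetting connections to many different ports in a short time. The script below is an added example (not from the thread, not part of netfilter or the psd match) that parses lines in the format the iptables LOG target produces and flags sources that hit several distinct destination ports within a short window. The sample log lines are constructed, the hostname and addresses are made up, and the window of 10 seconds and threshold of 5 ports are assumptions to tune for a real network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: kernel log lines as the iptables LOG target writes
# them, carrying the "ABORTED " prefix from the rule in the original post.
# 203.0.113.7 is a hypothetical scanner touching many ports in a few seconds;
# 198.51.100.23 is a normal client whose single connection was reset.
SAMPLE_LOG = """\
Sep 28 18:12:01 gw kernel: ABORTED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 18:12:01 gw kernel: ABORTED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 18:12:02 gw kernel: ABORTED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 18:12:02 gw kernel: ABORTED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=110 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 18:12:03 gw kernel: ABORTED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40005 DPT=143 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 18:12:40 gw kernel: ABORTED IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 18:12:45 gw kernel: some unrelated kernel message
"""

# Syslog timestamp, host, "kernel:", then the LOG prefix from the rule.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ABORTED (?P<rest>.*)$')
# KEY=value pairs; flag words such as DF or RST carry no "=" and are skipped.
FIELD_RE = re.compile(r'([A-Z]+)=(\S*)')


def parse_line(line):
    """Return (timestamp, src, dst, dport) for an ABORTED log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for measuring intervals within one log file.
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
    fields = dict(FIELD_RE.findall(m.group('rest')))
    if fields.get('PROTO') != 'TCP' or 'SRC' not in fields or 'DPT' not in fields:
        return None
    return ts, fields['SRC'], fields['DST'], int(fields['DPT'])


def find_scanners(lines, window=timedelta(seconds=10), min_ports=5):
    """Return {src: sorted distinct ports} for every source whose RST-aborted
    connections reached at least min_ports distinct ports within `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, _dst, dport = parsed
            events[src].append((ts, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()  # events inside the sliding time window
        for ts, dport in evs:
            recent.append((ts, dport))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            ports = {p for _, p in recent}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == '__main__':
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f'{src}: RST to {len(ports)} distinct ports {ports}')
```

The sliding window keeps the check cheap enough to run on a live `tail` of the kernel log; a client that legitimately resets one connection stays below the threshold, while the per-source port set shows which services the probe touched.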