File: 1228.txt

Rule:

--
Sid:
1228

--
Summary:
A nmap XMAS scan was detected.

--
Impact:
System reconnaissance that may include open/closed/firewalled ports,
ACLs.

--
Detailed Information:
Nmap sets the URG, PSH and FIN bits as part of its XMAS scan.
Typically, a closed port will respond with an ACK RST, whereas an open
port may not respond at all.  However, this varies from machine to
machine, and also depends on what (if any) filtering policies are in
place between the hosts in question.
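
The flag combination described above can be checked directly against a raw TCP header. The following is an added illustration, not part of the original Snort documentation or of the rule itself: it unpacks the flag byte of a TCP header and reports any segment carrying FIN, PSH and URG together, which is the condition SID 1228 alerts on. The sample segments are constructed inline for the demonstration (ports, sequence numbers and the zeroed checksum are placeholders), and the function names are this example's own.

```python
import struct

# TCP flag bits as they appear in the low byte of the offset/flags word.
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

# The XMAS signature: all three of FIN, PSH and URG set at once.
XMAS_MASK = FIN | PSH | URG


def tcp_flags(segment: bytes) -> int:
    """Return the 8 flag bits of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    # Bytes 12-13 hold the 4-bit data offset, reserved bits, then the flags.
    (offset_flags,) = struct.unpack("!H", segment[12:14])
    return offset_flags & 0xFF


def is_xmas(flags: int) -> bool:
    """True when FIN, PSH and URG are all set; extra flags do not exempt it."""
    return flags & XMAS_MASK == XMAS_MASK


def flag_names(flags: int) -> str:
    """Human-readable flag list, e.g. 'FIN|PSH|URG', for alert output."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return "|".join(name for name, bit in names if flags & bit) or "none"


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Constructed 20-byte TCP header for the demo (no options, checksum left 0)."""
    offset_flags = (5 << 12) | flags  # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def scan_for_xmas(segments):
    """Return the indexes of segments whose flags match the XMAS combination."""
    return [i for i, seg in enumerate(segments) if is_xmas(tcp_flags(seg))]


# Constructed sample traffic: a normal handshake and data segment, one
# XMAS-flagged probe, and the RST/ACK a closed port typically sends back.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, SYN),
    build_tcp_header(80, 40000, SYN | ACK),
    build_tcp_header(40000, 80, PSH | ACK),
    build_tcp_header(40001, 22, FIN | PSH | URG),  # XMAS probe
    build_tcp_header(22, 40001, RST | ACK),        # closed-port reply
]

if __name__ == "__main__":
    for idx in scan_for_xmas(SAMPLE_SEGMENTS):
        print(f"segment {idx}: XMAS flags seen ({flag_names(tcp_flags(SAMPLE_SEGMENTS[idx]))})")
```

Because the legitimate TCP state machine never produces FIN, PSH and URG together, the check is a pure flag-mask test with no need for connection tracking; the RST/ACK reply in the sample is what the text above describes as the usual response from a closed port and is not itself flagged.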

--
Affected Systems:
	All systems

--
Attack Scenarios:
As part of information gathering that may occur before a more
dedicated attack, an attacker may choose to use nmap's XMAS scan to
determine open/closed ports.

--
Ease of Attack:
Trivial.  Nmap is freely available to anyone who wishes to use it.
The only requirement is root/elevated privileges (the XMAS scan
requires this) and a lack of proper filtering between the two
machines.

--
False Positives:
None Known. The FIN, PSH and URG flags should never be seen together
in normal TCP traffic.

--
False Negatives:
None Known

--
Corrective Action:
Determine what ports may have responded as being open, and what clues
that may give an attacker relating to potential attacks.
Additionally, investigate the use of proper ingress/egress filtering.

--
Contributors:
Original rule writer unknown
Original document author unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Jon Hart <warchild@spoofed.org>

--
Additional References:

SANS:
http://rr.sans.org/firewall/egress.php

--