1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
Rule:
--
Sid:
111-10
--
Summary:
This event is generated when the pre-processor stream4
detects network traffic that may constitute an attack.
--
Impact:
This may indicate scanning activity.
--
Detailed Information:
The pre-processor stream4 has detected network traffic that may indicate
an Xmas Tree scan is in progress. That is, packets with the FIN, URG and
PUSH flags set have been detected.
In this case, indications are that the tool Nmap is in use.
--
Affected Systems:
All systems
--
Attack Scenarios:
An attacker may utilize scanning techniques to determine possible points
of exploitation against a host.
--
Ease of Attack:
Simple. Many scanning tools exist.
--
False Positives:
None Known.
--
False Negatives:
None Known.
--
Corrective Action:
Check the target host for signs of compromise.
Ensure the system is up to date with any appropriate vendor supplied patches.
--
Contributors:
Martin Roesch <roesch@sourcefire.com>
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
--
Additional References:
--
|
