I need to write a rule that captures the SYN-scanning.
I tried this: alert tcp any any -> any any (flags:S,12; msg:"SYN"; sid: 1231213;)
then tried to scan: nmap -sS myIP
but this does not output "SYN"
How do I write a correct rule? Thanks.
Rule for capturing SYN-scanning
Why? Just write what I'm doing wrong –
Zygoma
For one, this isn't a programming question and probably belongs on superuser. For another, what exactly is the use case for this? Responding to a SYN flood? nmapping every address that sends you a SYN will do nothing but bake your connection more in that case, and your ISP will probably see you port scanning hundreds of IPs and knock you offline. That's implying the source address isn't spoofed anyway, which it frequently is. Also, if you're behind a router you won't see SYN flood traffic at all, and the only SYNs you get will be from legitimate sources. –
Ways
Nmap and snort are running on the local computer. I just want to print "SYN" for each packet with the flag S. –
Zygoma
Try to change flags:S,12 to flags:S, as the Snort manual states:
The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". The old values of '1' and '2' are still valid for the flag keyword, but are now deprecated.
So 12 will check if the two reserved bits are set, which is probably not what you want. Also, as I understand the documentation, flags:S will match packets with only SYN set, which should be correct in your case I guess. If you want to match some flags regardless of other flags you can use *.