distinguish between portsweep and nmap OS fingerprint

Apr 23rd, 2008

Hi all!

My IDS isn't able to distinguish between 3045 NMAP OS Fingerprint and 3002 TCP SYN Port Sweep.. It only shows me the Portsweep..

I use NMAP and I put in the command -O and make a quickscan..



Why is this so? And how can I change this?


Thank you all..



scothrel (Cisco Employee) Wed, 04/23/2008 - 11:40

I'll ask the signature team to take a look at 3046 NMAP OS Fingerprint. My quick glance leads me to think that it's missing a piece of signature info.


SC

scothrel (Cisco Employee) Wed, 04/23/2008 - 19:27

The signature team tested the signature and said that it's working as expected. They reported that it fires (short run):


Sig 1315.0 = 2

Sig 1330.12 = 14

Sig 3002.0 = 1

Sig 3040.0 = 8

Sig 3041.0 = 8

Sig 3046.0 = 15 <- nmap sig.

Sig 6187.0 = 3


You might check to see if you have any drop or modify actions on any of the other signatures... they could be compromising the detection.


SC
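An illustrative detection heuristic for the two behaviours this thread is trying to tell apart (a plain SYN port sweep versus nmap-style OS fingerprinting probes), added here as an example. It is not Cisco IPS code and does not describe how signatures 3002 or 3046 are implemented; the packet summaries, addresses and thresholds are constructed. The odd flag combinations it looks for are the ones nmap's documented OS-detection probes use (null, SYN|FIN|URG|PSH, FIN|PSH|URG, SYN|ECE|CWR).

```python
from collections import defaultdict

# Constructed TCP packet summaries (src, dst, dport, flags); not a real capture.
# Flag letters follow tcpdump: S=SYN A=ACK F=FIN P=PSH U=URG E=ECE W=CWR.
SAMPLE = (
    # 10.0.0.5 first sweeps 16 ports with plain SYNs (what a sweep signature sees) ...
    [("10.0.0.5", "10.0.0.9", p, "S") for p in range(20, 36)]
    # ... then sends fingerprinting-style probes to an open port.
    + [("10.0.0.5", "10.0.0.9", 22, f) for f in ("", "SFUP", "A", "FPU", "SEW")]
    # 10.0.0.7 is an ordinary client: one SYN and one ACK to port 80.
    + [("10.0.0.7", "10.0.0.9", 80, "S"), ("10.0.0.7", "10.0.0.9", 80, "A")]
)

# Flag combinations a normal TCP stack never emits but OS-detection probes do.
FINGERPRINT_FLAGS = frozenset("".join(sorted(f)) for f in ("", "SFUP", "FPU", "SEW"))


def classify_sources(packets, sweep_threshold=10, min_probe_kinds=2):
    """Return {src: sorted labels}: 'port_sweep' when one source sends plain SYNs
    to at least sweep_threshold distinct ports on a host, 'os_fingerprint' when
    it sends at least min_probe_kinds distinct fingerprinting flag combinations
    to that host. A single stray odd packet is treated as noise."""
    syn_ports = defaultdict(set)   # (src, dst) -> ports hit with a bare SYN
    odd_probes = defaultdict(set)  # (src, dst) -> odd flag combinations seen
    for src, dst, dport, flags in packets:
        norm = "".join(sorted(flags))
        if norm == "S":
            syn_ports[(src, dst)].add(dport)
        elif norm in FINGERPRINT_FLAGS:
            odd_probes[(src, dst)].add(norm)

    findings = defaultdict(set)
    for (src, _dst), ports in syn_ports.items():
        if len(ports) >= sweep_threshold:
            findings[src].add("port_sweep")
    for (src, _dst), combos in odd_probes.items():
        if len(combos) >= min_probe_kinds:
            findings[src].add("os_fingerprint")
    return {src: sorted(labels) for src, labels in findings.items()}


if __name__ == "__main__":
    for src, labels in classify_sources(SAMPLE).items():
        print(src, ", ".join(labels))
```

Run against the constructed sample, the sweeping source is reported with both labels and the ordinary client with none, which is the kind of two-signature result the original poster expected to see.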

mirjam_ehb Thu, 04/24/2008 - 00:35

I have dropped all modifications and have tested it again.. but nothing, only the sweep was in the event viewer..


How did the team test the signature 3046?


I do it with NMAP and the option -O..


But thank you so much for your response!!!

miri

scothrel (Cisco Employee) Thu, 04/24/2008 - 10:02

The sig team used the current Metasploit release, which has nmap packaged with it. They used the gui front-end from Metasploit to run it.

I have attached the pcap file they captured from the session...looks like a nasty port scan of a box.


SC



mirjam_ehb Thu, 04/24/2008 - 11:33

Hi.. thank you...


I have downloaded Metasploit but I can't find any exploit for the fingerprint.. do you know which one it is?

I'm sorry, I am new to security things! ;)

scothrel (Cisco Employee) Fri, 04/25/2008 - 13:00

I've been told that you have to download the latest version for Windows. It is supposed to ask if you want to install a bundle called "nmapfe" or something...apparently that installs nmap and a front-end for it. I haven't installed it before...so your mileage may vary.


SC
