04-23-2008 09:17 AM - edited 03-10-2019 04:04 AM
Hi all!
My IDS isn't able to distinguish between 3045 NMAP OS Fingerprint and 3002 TCP SYN Port Sweep. It only shows me the port sweep.
I use NMAP and I put in the command -O and make a quick scan.
Why is this so? And how can I change this?
Thank you all.
04-23-2008 11:40 AM
I'll ask the signature team to take a look at 3046 NMAP OS Fingerprint. My quick glance leads me to think that it's missing a piece of signature info.
SC
04-23-2008 07:27 PM
The signature team tested the signature and said that it's working as expected. They reported that it fires (short run):
Sig 1315.0 = 2
Sig 1330.12 = 14
Sig 3002.0 = 1
Sig 3040.0 = 8
Sig 3041.0 = 8
Sig 3046.0 = 15 <- nmap sig.
Sig 6187.0 = 3
You might check to see if you have any drop or modify actions on any of the other signatures... they could be compromising the detection.
SC
04-24-2008 12:35 AM
I have dropped all modifications and have tested it again, but nothing; only the sweep was in the event viewer.
How does the team test the signature 3046?
I do it with NMAP and the option -O.
But thank you so much for your response!!!
miri
04-24-2008 10:02 AM
04-24-2008 11:33 AM
Hi, thank you.
I have downloaded Metasploit but I can't find any exploit for the fingerprint. Do you know which one it is?
I'm sorry, I am new to security things! ;)
04-25-2008 01:00 PM
I've been told that you have to download the latest version for Windows. It is supposed to ask if you want to install a bundle called "nmapfe" or something...apparently that installs nmap and a front-end for it. I haven't installed it before...so your mileage may vary.
SC