distinguish beetween portsweep and nmap os fingerprint

mirjam_ehb
Level 1

Hi all!

My IDS isn't able to distinguish between 3045 NMAP OS Fingerprint and 3002 TCP SYN Port Sweep. It only shows me the Portsweep.

I use NMAP with the -O option and run a quick scan.

Why is this so? And how can I change this?

Thank you all..

6 Replies

scothrel
Level 3

I'll ask the signature team to take a look at 3046 NMAP OS Fingerprint. My quick glance leads me to think that it's missing a piece of signature info.

SC

The signature team tested the signature and said that it's working as expected. They reported that it fires (short run):

Sig 1315.0 = 2

Sig 1330.12 = 14

Sig 3002.0 = 1

Sig 3040.0 = 8

Sig 3041.0 = 8

Sig 3046.0 = 15 <- nmap sig.

Sig 6187.0 = 3

You might check to see if you have any drop or modify actions on any of the other signatures... they could be compromising the detection.

SC
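The reply above gives a per-signature firing tally and suggests checking for drop or modify actions on other signatures. The following script is an added example, not code from the thread or from Cisco: it parses tally lines in the same "Sig id.subsig = count" shape the signature team quoted (counts copied from the reply), reports which of the two signatures the original poster expects are absent, and flags any fired signature whose configured action is drop or modify, since such an action can keep later packets of the same scan from reaching other signatures. The action table is a constructed, hypothetical stand-in for whatever the sensor would actually export.

```python
import re
from collections import Counter

# Constructed sample in the same format the signature team reported;
# the numbers are the ones quoted in the reply above.
SAMPLE_TALLY = """\
Sig 1315.0 = 2
Sig 1330.12 = 14
Sig 3002.0 = 1
Sig 3040.0 = 8
Sig 3041.0 = 8
Sig 3046.0 = 15
Sig 6187.0 = 3
"""

# Signatures the thread expects an "nmap -O" run to trigger (IDs from the thread).
EXPECTED = {"3002": "TCP SYN Port Sweep", "3046": "NMAP OS Fingerprint"}

# Hypothetical per-signature action policy (constructed; a real sensor exports its own).
SAMPLE_ACTIONS = {
    "3002": "produce-alert",
    "3040": "drop-packet-inline",   # deliberately set to a drop action for illustration
    "3041": "produce-alert",
    "3046": "produce-alert",
}

LINE_RE = re.compile(r"^Sig\s+(\d+)\.(\d+)\s*=\s*(\d+)\s*$")


def parse_tally(text):
    """Return {signature_id: total_count}, summing over sub-signatures."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group(1)] += int(m.group(3))
    return dict(counts)


def missing_expected(counts, expected=EXPECTED):
    """Expected signature IDs that did not fire at all."""
    return sorted(sid for sid in expected if counts.get(sid, 0) == 0)


def suppressing_actions(counts, actions):
    """Fired signatures configured with a drop or modify action.

    Such actions can stop subsequent packets of the same scan from being seen
    by other signatures, which is the tuning problem the reply points at.
    """
    return sorted(
        sid for sid, n in counts.items()
        if n > 0 and actions.get(sid, "").startswith(("drop", "modify"))
    )


def triage(text, actions):
    """Combine the three checks into one report dict."""
    counts = parse_tally(text)
    return {
        "counts": counts,
        "missing": missing_expected(counts),
        "suppressing": suppressing_actions(counts, actions),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_TALLY, SAMPLE_ACTIONS)
    for sid, n in sorted(report["counts"].items()):
        print(f"Sig {sid}: {n}")
    print("missing expected:", report["missing"] or "none")
    print("fired with drop/modify action:", report["suppressing"] or "none")
```

Feed it the event tally from your own sensor and the action policy you actually have configured; an empty "missing" list with a non-empty "suppressing" list is the situation the reply describes, where the OS-fingerprint signature exists but an earlier drop action is hiding the traffic it needs.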

I have dropped all modifications and tested it again, but nothing: only the sweep was in the event viewer.

How did the team test signature 3046?

I do it with NMAP and the option -O.

But thank you so much for your response!!!

miri

The sig team used the current Metasploit release, which has nmap packaged with it. They used the GUI front-end from Metasploit to run it.

I have attached the pcap file they captured from the session... looks like a nasty port scan of a box.

SC

Hi, thank you.

I have downloaded Metasploit but I can't find any exploit for the fingerprint. Do you know which one it is?

I'm sorry, I am new to security things! ;)

I've been told that you have to download the latest version for Windows. It is supposed to ask if you want to install a bundle called "nmapfe" or something... apparently that installs nmap and a front-end for it. I haven't installed it before... so your mileage may vary.

SC
