distinguish between portsweep and nmap OS fingerprint

mirjam_ehb
Level 1

Hi all!

My IDS isn't able to distinguish between 3045 NMAP OS Fingerprint and 3002 TCP SYN Port Sweep. It only shows me the Portsweep.

I use NMAP and I put in the command -O and make a quick scan.

Why is this so? And how can I change this?

Thank you all.


scothrel
Level 3

I'll ask the signature team to take a look at 3046 NMAP OS Fingerprint. My quick glance leads me to think that it's missing a piece of signature info.

SC

The signature team tested the signature and said that it's working as expected. They reported that it fires (short run):

Sig 1315.0 = 2
Sig 1330.12 = 14
Sig 3002.0 = 1
Sig 3040.0 = 8
Sig 3041.0 = 8
Sig 3046.0 = 15 <- nmap sig.
Sig 6187.0 = 3

You might check to see if you have any drop or modify actions on any of the other signatures... they could be compromising the detection.

SC

I have dropped all modifications and have tested it again, but nothing; only the sweep was in the event viewer.

How did the team test the signature 3046?

I did it with NMAP and the option -O.

But thank you so much for your response!!!

miri

The sig team used the current Metasploit release, which has nmap packaged with it. They used the GUI front-end from Metasploit to run it.

I have attached the pcap file they captured from the session... looks like a nasty port scan of a box.

SC

Hi, thank you.

I have downloaded Metasploit but I can't find any exploit for the fingerprint. Do you know which one it is?

I'm sorry, I am new to security things! ;)

I've been told that you have to download the latest version for Windows. It is supposed to ask if you want to install a bundle called "nmapfe" or something... apparently that installs nmap and a front-end for it. I haven't installed it before... so your mileage may vary.

SC
