Cisco Support Community
New Member

Distinguish between portsweep and nmap OS fingerprint

Hi all!

My IDS isn't able to distinguish between 3045 NMAP OS Fingerprint and 3002 TCP SYN Port Sweep. It only shows me the Portsweep.

I use NMAP, I put in the option -O and make a quick scan.

Why is this so? And how can I change this?

Thank you all..

  • Intrusion Prevention Systems/IDS
6 REPLIES
Cisco Employee

Re: Distinguish between portsweep and nmap OS fingerprint

I'll ask the signature team to take a look at 3046 NMAP OS Fingerprint. My quick glance leads me to think that it's missing a piece of signature info.

SC

Cisco Employee

Re: Distinguish between portsweep and nmap OS fingerprint

The signature team tested the signature and said that it's working as expected. They reported that it fires (short run):

Sig 1315.0 = 2

Sig 1330.12 = 14

Sig 3002.0 = 1

Sig 3040.0 = 8

Sig 3041.0 = 8

Sig 3046.0 = 15 <- nmap sig.

Sig 6187.0 = 3

You might check to see if you have any drop or modify actions on any of the other signatures... they could be compromising the detection.

SC
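As an added example, not part of this thread and not a Cisco tool: a small Python tally that counts alerts per signature from exported event lines and reports which of the signatures the sig team saw have not fired in your own run. The event line format used here is constructed and hypothetical; adapt the regular expression to whatever your event viewer exports.

```python
import re
from collections import Counter

# Constructed sample event lines (hypothetical format, not taken from the
# thread or from any real sensor export). Each carries a signature id and
# a subsignature id.
SAMPLE_EVENTS = """\
evIdsAlert sigId=3002 subSigId=0 severity=medium attacker=192.0.2.10
evIdsAlert sigId=3040 subSigId=0 severity=low attacker=192.0.2.10
evIdsAlert sigId=3041 subSigId=0 severity=low attacker=192.0.2.10
evIdsAlert sigId=1330 subSigId=12 severity=informational attacker=192.0.2.10
evIdsAlert sigId=3040 subSigId=0 severity=low attacker=192.0.2.10
"""

# Signatures the sig team reported firing for their nmap -O run (from the thread above).
EXPECTED_SIGS = {"1315.0", "1330.12", "3002.0", "3040.0", "3041.0", "3046.0", "6187.0"}

SIG_RE = re.compile(r"sigId=(\d+)\s+subSigId=(\d+)")


def tally_signatures(event_text):
    """Return a Counter mapping 'sigId.subSigId' to the number of alerts seen."""
    counts = Counter()
    for line in event_text.splitlines():
        m = SIG_RE.search(line)
        if m:
            counts[f"{m.group(1)}.{m.group(2)}"] += 1
    return counts


def missing_signatures(counts, expected=EXPECTED_SIGS):
    """Signatures in the expected set that never fired, sorted for stable output."""
    return sorted(expected - set(counts))


if __name__ == "__main__":
    counts = tally_signatures(SAMPLE_EVENTS)
    for sig, n in sorted(counts.items()):
        print(f"Sig {sig} = {n}")
    # Any signature listed here is a candidate for the drop/modify check suggested above.
    print("Did not fire:", ", ".join(missing_signatures(counts)))
```

A signature that appears in the "did not fire" list is the one to inspect for event actions or tuning that could be suppressing it; a signature that fired but shows a lower count than expected may simply reflect a shorter scan.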

New Member

Re: Distinguish between portsweep and nmap OS fingerprint

I have dropped all modifications and have tested it again, but nothing; only the sweep was in the event viewer.

How did the team test signature 3046?

I did it with NMAP and the option -O.

But thank you so much for your response!!!

miri

Cisco Employee

Re: Distinguish between portsweep and nmap OS fingerprint

The sig team used the current Metasploit release, which has nmap packaged with it. They used the GUI front-end from Metasploit to run it.

I have attached the pcap file they captured from the session...looks like a nasty port scan of a box.

SC

New Member

Re: Distinguish between portsweep and nmap OS fingerprint

Hi, thank you.

I have downloaded Metasploit but I can't find any exploit for the fingerprint. Do you know which one it is?

I'm sorry, I am new to security things! ;)

Cisco Employee

Re: Distinguish between portsweep and nmap OS fingerprint

I've been told that you have to download the latest version for Windows. It is supposed to ask if you want to install a bundle called "nmapfe" or something...apparently that installs nmap and a front-end for it. I haven't installed it before...so your mileage may vary.

SC
