Rule for capturing SYN-scanning


Problem description

I need to write a rule that captures SYN scanning.
I tried this: alert tcp any any -> any any (flags:S,12; msg:"SYN"; sid:1231213;)
then tried to scan: nmap -sS myIP, but this does not output "SYN".
How do I write a correct rule? Thanks.

Recommended answer

Try to change flags:S,12 to flags:S as the Snort manual states:

The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". The old values of '1' and '2' are still valid for the flag keyword, but are now deprecated.

So 12 will check if the two reserved bits are set, which is probably not what you want. Also, as I understand the documentation, flags:S will match packets with only SYN set, which should be correct in your case, I guess. If you want to match some flags regardless of other flags, you can use *.
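The following script is an added example, not part of the original answer and not Snort's own code: it evaluates a Snort flags: option against a raw TCP flags byte, following the keyword as the Snort manual documents it (exact match by default, the +, * and ! match modes, and the optional comma-separated mask of bits to ignore before comparing). The three sample packets (plain SYN, SYN/ACK, and a SYN with the CWR and ECE bits set as ECN negotiation does) are constructed, so you can see which options match a SYN-scan probe and which do not.

```python
# Added example: evaluate a Snort "flags:" option against a TCP flags
# byte, following the flags keyword as documented in the Snort manual
# (constructed code, not Snort's own implementation).
TCP_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "C": 0x40, "E": 0x80,
    "1": 0x40, "2": 0x80,  # deprecated spellings of C and E
}

def parse_flag_letters(spec: str) -> tuple[str, int]:
    """Return (modifier, bitmask) for a string like "S", "SA+" or "!R"."""
    modifier, bits = "", 0
    for ch in spec.upper():
        if ch in "!+*":
            modifier = ch            # match mode; may sit anywhere in the string
        elif ch == "0":
            pass                     # "0" means no flags set at all
        elif ch in TCP_FLAG_BITS:
            bits |= TCP_FLAG_BITS[ch]
        else:
            raise ValueError(f"unknown TCP flag {ch!r}")
    return modifier, bits

def flags_match(option: str, tcp_flags: int) -> bool:
    """True if a packet whose TCP flags byte is tcp_flags satisfies option."""
    spec, _, mask = option.replace(" ", "").partition(",")
    modifier, want = parse_flag_letters(spec)
    _, ignore = parse_flag_letters(mask)   # mask = bits to ignore before comparing
    seen = tcp_flags & ~ignore & 0xFF
    if modifier == "+":
        return seen & want == want        # all listed bits set, others allowed
    if modifier == "*":
        return seen & want != 0           # at least one listed bit set
    if modifier == "!":
        return seen & want == 0           # none of the listed bits set
    return seen == want                   # default: exactly these bits, no others

SYN, SYN_ACK, ECN_SYN = 0x02, 0x12, 0xC2   # constructed sample packets

if __name__ == "__main__":
    for opt in ("S", "S,12", "S,CE", "S+", "*SF", "!A"):
        print(f"flags:{opt:6} SYN={flags_match(opt, SYN)} "
              f"SYN/ACK={flags_match(opt, SYN_ACK)} "
              f"ECN-SYN={flags_match(opt, ECN_SYN)}")
```

Note that a plain flags:S does not match the ECN-style SYN, while flags:S,12 (or the non-deprecated flags:S,CE) matches both, which is the case the manual's mask option exists for.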
